Firewalld: allow forwarding from source list to destination list

yurybx
Posts: 8
Joined: 2019/03/05 13:09:37

Firewalld: allow forwarding from source list to destination list

Post by yurybx » 2020/11/23 15:24:13

Is it possible?
I am going to migrate my router from FreeBSD to CentOS. Now I am using PF (Packet Filter) as a firewall on FreeBSD, also an OpenVPN server is configured on my router, and with the help of PF I allow certain users to access certain servers. To do this, I have a line in the PF rules:


pass in on tun0 from { 10.1.0.23 10.1.0.45 10.1.0.76 10.1.0.92 } to { 10.1.1.51 10.1.1.52 10.1.1.57 10.1.1.68 10.1.1.35 }
How can I make a similar rule in FirewallD on CentOS? Or is it better to use a different firewall for this? If so, which one?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld: allow forwarding from source list to destination list

Post by jlehtone » 2020/11/23 22:22:33

CentOS 8 has effectively two options:
  1. firewalld.service
  2. nftables.service
Upstream writes in https://firewalld.org/2020/09/policy-ob ... troduction
With some exceptions (e.g. masquerade, forward-ports) firewalld was previously limited to being an end-station firewall. This meant you could not use it to filter traffic flowing between virtual machines, containers, and zones. A subset of that functionality was available by using the direct interface and writing your own iptables rules, but it wasn't a great user experience.
Red Hat writes in https://access.redhat.com/documentation ... networking
  • firewalld: Use the firewalld utility to configure a firewall on workstations. The utility is easy to use and covers the typical use cases for this scenario.
  • nftables: Use the nftables utility to set up complex firewalls, such as for a whole network.
  • iptables: The iptables utility on Red Hat Enterprise Linux 8 uses the nf_tables kernel API instead of the legacy back end. The nf_tables API provides backward compatibility so that scripts that use iptables commands still work on Red Hat Enterprise Linux 8. For new firewall scripts, Red Hat recommends to use nftables.
Your rule might be feasible with nftables sets. See http://wiki.nftables.org/wiki-nftables/index.php/Sets
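As an added worked example (not posted by anyone in this thread), here is what the PF line from the original post looks like as an nftables ruleset using named sets. It assumes the OpenVPN interface is tun0, that IPv4 forwarding is enabled (net.ipv4.ip_forward=1), and that firewalld.service is stopped and disabled so that nftables.service owns the ruleset; the table and set names are made up for the example, and the addresses are the ones from the question.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Replaces any existing ruleset, so
# drop the next line if you are merging this into an existing nft config.
flush ruleset

table inet vpn_filter {
    # VPN clients allowed to reach the internal servers
    # (the PF "from { ... }" list)
    set vpn_clients {
        type ipv4_addr
        elements = { 10.1.0.23, 10.1.0.45, 10.1.0.76, 10.1.0.92 }
    }

    # Internal servers those clients may reach
    # (the PF "to { ... }" list)
    set vpn_servers {
        type ipv4_addr
        elements = { 10.1.1.51, 10.1.1.52, 10.1.1.57, 10.1.1.68, 10.1.1.35 }
    }

    chain forward {
        # Routed (not locally delivered) traffic; anything not matched below is dropped
        type filter hook forward priority filter; policy drop;

        # PF "pass" is stateful, so allow the replies of accepted connections
        ct state established,related accept
        ct state invalid drop

        # Equivalent of: pass in on tun0 from { clients } to { servers }
        iifname "tun0" ip saddr @vpn_clients ip daddr @vpn_servers accept
    }
}
```

Check the file without loading it with `nft -c -f /etc/nftables/vpn.nft`, then on CentOS 8 include it from /etc/sysconfig/nftables.conf and enable nftables.service so it survives a reboot. Because the chain's policy is drop, any other forwarded traffic the router is expected to pass (for example LAN to Internet with masquerade) needs its own accept rule in the same chain. Users and servers can be added or removed at run time without editing the rules, e.g. `nft add element inet vpn_filter vpn_clients { 10.1.0.99 }`, which is the main advantage of sets over listing addresses in the rule itself.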

yurybx
Posts: 8
Joined: 2019/03/05 13:09:37

Re: Firewalld: allow forwarding from source list to destination list

Post by yurybx » 2020/11/24 13:59:52

Thank you very much! It looks like this is what I need.

BShT
Posts: 584
Joined: 2019/10/09 12:31:40

Re: Firewalld: allow forwarding from source list to destination list

Post by BShT » 2020/11/24 19:08:32

This is working for me using iptables and CentOS 7:

# list of networks, one per line (lines starting with # are ignored), and the ipset to hold them
MY_NET=my_ip_list.txt
ipset create my_net hash:net
# populate the set from the file
grep -v '^#' "${MY_NET}" | while read -r IPCA; do
    ipset add my_net "${IPCA}"
done
# permit from <-> to
# nat PREROUTING ACCEPT: skip later DNAT rules for traffic from the LAN to the listed networks
iptables -t nat -A PREROUTING -s 10.0.0.0/22 -m set --match-set my_net dst -j ACCEPT
# forward traffic whose source is in the set (hash:net is one-dimensional, so only the first flag, src, is consulted)
iptables -A FORWARD -m set --match-set my_net src,dst -j ACCEPT
# masquerade LAN traffic leaving towards the listed networks
iptables -t nat -A POSTROUTING -s 10.0.0.0/22 -m set --match-set my_net dst -j MASQUERADE
