Port-forwarding, masquerading, NAT'ing firewalld config?

mikesafh
Posts: 5
Joined: 2009/07/15 01:47:58
Location: Maryland, US

Port-forwarding, masquerading, NAT'ing firewalld config?

Post by mikesafh » 2016/01/14 22:26:46

Hello,

I searched these forums and saw some similar topic, but no apparent solution to my problem. So I'm starting a new one.

I'm trying to set up a CentOS 7 server to act as a proxy between "the Internet" (well, corporate network) and a specific set of services (remote desktop) in an internal network, using the new firewalld interface. Routing is enabled, I have firewalld configured with masquerading and port-forwarding. Connection attempts make it all the way to the services on the internal network, but the source IP that the internal server sees is the original client IP, and there is no route for the return packet so the connection fails. Adding a default route is a possible workaround, but will complicate other aspects of the internal network setup.

Setup is pretty straightforward, external zone assigned to external NIC:

[root@proxy ~]# firewall-cmd --list-all --zone=external
external (active)
interfaces: ens192
sources:
services: ssh
ports:
masquerade: yes
forward-ports: port=10001:proto=tcp:toport=3389:toaddr=1.1.1.16
icmp-blocks:
rich rules:

Internal zone assigned to internal NIC:

[root@proxy ~]# firewall-cmd --list-all --zone=internal
internal (active)
interfaces: ens160
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

An example of what the packet looks like on the internal network (on 1.1.1.16, the source IP is 3.3.3.3 - yes, I'm masking the real values out).

[root@proxy ~]# tcpdump -i ens160 port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 65535 bytes
21:06:52.678672 IP 3.3.3.3.60156 > 1.1.1.16.ms-wbt-server: Flags , seq 1362892959, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0

I was hoping that firewalld would NAT the packets, so that the internal service would see the CentOS 7 (internal) IP as the source. Is this not possible? Do I have to just punt on firewalld and go straight to iptables, which I believe would work?

Any advice would be greatly appreciated. Thank you.

Michael

mikesafh
Posts: 5
Joined: 2009/07/15 01:47:58
Location: Maryland, US

Re: Port-forwarding, masquerading, NAT'ing firewalld config?

Post by mikesafh » 2016/01/14 23:01:46

And it hit me soon after I posted this. Turn masquerade on on the internal zone and voila.
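As an added illustration of the fix in this reply (not code from the post or from firewalld), here is a small Python check that parses `firewall-cmd --list-all` listings like the ones above and reports any forward-port whose target host sits behind a zone that does not masquerade, which is exactly the return-path gap described in the first post. The zone text and the interface-to-subnet map are constructed sample data, and the forward-port parsing assumes IPv4 addresses.

```python
import ipaddress

# Constructed sample: the two zone listings from the post, trimmed, before the fix.
EXTERNAL_ZONE = """external (active)
  interfaces: ens192
  services: ssh
  masquerade: yes
  forward-ports: port=10001:proto=tcp:toport=3389:toaddr=1.1.1.16"""
INTERNAL_ZONE = """internal (active)
  interfaces: ens160
  services: dhcpv6-client ipp-client mdns samba-client ssh
  masquerade: no
  forward-ports:"""
# Constructed: the subnet behind each proxy interface (what `ip addr` would show).
IFACE_SUBNETS = {"ens160": "1.1.1.0/24", "ens192": "3.3.3.0/24"}

def parse_zone(text):
    """Turn one `firewall-cmd --list-all` listing into a {field: value} dict."""
    lines = text.strip().splitlines()
    zone = {"name": lines[0].split()[0]}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        zone[key.strip()] = value.strip()
    return zone

def parse_forward_ports(value):
    """Split 'port=A:proto=B:toport=C:toaddr=D ...' entries into dicts (IPv4 only)."""
    return [dict(kv.split("=", 1) for kv in entry.split(":")) for entry in value.split()]

def zone_for_address(zones, addr):
    """Return the zone whose interface fronts the subnet containing addr, else None."""
    ip = ipaddress.ip_address(addr)
    for iface, subnet in IFACE_SUBNETS.items():
        if ip in ipaddress.ip_network(subnet):
            return next((z for z in zones if iface in z["interfaces"].split()), None)
    return None

def missing_return_nat(zone_texts):
    """Return a fix command for each forward-port whose target zone does not masquerade;
    without SNAT there the target sees the original client IP and needs a route back."""
    zones = [parse_zone(t) for t in zone_texts]
    findings = []
    for zone in zones:
        for fwd in parse_forward_ports(zone["forward-ports"]):
            if "toaddr" not in fwd:
                continue  # local port redirect: the reply never leaves the proxy
            dest = zone_for_address(zones, fwd["toaddr"])
            if dest is not None and dest["masquerade"] != "yes":
                findings.append(f"firewall-cmd --permanent --zone={dest['name']} --add-masquerade")
    return findings
```

Run against the two listings as posted it reports the internal zone; once `masquerade: yes` is set there, as the reply describes, it reports nothing.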
