FirewallCMD + Rich rule + Masquerade

Issues related to configuring your network
bertalanimre
Posts: 140
Joined: 2015/06/02 13:04:03

FirewallCMD + Rich rule + Masquerade

Post by bertalanimre » 2018/07/02 09:34:46

Hey Forum,

I hope you can help me because this is starting to be mind-blowing for me.

I have something like this as an IT architecture:

Inner Server ---> Inner Firewall ---> Inner Loadbalancer ---> INTERNET ---> Farside LoadBalancer ---> Farside Firewall ---> Farside Server

Now, between the Inner server and the Farside server I have a good connection if I add masquerade for the external network card/zone on my Inner Firewall that leads to the loadbalancer. However, I wish to deny basically any incoming connection from the internet towards my inner architecture. Therefore I'm going to add a rich rule to the loadbalancer to drop anything that isn't coming from a specific MAC address or IP range. This is OK.

However, I've come across an issue. The dev. team created a console command that needs to run every minute on the inner server and basically fetches information from the farside server. If I remove the masquerade from the inner firewall's external zone/NIC, then the command fails since the server has no route to the domain hosted on the farside server. The exact error looks like this:

Code:

In CurlFactory.php line 185:

  cURL error 7: Failed connect to uploads.mydomain.com:443; No route to host (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

I don't want to allow masquerade on the firewall, since that will expose the inner server to the internet in a way. Is there any rich rule that allows using masquerade only when a request is being sent to a specific domain?

I hope this is challenging for you guys as well and not just me being a noob (again).

Regards:
Bert

bertalanimre
Posts: 140
Joined: 2015/06/02 13:04:03

Re: FirewallCMD + Rich rule + Masquerade

Post by bertalanimre » 2018/07/02 09:40:28

I love this forum. Whenever I post a question, I usually find the answer in a few minutes.

https://www.rootusers.com/how-to-use-fi ... g-and-nat/

I'm gonna try this right now and see if it works, but instead of source I'll designate a destination.

In this example any packet sent to addresses defined in the zone ‘testing’ will be masqueraded. Rich rules can be used for more granular control.

Code:

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'
success

UPDATE:

AAAAND not.....

bertalanimre
Posts: 140
Joined: 2015/06/02 13:04:03

Re: FirewallCMD + Rich rule + Masquerade

Post by bertalanimre » 2018/07/02 11:37:18

I'm starting to realize this is trickier than I expected.

I have 2 NICs in my Inner Firewall, thus I have 2 firewall zones applied:

Code:

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh http https
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

frontend (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: http https ssh dns
  ports: 6556/tcp
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source NOT address="10.0.1.0/29" drop

Obviously the ETH0 is facing towards the LoadBalancer/Internet and the ETH1 is looking towards the Inner Server.

When I enter

Code:

firewall-cmd --zone=external --add-masquerade

the script works and I can reach the internet from the Inner server. But since I don't want that to happen, I have to remove the masquerade from the external zone. If I do that, internet access is denied, but the other way around as well. :?: :|

Any ideas?
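Added example, not code from this thread or from firewalld: a small Python audit that parses the zone listing `firewall-cmd --list-all-zones` prints (the same format quoted in the post above) and reports where masquerade (SNAT) and forward-ports (DNAT) are in effect, which interfaces they cover, and which rich rules narrow masquerade to a source range. The sample listing is constructed from the two zones posted above; reading a live host through `firewall-cmd` is an assumption the script only makes in `live_listing()`.

```python
"""Audit a firewalld zone listing for masquerade (SNAT) and forward-port (DNAT).

Added example, not code from this thread or from firewalld. It parses the
text that `firewall-cmd --list-all-zones` prints (the format quoted in the
thread) and reports which zones NAT traffic, on which interfaces, and which
rich rules narrow that NAT to a source range.
"""
import re
import subprocess
from typing import Dict, List

# Zone header sits at column 0: "external (active)" or just "block".
ZONE_HEADER = re.compile(r"^(\S+)(?: \((active)\))?$")
# Fields are indented by two spaces: "  masquerade: yes", "  rich rules: ".
FIELD = re.compile(r"^  ([a-z-]+(?: [a-z-]+)?): ?(.*)$")
# These fields hold a single word; every other field is a whitespace list
# (or, for rich rules and newer forward-ports output, tab-indented lines).
SCALAR_FIELDS = {"target", "icmp-block-inversion", "masquerade"}

# Constructed sample in the shape of the listing posted above (two zones);
# a live host is read with live_listing() instead.
SAMPLE_LISTING = """external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\t

frontend (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources:
  services: http https ssh dns
  ports: 6556/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source NOT address="10.0.1.0/29" drop
"""


def parse_zones(listing: str) -> Dict[str, dict]:
    """Return {zone_name: {field: value}} from firewall-cmd zone output."""
    zones: Dict[str, dict] = {}
    current = None
    last_key = None
    for raw in listing.splitlines():
        if not raw.strip():
            continue  # blank separator, or the empty tab line after "rich rules:"
        header = ZONE_HEADER.match(raw)
        if header:
            current = {"active": header.group(2) == "active", "rich rules": []}
            zones[header.group(1)] = current
            last_key = None
            continue
        if current is None:
            continue  # text before the first zone header
        if raw.startswith("\t") and last_key:
            # continuation line: a rich rule (or a forward-port on newer versions)
            current.setdefault(last_key, []).append(raw.strip())
            continue
        field = FIELD.match(raw)
        if not field:
            continue
        key, value = field.group(1), field.group(2).strip()
        last_key = key
        if key in SCALAR_FIELDS:
            current[key] = value
        elif key == "rich rules":
            current[key] = []  # the rules follow on tab-indented lines
        else:
            current[key] = value.split()
    return zones


def masquerading_zones(zones: Dict[str, dict]) -> List[str]:
    """Zones with zone-wide masquerade switched on (sorted by name)."""
    return sorted(n for n, z in zones.items() if z.get("masquerade") == "yes")


def audit(zones: Dict[str, dict]) -> List[str]:
    """Human-readable findings about where NAT is in effect."""
    findings = []
    for name, z in sorted(zones.items()):
        where = " ".join(z.get("interfaces") or []) or "(no interface bound)"
        if z.get("masquerade") == "yes":
            findings.append(f"{name}: zone-wide masquerade (SNAT) for all traffic from {where}")
        for rule in z["rich rules"]:
            if "masquerade" in rule:
                findings.append(f"{name}: source-scoped masquerade rich rule: {rule}")
        for fwd in z.get("forward-ports") or []:
            findings.append(f"{name}: forward-port (DNAT) {fwd} publishes an inner host")
    return findings


def live_listing() -> str:
    """Read the current zone state from the host (assumes firewall-cmd is installed)."""
    return subprocess.run(["firewall-cmd", "--list-all-zones"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for line in audit(parse_zones(SAMPLE_LISTING)):
        print(line)
```

On the sample this prints one finding, for the `frontend` zone, because zone-level `masquerade: yes` applies to everything arriving on that zone's interface; a rich rule of the form the linked article shows (`source address=... masquerade`) would be reported separately as source-scoped. To check a real firewall, replace `SAMPLE_LISTING` with `live_listing()` and run the script on the host itself.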
