SOLVED: firewalld Multiple WAN IPs 1 interface help

Issues related to configuring your network
meluvalli
Posts: 12
Joined: 2019/08/09 20:59:14

SOLVED: firewalld Multiple WAN IPs 1 interface help

Post by meluvalli » 2019/08/10 08:56:41

Firewall doesn't work.

I have set up eth0:2 with rules and they are completely ignored.

(XX XX XX XX is my IP)
firewall-cmd --permanent --new-zone=XX_XX_XX_XX
firewall-cmd --change-interface=eth0:2 --zone=XX_XX_XX_XX --permanent

Zone is created, verified zone-list that eth0:2 is in this zone.

XX_XX_XX_XX (active)
target: default
icmp-block-inversion: no
interfaces: eth0:2
sources: XX.XX.XX.XX/32
services:
ports:
protocols:
masquerade: no
forward-ports: port=443:proto=tcp:toport=443:toaddr=192.168.1.100
source-ports:
icmp-blocks:
rich rules:


Rebooted server and it still doesn't work. If I try to access my external IP address on port 443, the firewall blocks it. WHY????
Last edited by meluvalli on 2019/08/14 08:08:46, edited 2 times in total.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewall-cmd doesn't work.

Post by jlehtone » 2019/08/11 08:23:59

IMHO your issue description "doesn't work" either; there might be details omitted.

However, a websearch on the mentioned details does pull up:
https://serverfault.com/questions/70026 ... lias-eth00

meluvalli
Posts: 12
Joined: 2019/08/09 20:59:14

Re: firewalld Multiple WAN IPs 1 interface help

Post by meluvalli » 2019/08/12 07:56:49

Good to know! That does help a little :)

But I am not sure then how to use firewalld to open ports based on source IP. I tried creating zones by source IP address, but this didn't work :(. So, if anyone knows how to open firewall based off WAN IP instead of interface, this would be really helpful!

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewalld Multiple WAN IPs 1 interface help

Post by jlehtone » 2019/08/12 09:40:57

What do you mean "by source IP"? The issue might be due to firewalld terminology.

meluvalli
Posts: 12
Joined: 2019/08/09 20:59:14

Re: firewalld Multiple WAN IPs 1 interface help

Post by meluvalli » 2019/08/12 21:43:04

I created a zone:
firewall-cmd --permanent --new-zone="[MyNewZoneName]"

I tried adding a zone by source using the below command:
firewall-cmd --permanent --zone="[MyNewZoneName]" --add-source="[MyExternalIP]/[Mask]"

Then added the following rule:
firewall-cmd --zone="[MyNewZoneName]" --add-forward-port=port=443:proto=tcp:toport=443:toaddr=[My Internal IP] --permanent

Followed by:
firewall-cmd --complete-reload

This didn't work. Only rules that apply still are the ones on my MAIN WAN IP under zone "External". If the rule isn't in there, the rule doesn't work. However, I don't know how to add a rule in the "External" zone to only work on my alias IP if that makes sense.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewalld Multiple WAN IPs 1 interface help

Post by jlehtone » 2019/08/13 07:32:39

An incoming packet is directed to a zone
1. if its source address matches that zone's sources or
2. if it enters via interface of the zone

Let's say that Google sends a packet to you. Packet has FROM: 8.8.8.8, TO: aliasIP:443
IF you have zone that contains 8.8.8.8 in sources
THEN that zone will handle the packet
ELSE zone of eth0 (external) will handle the packet

The packets that arrive from outside (like 8.8.8.8) are not from alias-on-eth0:2.

The solution on serverfault shows that you can have a service on a zone that matches only a specific TO address (rather than all aliases). Alas, the forward-port does not have that option.


I think the rich language has enough options:


man firewalld.richlanguage


--zone=external
  --add-rich-rule='rule family="ipv4" destination address="aliasIP" forward-port to-addr="192.168.1.100" to-port="443" protocol="tcp" port="443"'
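
A small model of the zone-selection logic described in the reply above, added here as an illustration and not taken from the thread or from firewalld's own code. All addresses are constructed (203.0.113.0/24 is a documentation range), the `Zone`, `Packet` and `ForwardPort` classes are invented for the example, and firewalld's real dispatch is simplified to the two rules the post states: a packet goes to the zone whose sources contain its source address, otherwise to the zone bound to the interface it arrived on, otherwise to the default zone. The model treats traffic to the alias as arriving on eth0, because eth0:2 is only an address label and not a separate device. It shows why the original alias zone never handles the packet (8.8.8.8 is not in the alias zone's sources) and why a forward-port carrying a destination address, which only the rich rule can express, fixes it while still leaving the main WAN IP untouched.

```python
"""Toy model of firewalld zone selection (added example, not firewalld code).
Addresses and class names are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    iface: str  # the device netfilter sees; "eth0:2" is only a label, so this is eth0


@dataclass
class ForwardPort:
    port: int
    proto: str
    toaddr: str
    toport: int
    destination: Optional[str] = None  # only a rich rule can restrict the TO address


@dataclass
class Zone:
    name: str
    sources: List[str] = field(default_factory=list)
    interfaces: List[str] = field(default_factory=list)
    forward_ports: List[ForwardPort] = field(default_factory=list)


def select_zone(zones: List[Zone], default: Zone, pkt: Packet) -> Zone:
    """Pick the zone for an incoming packet: sources first, then interface, else default."""
    src = ip_address(pkt.src)
    # Rule 1: a zone whose sources contain the packet's SOURCE address wins.
    for z in zones:
        if any(src in ip_network(s, strict=False) for s in z.sources):
            return z
    # Rule 2: otherwise the zone bound to the ingress interface.
    for z in zones:
        if pkt.iface in z.interfaces:
            return z
    return default


def forward_target(zone: Zone, pkt: Packet) -> Optional[Tuple[str, int]]:
    """Return (toaddr, toport) if a forward-port in the zone matches the packet, else None."""
    for fp in zone.forward_ports:
        dst_ok = fp.destination is None or ip_address(pkt.dst) == ip_address(fp.destination)
        if fp.proto == pkt.proto and fp.port == pkt.dport and dst_ok:
            return (fp.toaddr, fp.toport)
    return None


# Constructed addresses: main WAN IP, alias WAN IP on eth0:2, and a remote client.
MAIN_IP, ALIAS_IP, CLIENT_IP = "203.0.113.5", "203.0.113.10", "8.8.8.8"


def broken_setup():
    """The original attempt: a zone keyed on eth0:2 and on the alias IP as a SOURCE."""
    alias_zone = Zone("alias", sources=[ALIAS_IP + "/32"], interfaces=["eth0:2"],
                      forward_ports=[ForwardPort(443, "tcp", "192.168.1.100", 443)])
    external = Zone("external", interfaces=["eth0"])
    return [alias_zone, external], external


def rich_rule_setup():
    """The working fix: a destination-restricted forward-port in the external zone."""
    external = Zone("external", interfaces=["eth0"], forward_ports=[
        ForwardPort(443, "tcp", "192.168.1.100", 443, destination=ALIAS_IP)])
    return [external], external


def handle(setup, dst_ip: str):
    """Dispatch one client packet to dst_ip:443 and report (zone name, forward target)."""
    zones, default = setup()
    pkt = Packet(src=CLIENT_IP, dst=dst_ip, proto="tcp", dport=443, iface="eth0")
    zone = select_zone(zones, default, pkt)
    return zone.name, forward_target(zone, pkt)


if __name__ == "__main__":
    print("broken, to alias IP:   ", handle(broken_setup, ALIAS_IP))      # ('external', None)
    print("rich rule, to alias IP:", handle(rich_rule_setup, ALIAS_IP))   # forwarded
    print("rich rule, to main IP: ", handle(rich_rule_setup, MAIN_IP))    # ('external', None)
```

In the broken setup the packet from 8.8.8.8 never matches the alias zone's sources and arrives on eth0, so the external zone handles it and its forward-port is never consulted. With the rich rule the same packet is still handled by the external zone, but the destination match on the alias IP selects the forward-port, and a packet to the main WAN IP is left alone.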

meluvalli
Posts: 12
Joined: 2019/08/09 20:59:14

Re: firewalld Multiple WAN IPs 1 interface help

Post by meluvalli » 2019/08/14 03:03:57

THANK YOU, THANK YOU, THANK YOU!!!!

All is working on this part now!!!! REALLY APPRECIATE IT!!!!!

:D :D :D :D
