External-to-internal port forwarding using firewalld on CentOS 7.

External-to-internal port forwarding using firewalld on CentOS 7.

Simple and efficient way to forward ports from external gateway to your internal resources.
In this case it was quite simple task to forward external request on TCP port 2000 to internal address and TCP port 22 to get ssh connection established.

To achieve this use one-liner presented below:
 
firewall-cmd --zone=external --add-forward-port=port=2000:proto=tcp:toport=22:toaddr=<internal ip-address> --permanent

In details this lines means next:

firewall-cmd - we executing firewalld CLI client.

--zone=external - we specifying external zone where our external resource is located.

--add-forward-port=port=2000: - add external port which will be accessible from outside and from which one the forwarding will be done to internal resource and port.

proto=tcp: - specify target protocol.

toport=22: - specify port in the internal resource which is a port on target resource we trying to reach.
toaddr=<internal ip-address> - specify target address in internal network segment.

If you want to revert the change and delete record done just use one-liner below:
firewall-cmd --zone=external --add-remove-port=port=2000:proto=tcp:toport=22:toaddr=<internal ip-address> --permanent
As you can see the only difference is that we use --add-remove-port instead of --add-forward-port.

Hope it will help someone with similar tasks.Thanks and more articles coming soon!

Simple NAT gateway on CentOS 7.

Simple NAT gateway on CentOS 7.

Quite often there is a need to organize simple NAT gateway for different purposes (mostly for test environments and when we're lacking of network equipment that can be used).

This example will show how to configure NAT gateway base on CentOs 7 server using firewalld. To operate with firewalld deamon we will use firewall-cmd client.

According to official description from firewalld.org (http://www.firewalld.org/documentation/man-pages/firewall-cmd.html):
"The firewall-cmd is the command line client of the firewalld daemon. It provides interface to manage runtime and permanent configuration.

The runtime configuration in firewalld is separated from the permanent configuration. This means that things can get changed in the runtime or permanent configuration."

Source configuration consists of two servers:

1) gw01.test.lab
 eth0 - DHCP configuration received from ISP.
 eth1 - 10.0.0.1/24

2) srv01.test.lab
eth0 - 10.0.0.2/24 (GW 10.0.0.1 and DNS servers from ISP).

Step below will help you to configure our solution step by step.

Step 1. Enable packet forwarding.

Modify /etc/sysctl.conf file using your favorite text editor adding parameter specified below:

net.ipv4.ip_forward = 1

To avoid reboot do the same change on fly using sysctl:

sysctl -w net.ipv4.ip_forward=1

After modification of sysctl.conf was done we need to enable those changes:

sysctl -p /etc/sysctl.conf

Step 2. Add network interfaces to proper zones using fiirewall-cmd.

firewall-cmd --zone=external --add-interface=eth0 --permanent
firewall-cmd --zone=internal --add-interface=eth1 --permanent

In case if mistake was done you can always delete wrong assignment using next command:

firewall-cmd --zone=<zone name> --remove-interface=<interface name>

Step 3. Reload firewall configuration

firewall-cmd --reload

Step 4. Check if configuration was successfully accepted

firewall-cmd --list-all-zones

Step 5. Enable masquerade for those interfaces which are in external zoneIP Masquerade is a networking function in Linux similar to the one-to-many (1:Many) NAT (Network Address Translation) servers found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via PPP, Ethernet, etc., the IP Masquerade feature allows other "internal" computers connected to this Linux box (via PPP, Ethernet, etc.) to also reach the Internet as well.

firewall-cmd --zone=external --add-masquerade --permanent

Step 6. Configure NAT rule for the external interface on gateway server

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.0.0.0/24

Step 7. Allow traffic for specific services to be allowed in internal zone

firewall-cmd --permanent --zone=internal --add-service=<service name>

In my case only dns and ssh was needed to be allowed:

firewall-cmd --permanent --zone=internal --add-service=dns
firewall-cmd --permanent --zone=internal --add-service=ssh
Step 8. Reload configuration once again

firewall-cmd --reload

Hope it will help someone for quick configuration of NAT gateway.

Thanks and more articles coming soon!