I'm trying to do the equivalent of this iptables rule in firewalld
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
How can I do this?
6
To set up masquerading on the external zone, type:
# firewall-cmd --zone=external --add-masquerade
external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
For reference:
1
You do not use directly rules like that. You simply put your interface (eth0) into external zone, which is already preconfigured in RHEL7/CentOS7 and it has masquerade turned on, or you can enable masquerading on the zone your interface is in. By default it's public. So the correct answer would be either:
# firewall-cmd --zone=public --add-masquerade
or
# firewall-cmd --change-zone=eth0 --zone=external
That is really all you need to do. To enable NAT only for particular subnet or range, you need Rich Rule or Direct rule. That's bit more complex. You can also simply refuse packets for others which seems also an option.
0
Alternatively you can add the rule to your: /etc/firewalld/direct.xml file eg.
<?xml version="1.0" encoding="utf-8"?> <direct> ... <rule priority="0" table="filter" ipv="ipv4" chain="POSTROUTING">-table nat -jump MASQUERADE --source 10.8.0.0/24 --out-interface eth0</rule> </direct>
Then:
firewall-cmd --reload
您阅读本篇文章共花了: 
支付宝微信扫一扫,打赏作者吧~本文链接:https://kinber.cn/post/758.html 转载需授权!
推荐本站淘宝优惠价购买喜欢的宝贝:
ALREADY_ENABLED. Should that be the case? – Jacob Tomlinson Aug 22 '14 at 12:5810.8.0.0/24in your config. – Jacob Tomlinson Aug 22 '14 at 13:54