NAT router with 2 interfaces, how to do with firewalld and Centos 9 Stream

Hello,
I’m trying to migrate C8s to C9s, and I need to recreate a machine with two interfaces, one WAN that does NAT, and one LAN.
WAN (ens192) is in zone “external”, with forward and masquerade set to yes.
LAN (ens224) is in zone “internal”, with forward and masquerade set to no.
I have /proc/sys/net/ipv4/ip_forward set to 1.
I must set target for internal to ACCEPT for packets to be NAT/Forwarded. Otherwise, everything is blocked. But if I do that, then any machine on the internal zone can for example ssh to my gateway.
With Centos8Stream, same parameters (unless I’m mistaken), the internal zone was set to default, and ssh to the machine acting as a NAT/masquerade router was blocked.

Just copy your firewalld config files to the new system.
Provided the interfaces have the same names it should work.

I have been upgrading my Fedora-based firewall across many releases and the firewall continued to work.

Hello Barry,
Thanks for the reply.
When you say “your firewall config files”, are you referring to the ones in /etc/firewalld/ ? I didn’t copy them; I recreated the configuration using firewall-cmd, but I made sure they had the same content.
Fact is C8s is using firewalld 0.9.4 and C9s is based on 1.3.4, and having the same configuration files doesn’t mean the behavior is the same (some breaking changes are known, such as the forward parameter in zone).

Your comment about requirements and forward parameter suggests you know what you are doing.

Assuming you are an admin isn’t this a simple firewall you need to configure?
I assume this is covered in the docs?

I have not done this from scratch in a long while, but the docs made sense when I did do the setup.

sudo firewall-cmd --permanent --new-policy=internal-external
sudo firewall-cmd --permanent --policy=internal-external --set-target=ACCEPT
sudo firewall-cmd --permanent --policy=internal-external --add-masquerade
sudo firewall-cmd --permanent --policy=internal-external --add-ingress-zone=internal
sudo firewall-cmd --permanent --policy=internal-external --add-egress-zone=external
sudo firewall-cmd --reload

Policy Objects: Introduction | firewalld
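Added example, not part of the thread and not firewalld's own code: a small Python audit over the kind of XML firewalld stores under /etc/firewalld/ that shows the difference between the two approaches discussed. Setting the internal zone's target to ACCEPT (the workaround in the question) accepts all input to the gateway from the LAN regardless of the zone's service list, so ssh becomes reachable; the internal-external policy from the answer above accepts only the forwarded internal-to-external traffic and leaves the zone's target alone. The XML strings are constructed samples shaped after firewalld.zone(5) and firewalld.policy(5), and audit, zone_target and the other function names are this example's own.

```python
"""Audit firewalld zone/policy XML for the two-interface NAT router pattern.

Added example: the XML below is constructed to match what firewalld writes
for the configuration discussed in the thread, not copied from a real host.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the workaround from the question, internal zone with
# target ACCEPT.  Forwarding works, but every service on the gateway itself
# is now reachable from the LAN, whatever the <service> list says.
INTERNAL_ZONE_WEAK = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Internal</short>
  <interface name="ens224"/>
  <service name="dhcpv6-client"/>
</zone>
"""

# Constructed sample: internal zone left at its default target, so only the
# listed services are accepted from the LAN.
INTERNAL_ZONE_FIXED = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <interface name="ens224"/>
  <service name="dhcpv6-client"/>
</zone>
"""

# Constructed sample: WAN zone with masquerade and forward set, as in the question.
EXTERNAL_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <interface name="ens192"/>
  <forward/>
  <masquerade/>
</zone>
"""

# Constructed sample: the policy the firewall-cmd sequence in the answer
# creates (/etc/firewalld/policies/internal-external.xml).  Ingress and egress
# are both real zones, so the ACCEPT target applies to forwarded traffic only.
POLICY = """<?xml version="1.0" encoding="utf-8"?>
<policy target="ACCEPT">
  <ingress-zone name="internal"/>
  <egress-zone name="external"/>
  <masquerade/>
</policy>
"""


def zone_target(zone_xml: str) -> str:
    """Effective zone target; firewalld treats a missing attribute as 'default'."""
    return ET.fromstring(zone_xml).get("target", "default")


def zone_allows_all_input(zone_xml: str) -> bool:
    """A zone target of ACCEPT admits all input from that zone to the host."""
    return zone_target(zone_xml) == "ACCEPT"


def policy_forwards(policy_xml: str, ingress: str, egress: str) -> bool:
    """True when the policy ACCEPTs traffic forwarded from `ingress` to `egress`."""
    root = ET.fromstring(policy_xml)
    if root.get("target", "CONTINUE") != "ACCEPT":  # CONTINUE is the policy default
        return False
    ins = {e.get("name") for e in root.findall("ingress-zone")}
    outs = {e.get("name") for e in root.findall("egress-zone")}
    return ingress in ins and egress in outs


def has_masquerade(xml_text: str) -> bool:
    """True when a zone or policy carries a <masquerade/> element."""
    return ET.fromstring(xml_text).find("masquerade") is not None


def audit(lan_zone_xml: str, wan_zone_xml: str, policy_xml: str) -> list:
    """Return findings for a LAN (internal) -> WAN (external) NAT gateway."""
    findings = []
    if zone_allows_all_input(lan_zone_xml):
        findings.append("internal zone target is ACCEPT: all gateway services, "
                        "ssh included, are reachable from the LAN; forward via a policy instead")
    if not policy_forwards(policy_xml, "internal", "external"):
        findings.append("no ACCEPT policy internal->external: forwarded LAN traffic is rejected")
    if not (has_masquerade(wan_zone_xml) or has_masquerade(policy_xml)):
        findings.append("no masquerade on the WAN zone or the policy: replies cannot be routed back")
    return findings


if __name__ == "__main__":
    for label, lan in (("weak", INTERNAL_ZONE_WEAK), ("fixed", INTERNAL_ZONE_FIXED)):
        print(label, audit(lan, EXTERNAL_ZONE, POLICY) or ["ok"])
```

Run it against the real files (for example /etc/firewalld/zones/internal.xml and /etc/firewalld/policies/internal-external.xml) by reading them into the three arguments of audit; a clean result means the LAN reaches the WAN through the policy while the gateway's own services stay behind the internal zone's service list.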
