Nikolai, 2017-06-20 13:01:27
iptables

How to implement port forwarding in firewalld?

Initial data:
1) A Debian jessie server as the gateway, which has 3 network interfaces: one facing outward (eth0), a second into the LAN (eth1), and a third (tun0) for the openvpn server
2) The first NGINX server on the local network (192.168.0.100), which has one interface with ports 80 and 443 open
3) openvpn clients that connect to the gateway and have access to the LAN
4) A second NGINX server on the LAN (192.168.0.50), which has one interface with port 80 open
On the gateway, ports 80 and 443 are forwarded to the first NGINX server, so that external connections arriving at the gateway on those ports are redirected to the first nginx server on the local network.
Task:
1) All openvpn clients connected to the gateway must have access to the second nginx server on port 80 and use the gateway to access the Internet
Since the gateway has enabled forwarding of 80 and 443 ports to the local server, all http traffic of openvpn clients also goes to it.
Here are the firewall-cmd rules

internal (active)
  interfaces: eth1
  sources: 
  services: dhcpv6-client dns http https mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
  
public (default, active)
  interfaces: eth0
  sources: 
  services: openvpn ssh
  ports: 1194/tcp 443/tcp 80/tcp
  masquerade: yes
  forward-ports: port=443:proto=tcp:toport=443:toaddr=192.168.0.100
	port=80:proto=tcp:toport=80:toaddr=192.168.0.100
  icmp-blocks: 
  rich rules: 

trusted (active)
  interfaces: lo tun0
  sources: 
  services: 
  ports: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules:

I tried removing the forwarding and adding these rules:
firewall-cmd --direct --add-rule ipv4 nat PREROUTING 0 -i eth0 -o eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.100:80
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o eth1 -p tcp -s 192.168.0.0/24 -d 192.168.0.100 --dport 80 -j SNAT --to-source 192.168.0.1:80
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o eth1 -d 192.168.0.100 -p tcp --dport 80 -j ACCEPT

This did not help: without the forward-ports, the redirect of external connections to the first NGINX server does not work.
If I remove the forward-ports, everything works for the openvpn clients.
Here is an example of a request from an openvpn client with forwarding enabled:
curl -I 192.168.0.50
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 20 Jun 2017 09:34:59 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Keep-Alive: timeout=70
Location: https://example.com/

where example.com is the DNS address of the server on the local network.
And here is the request from the same openvpn client with forwarding disabled:
curl -I 192.168.0.50
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 20 Jun 2017 09:29:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Last-Modified: Tue, 20 Jun 2017 09:29:43 GMT
X-Frame-Options: SAMEORIGIN
Set-Cookie: PHPSESSID=rft076rvb7d0a8fbou76ul5dqegvgitu; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
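As an added example (not from the question and not part of firewalld), a small Python audit script that parses the `firewall-cmd --list-all-zones` output shown above and reports every plain forward-port together with the zone it lives in, that zone's interfaces, masquerade state and whether it is the default zone; the sample listing is an abridged, constructed copy of the one in the question.

```python
import re

# Constructed sample: abridged copy of the `firewall-cmd --list-all-zones`
# output from the question (internal zone omitted).
SAMPLE = """\
public (default, active)
  interfaces: eth0
  services: openvpn ssh
  masquerade: yes
  forward-ports: port=443:proto=tcp:toport=443:toaddr=192.168.0.100
	port=80:proto=tcp:toport=80:toaddr=192.168.0.100
  rich rules: 
trusted (active)
  interfaces: lo tun0
  masquerade: yes
  forward-ports: 
"""
KEY_RE = re.compile(r"^\s+([a-z][a-z -]*):\s*(.*)$")  # "  masquerade: yes"
LINE_KEYS = {"forward-ports", "rich rules"}           # one entry per line, not per word

def parse_zones(listing):
    """Parse the listing into {zone: {"flags": [...], key: [values]}}; indented
    lines without a "key:" prefix continue the previous key (2nd forward-port)."""
    zones, zone, key = {}, None, None
    for line in listing.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                         # zone header line
            name, _, rest = line.strip().partition(" (")  # "public (default, active)"
            zone = zones.setdefault(name, {"flags": [f for f in rest.rstrip(")").split(", ") if f]})
            key = None
            continue
        m = KEY_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            zone[key] = [] if not value else ([value] if key in LINE_KEYS else value.split())
        elif key in LINE_KEYS:                            # continuation line
            zone[key].append(line.strip())
    return zones

def list_forward_ports(zones):
    """Every plain forward-port with its zone context. Plain forward-ports carry no
    source restriction (that needs a rich rule), so they apply to all traffic the zone handles."""
    report = []
    for name, z in zones.items():
        for spec in z.get("forward-ports", []):
            fp = dict(part.split("=", 1) for part in spec.split(":"))
            report.append({"zone": name, "default": "default" in z["flags"],
                           "interfaces": z.get("interfaces", []), "masquerade": z.get("masquerade") == ["yes"],
                           "port": fp["port"], "proto": fp["proto"], "to": f"{fp.get('toaddr', '')}:{fp.get('toport', fp['port'])}"})
    return report
```

Run against the real listing (`firewall-cmd --list-all-zones | python3 audit.py` style, reading stdin), the report shows which zone's forward-ports lack any source scoping, the situation the question describes for the default public zone.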
