
Thread: How to convert Susefirewall2 FW_FORWARD_MASQ to firewalld

  1. #11

    Default Re: How to convert Susefirewall2 FW_FORWARD_MASQ to firewalld

    Code:
     # lsmod | grep nf_nat_ftp
    nf_nat_ftp             16384  0
    nf_conntrack_ftp       20480  1 nf_nat_ftp
    nf_nat                 32768  6 xt_nat,nf_nat_ftp,nf_nat_masquerade_ipv6,nf_nat_ipv6,nf_nat_masquerade_ipv4,nf_nat_ipv4
    nf_conntrack          155648  15 xt_nat,nf_conntrack_ipv6,nf_conntrack_ftp,nf_conntrack_ipv4,ipt_MASQUERADE,nf_conntrack_broadcast,nf_nat_ftp,nf_nat_masquerade_ipv6,nf_conntrack_netbios_ns,nf_nat_ipv6,nf_nat_masquerade_ipv4,ip6t_MASQUERADE,xt_conntrack,nf_nat_ipv4,nf_nat

    External.xml:
    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <zone>
      <short>External</short>
      <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
      <interface name="eth3"/>
      <service name="ssh"/>
      <service name="dns"/>
      <service name="ftp"/>
      <service name="apache2"/>
      <service name="apache2-ssl"/>
      <service name="openvpn"/>
      <service name="svn"/>
      <port port="1956" protocol="tcp"/>
      <masquerade/>
      <rule family="ipv4">
        <source address="a.b.c.149"/>
        <destination address="192.168.168.5"/>
        <forward-port port="21" protocol="tcp" to-port="21"/>
        <log level="info"/>
      </rule>
      <rule family="ipv4">
        <source address="a.b.c.150"/>
        <destination address="192.168.168.6"/>
        <forward-port port="21" protocol="tcp" to-port="21"/>
        <log level="info"/>
      </rule>
      
      <rule family="ipv4">
        <source address="a.b.c.149"/>
        <destination address="192.168.168.5"/>
        <forward-port port="60000-60100" protocol="tcp" to-port="60000-60100" to-addr="192.168.168.5" />
        <log level="info"/>
      </rule>
      <rule family="ipv4">
        <source address="a.b.c.150"/>
        <destination address="192.168.168.6"/>
        <forward-port port="60000-60100" protocol="tcp" to-port="60000-60100" to-addr="192.168.168.6" />
        <log level="info"/>
      </rule>
    </zone>
    And I have no change at all: I get "ftp: connect: Connection refused" from any client to the two different servers.
    If I restart Susefirewall2 it works perfectly.

  2. #12

    Default Re: How to convert Susefirewall2 FW_FORWARD_MASQ to firewalld

    Quote Originally Posted by fmalfatto
    Code:
    ...
        <destination address="192.168.168.5"/>
        <forward-port port="21" protocol="tcp" to-port="21"/>
    ...
        <destination address="192.168.168.6"/>
        <forward-port port="21" protocol="tcp" to-port="21"/>
    I have "ftp: connect: Connection refused" from any client to the two different servers.
    If you need to-addr in one rule, you also need to-addr in the other rule.

  3. #13

    Default Resolved: How to convert Susefirewall2 FW_FORWARD_MASQ to firewalld

    TY!!!

    I was confused by the "destination address" line and the "to-addr" value. The manual is not clear about this. The destination address is the external public address where the packets are sent, and to-addr is the internal address the packets are targeted at.
    Resolved this way:

    Code:
    <rule family="ipv4">
      <destination address="a.b.c.149"/>
      <forward-port port="21" protocol="tcp" to-port="21" to-addr="192.168.168.5"/>
    </rule>
    <rule family="ipv4">
      <destination address="a.b.c.149"/>
      <forward-port port="60000-60100" protocol="tcp" to-port="60000-60100" to-addr="192.168.168.5"/>
    </rule>

    <rule family="ipv4">
      <destination address="a.b.c.150"/>
      <forward-port port="21" protocol="tcp" to-port="21" to-addr="192.168.168.6"/>
    </rule>
    <rule family="ipv4">
      <destination address="a.b.c.150"/>
      <forward-port port="60000-60100" protocol="tcp" to-port="60000-60100" to-addr="192.168.168.6"/>
    </rule>
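The confusion resolved in this thread (a rich rule whose `destination` names the internal host and whose `forward-port` lacks `to-addr`, so traffic is redirected to the firewall itself rather than DNATed to the server) is easy to catch before a reload. The following checker is an added example written for this page; it is not part of the thread or of firewalld. It parses a zone file with the standard library and flags, per rule, a `<source>` restriction on what should be a public service, a private `destination` address, a missing `to-addr`, and a port range whose length differs from its `to-port` range. The two zone strings are constructed samples modelled on the posts above, with `a.b.c.149`/`a.b.c.150` kept as the thread's placeholders for public addresses; the third rule of the broken sample is an extra mismatch case not in the thread.

```python
"""Lint firewalld zone XML for forward-port rich rules that cannot work as intended."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's non-working External.xml.
# Rule 1 names the internal host as destination and has no to-addr;
# rule 3 (added here, not from the thread) has mismatched port ranges.
BROKEN_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <interface name="eth3"/>
  <service name="ftp"/>
  <masquerade/>
  <rule family="ipv4">
    <source address="a.b.c.149"/>
    <destination address="192.168.168.5"/>
    <forward-port port="21" protocol="tcp" to-port="21"/>
    <log level="info"/>
  </rule>
  <rule family="ipv4">
    <destination address="a.b.c.149"/>
    <forward-port port="60000-60100" protocol="tcp" to-port="60000-60100" to-addr="192.168.168.5"/>
  </rule>
  <rule family="ipv4">
    <destination address="a.b.c.149"/>
    <forward-port port="60000-60100" protocol="tcp" to-port="60000" to-addr="192.168.168.5"/>
  </rule>
</zone>
"""

# Constructed sample reproducing the rules from the resolved post.
FIXED_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <masquerade/>
  <rule family="ipv4">
    <destination address="a.b.c.149"/>
    <forward-port port="21" protocol="tcp" to-port="21" to-addr="192.168.168.5"/>
  </rule>
  <rule family="ipv4">
    <destination address="a.b.c.149"/>
    <forward-port port="60000-60100" protocol="tcp" to-port="60000-60100" to-addr="192.168.168.5"/>
  </rule>
  <rule family="ipv4">
    <destination address="a.b.c.150"/>
    <forward-port port="21" protocol="tcp" to-port="21" to-addr="192.168.168.6"/>
  </rule>
  <rule family="ipv4">
    <destination address="a.b.c.150"/>
    <forward-port port="60000-60100" protocol="tcp" to-port="60000-60100" to-addr="192.168.168.6"/>
  </rule>
</zone>
"""


def is_private(addr):
    """True for RFC 1918 style addresses; unparseable placeholders such as a.b.c.149 count as public."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def port_count(spec):
    """Number of ports covered by a firewalld port spec such as '21' or '60000-60100'."""
    lo, _, hi = spec.partition("-")
    return int(hi or lo) - int(lo) + 1


def check_zone(xml_text):
    """Return (rule_number, code, message) findings for every rich rule carrying a forward-port."""
    findings = []
    root = ET.fromstring(xml_text)
    for num, rule in enumerate(root.findall("rule"), start=1):
        fwd = rule.find("forward-port")
        if fwd is None:
            continue
        src = rule.find("source")
        dst = rule.find("destination")
        if src is not None:
            findings.append((num, "source-restricted",
                             f"only clients from {src.get('address')} match; drop <source> for a public service"))
        if dst is not None and is_private(dst.get("address")):
            findings.append((num, "private-destination",
                             f"destination {dst.get('address')} is private; it must be the firewall's public address that clients connect to"))
        if fwd.get("to-addr") is None:
            findings.append((num, "missing-to-addr",
                             "forward-port without to-addr redirects to the firewall host itself, not to an internal server"))
        to_port = fwd.get("to-port")
        if to_port and port_count(fwd.get("port")) != port_count(to_port):
            findings.append((num, "range-mismatch",
                             f"port {fwd.get('port')} and to-port {to_port} cover different numbers of ports"))
    return findings


if __name__ == "__main__":
    for name, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        result = check_zone(zone)
        print(f"{name}: {len(result)} finding(s)")
        for num, code, msg in result:
            print(f"  rule {num} [{code}]: {msg}")
```

Run it against `/etc/firewalld/zones/<zone>.xml` before `firewall-cmd --reload`. The `missing-to-addr` finding is advisory: firewalld defines a `forward-port` without `to-addr` as a redirect to a local port on the firewall, which is legitimate when that is the intent, but it is exactly the pattern that produced "Connection refused" here because no FTP daemon listens on the firewall itself.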

