firewalld to allow routing without NAT between NICs
As a network administrator, I often have to set up network gear for remote sites before shipping it.

I have found it convenient to use a Linux workstation with two network cards, setting the secondary NIC to an IP address in the same subnet that the equipment I'm setting up will use at the remote site.

company network--(eth0)-- fedora --(eth1)--- config network

I've enabled routing through the workstation, and can add routes to the new subnet pointing at the Linux workstation's primary NIC and can ping through the workstation to the network gear I'm setting up, but TCP connections don't get through without shutting down firewalld.

I've looked in the GUI and searched around for how to add a rule allowing any traffic destined to the configuration network NIC's device name, but all the entries I find want to NAT/masquerade the inside network to the outside, and I don't want to do that. I occasionally need to allow access to the config network to co-workers at other sites, so masquerading would not be useful.

Also, the IP addresses of the config network are usually different for each device or set of devices I'm setting up, which is why I was hoping to find a way to set the rule by interface name vs. IP addresses.

Firewalld's rich rules have a Destination field, but it only seems to take address/mask, not interface.

Any ideas? I'm guessing I'm going to be stuck reverting to iptables vs. firewalld, and advice on switching Fedora 29 from firewalld to iptables, and the iptables command(s) to accomplish this rule, would be welcome as well.
Tags: linux, fedora, iptables, routing, firewalld
asked Jan 8 at 16:30 by Adam Johnson
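Added example, not part of the original question (the page carries no answer). firewalld on Fedora 29 is the 0.6 series, whose rich rules cannot match on an interface, but its direct rules can: they are plain iptables match arguments placed in the FORWARD_direct chain, which firewalld evaluates before any zone chain, so an `-i eth0 -o eth1 -j ACCEPT` rule permits forwarding by interface name with no MASQUERADE and no dependence on the config network's addresses. The symptom in the question (ping crosses, TCP does not) is consistent with firewalld's per-zone forward chains accepting ICMP while the default target rejects everything else that is not explicitly allowed; that reading is an assumption, not something the page states. The script below uses eth0 and eth1 from the diagram and assumes the company side is eth0; it only prints the `firewall-cmd` invocations unless run with `--apply`, so the rules can be reviewed first. Return traffic from the config network is limited to replies (conntrack ESTABLISHED,RELATED), which is the least privilege that still lets co-workers reach the gear; drop that match if the gear itself must open connections toward the company network. The host's own INPUT policy is untouched by these rules.

```shell
#!/bin/sh
# Added example (not from the original page): allow IPv4 forwarding between
# two NICs with firewalld direct rules, matched by interface, without NAT.
# Assumptions: eth0 faces the company network, eth1 the config network,
# firewalld 0.6 on Fedora 29. Nothing is changed unless run with --apply.
set -eu

WAN_IF="${WAN_IF:-eth0}"   # company network side (assumed)
LAN_IF="${LAN_IF:-eth1}"   # config network side (assumed)
PRIO=0                     # priority inside firewalld's FORWARD_direct chain

# Print the direct-rule argument list, one rule per line, in the form
# firewall-cmd --direct expects: <ipv4|ipv6> <table> <chain> <priority> <args>.
# Rule 1: anything arriving on the company NIC and leaving on the config NIC.
# Rule 2: only replies to those flows go back out the company NIC.
# Remove "-m conntrack --ctstate ESTABLISHED,RELATED" from rule 2 if the gear
# must initiate connections toward the company network.
fw_forward_rules() {
    wan="$1"; lan="$2"
    printf 'ipv4 filter FORWARD %s -i %s -o %s -j ACCEPT\n' "$PRIO" "$wan" "$lan"
    printf 'ipv4 filter FORWARD %s -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$PRIO" "$lan" "$wan"
}

# Render one rule line as the permanent firewall-cmd invocation that installs it.
fw_cmd_for() {
    printf 'firewall-cmd --permanent --direct --add-rule %s\n' "$1"
}

# Apply: ensure the kernel forwards, install the rules, reload, show them.
fw_apply() {
    if [ "$(sysctl -n net.ipv4.ip_forward)" != "1" ]; then
        printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-forward.conf
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
    fi
    fw_forward_rules "$WAN_IF" "$LAN_IF" | while IFS= read -r rule; do
        # Word splitting of $rule is intended: each token is one argument.
        # shellcheck disable=SC2086
        firewall-cmd --permanent --direct --add-rule $rule
    done
    firewall-cmd --reload
    # Verify the rules landed; they should be listed under "ipv4 filter FORWARD".
    firewall-cmd --direct --get-all-rules
}

case "${1:-}" in
    --apply) fw_apply ;;
    *) fw_forward_rules "$WAN_IF" "$LAN_IF" | while IFS= read -r rule; do
           fw_cmd_for "$rule"
       done ;;
esac
```

Run it once with no arguments to see the two `firewall-cmd --permanent --direct --add-rule ...` lines, then with `--apply` as root. The rules survive `firewall-cmd --reload` because they are stored permanently, and `firewall-cmd --direct --get-all-rules` shows them for later audit. On firewalld 0.9 and later the same intent is expressed with a policy object (an ingress zone, an egress zone and target ACCEPT) rather than direct rules, which those versions deprecate.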