firewalld to allow routing without NAT between NICs












0















As a network adminstrator, I often have to set up network gear for remote sites before shipping it.



I have found it convenient to use a linux workstation with two network cards, setting the secondary NIC to an IP address in the same subnet as the equipment I'm setting up will use in the remote site.



company network--(eth0)-- fedora --(eth1)--- config network



I've enabled routing through the workstation, and can add routes to the new subnet pointing at the linux workstation's primary NIC and can ping through the workstation to the network gear I'm setting up, but tcp connections don't get through without shutting down firewalld.



I've looked in the gui and searched around for how to add a rule allowing any traffic destined to the configuration network NIC's device name, but all the entries I find want to NAT/Masquerade the inside network to the outside, and I don't want to do that - I occasionally need to allow access to the config network to co-workers at other sites, so masquerading would not be useful



Also, the IP addresses of the config network are usually different for each device or set of devices I'm setting up, which is why I was hoping to find a way to set the rule by interface name vs. IP addresses.



Firewalld's Rich Rules has a Destination field, but it only seems to take address/mask, not interface.



Any ideas? I'm guessing I'm going to be stuck reverting to iptables vs. firewalld, and advice on switching Fedora 29 from firewalld to iptables and iptables command(s) to accomplish this rule would be welcome as well.










share|improve this question







New contributor




Adam Johnson is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

























    0















    As a network adminstrator, I often have to set up network gear for remote sites before shipping it.



    I have found it convenient to use a linux workstation with two network cards, setting the secondary NIC to an IP address in the same subnet as the equipment I'm setting up will use in the remote site.



    company network--(eth0)-- fedora --(eth1)--- config network



    I've enabled routing through the workstation, and can add routes to the new subnet pointing at the linux workstation's primary NIC and can ping through the workstation to the network gear I'm setting up, but tcp connections don't get through without shutting down firewalld.



    I've looked in the gui and searched around for how to add a rule allowing any traffic destined to the configuration network NIC's device name, but all the entries I find want to NAT/Masquerade the inside network to the outside, and I don't want to do that - I occasionally need to allow access to the config network to co-workers at other sites, so masquerading would not be useful



    Also, the IP addresses of the config network are usually different for each device or set of devices I'm setting up, which is why I was hoping to find a way to set the rule by interface name vs. IP addresses.



    Firewalld's Rich Rules has a Destination field, but it only seems to take address/mask, not interface.



    Any ideas? I'm guessing I'm going to be stuck reverting to iptables vs. firewalld, and advice on switching Fedora 29 from firewalld to iptables and iptables command(s) to accomplish this rule would be welcome as well.










    share|improve this question







    New contributor




    Adam Johnson is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.























      0












      0








      0








      As a network adminstrator, I often have to set up network gear for remote sites before shipping it.



      I have found it convenient to use a linux workstation with two network cards, setting the secondary NIC to an IP address in the same subnet as the equipment I'm setting up will use in the remote site.



      company network--(eth0)-- fedora --(eth1)--- config network



      I've enabled routing through the workstation, and can add routes to the new subnet pointing at the linux workstation's primary NIC and can ping through the workstation to the network gear I'm setting up, but tcp connections don't get through without shutting down firewalld.



      I've looked in the gui and searched around for how to add a rule allowing any traffic destined to the configuration network NIC's device name, but all the entries I find want to NAT/Masquerade the inside network to the outside, and I don't want to do that - I occasionally need to allow access to the config network to co-workers at other sites, so masquerading would not be useful



      Also, the IP addresses of the config network are usually different for each device or set of devices I'm setting up, which is why I was hoping to find a way to set the rule by interface name vs. IP addresses.



      Firewalld's Rich Rules has a Destination field, but it only seems to take address/mask, not interface.



      Any ideas? I'm guessing I'm going to be stuck reverting to iptables vs. firewalld, and advice on switching Fedora 29 from firewalld to iptables and iptables command(s) to accomplish this rule would be welcome as well.










      share|improve this question







      New contributor




      Adam Johnson is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.












      As a network adminstrator, I often have to set up network gear for remote sites before shipping it.



      I have found it convenient to use a linux workstation with two network cards, setting the secondary NIC to an IP address in the same subnet as the equipment I'm setting up will use in the remote site.



      company network--(eth0)-- fedora --(eth1)--- config network



      I've enabled routing through the workstation, and can add routes to the new subnet pointing at the linux workstation's primary NIC and can ping through the workstation to the network gear I'm setting up, but tcp connections don't get through without shutting down firewalld.



      I've looked in the gui and searched around for how to add a rule allowing any traffic destined to the configuration network NIC's device name, but all the entries I find want to NAT/Masquerade the inside network to the outside, and I don't want to do that - I occasionally need to allow access to the config network to co-workers at other sites, so masquerading would not be useful



      Also, the IP addresses of the config network are usually different for each device or set of devices I'm setting up, which is why I was hoping to find a way to set the rule by interface name vs. IP addresses.



      Firewalld's Rich Rules has a Destination field, but it only seems to take address/mask, not interface.



      Any ideas? I'm guessing I'm going to be stuck reverting to iptables vs. firewalld, and advice on switching Fedora 29 from firewalld to iptables and iptables command(s) to accomplish this rule would be welcome as well.







      linux fedora iptables routing firewalld






      share|improve this question







      New contributor




      Adam Johnson is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question







      New contributor




      Adam Johnson is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question






      New contributor




      Adam Johnson is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked Jan 8 at 16:30









      Adam JohnsonAdam Johnson

      211




      211




      New contributor




      Adam Johnson is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Adam Johnson is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Adam Johnson is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          0






          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "106"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });






          Adam Johnson is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f493275%2ffirewalld-to-allow-routing-without-nat-between-nics%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          Adam Johnson is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          Adam Johnson is a new contributor. Be nice, and check out our Code of Conduct.













          Adam Johnson is a new contributor. Be nice, and check out our Code of Conduct.












          Adam Johnson is a new contributor. Be nice, and check out our Code of Conduct.
















          Thanks for contributing an answer to Unix & Linux Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f493275%2ffirewalld-to-allow-routing-without-nat-between-nics%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          How to make a Squid Proxy server?

          Is this a new Fibonacci Identity?

          19世紀