
for various reasons I have had to adopt CentOS 7 as a public facing firewall machine implementing NAT and a few other bits and pieces.

Seems easy enough.

My basic strategy is to assign the outside interface to the "Drop" zone for max security and the inside interface to the "Internal" zone in firewalld, I then add masquerade to the Drop zone and NAT appears to work from Inside->Outside (Internal->Drop) just fine.

However, I have not yet found a way to block certain ports from translating from in->out, or in other words, I cannot find an elegant (or even a working) way to stop firewalld from translating based on destination port for the trusted network. So my goal would be to say, for example, do not masquerade outbound port 100/tcp.

Is there a way to do this? Or am I going about this all wrong?

1 Answer

firewalld's current masquerading support is relatively basic. For what you want to achieve, you need to use either direct rules or rich rules. The argument is quite complex, and I am not sure a single answer can cover all cases.

So let me point you in the right direction: have a look here, here and here.

shodanshok
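The direct-rule route the answer points at, written out as an added example (this is not shodanshok's code and not part of the original thread). It assumes the outside interface is `eth0` in the `drop` zone, the inside interface is `eth1` in the `internal` zone, and that 100/tcp is the port to keep from leaving; all three are assumptions and can be overridden through the environment. With `DRY_RUN=1` (the default) the functions only print the `firewall-cmd` lines they would run, so the policy can be reviewed on any host before it is applied on the firewall itself with `DRY_RUN=0 ./nat-policy.sh apply`.

```shell
#!/bin/sh
# Added example: keep one inside->outside tcp port from being forwarded/masqueraded
# on a CentOS 7 firewalld NAT box, using firewalld direct rules.
# Assumed layout (change via environment): eth0 = outside (zone drop),
# eth1 = inside (zone internal). Direct rules land in the *_direct chains,
# which firewalld evaluates before its zone chains, so they win over the
# zone's masquerade setting.

OUTSIDE_IF="${OUTSIDE_IF:-eth0}"   # assumption: public interface, zone "drop"
INSIDE_IF="${INSIDE_IF:-eth1}"     # assumption: trusted interface, zone "internal"
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if $1 is a tcp/udp port number in 1..65535, 2 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 2
}

# Option A (what "do not let port N out" almost always means in practice):
# reject the inside->outside forward for that destination port in the filter
# table, so the packet never reaches nat POSTROUTING and is never masqueraded.
block_forward_rule() {
    valid_port "$1" || return 2
    run firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -i "$INSIDE_IF" -o "$OUTSIDE_IF" -p tcp --dport "$1" -j REJECT
}

# Option B (the literal request): let the packet be forwarded but exempt it from
# masquerade. In the nat table, ACCEPT means "do no NAT for this packet", and
# POSTROUTING_direct runs before the zone masquerade rule, so the packet leaves
# with its private source address. That is rarely useful on a public link,
# which is why Option A is normally the one to apply.
exempt_masquerade_rule() {
    valid_port "$1" || return 2
    run firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 \
        -o "$OUTSIDE_IF" -p tcp --dport "$1" -j ACCEPT
}

# Apply Option A for every port given, then reload so the permanent direct
# rules become active. Returns 2 on the first bad port without touching anything.
apply_policy() {
    for p in "$@"; do
        valid_port "$p" || return 2
    done
    for p in "$@"; do
        block_forward_rule "$p"
    done
    run firewall-cmd --reload
}

# Usage: DRY_RUN=0 ./nat-policy.sh apply 100 [more ports...]
if [ "${1:-}" = "apply" ]; then
    shift
    apply_policy "$@"
fi
```

Checking the result on the firewall: `firewall-cmd --direct --get-all-rules` lists the installed direct rules, and `iptables -t filter -L FORWARD_direct -n -v` shows whether the REJECT counter moves when a client on the inside tries the blocked port. A rich rule in the `internal` zone (`rule family=ipv4 port port=100 protocol=tcp reject`) is the other route the answer mentions; on the firewalld shipped with CentOS 7 zone rules are applied to forwarded traffic entering through the zone's interfaces as well, but the direct rule above states the interface pair explicitly and is easier to audit.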