
I have the following two zones in firewalld:

zone1 (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources:
  services:
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=80:toaddr=192.168.0.1
        port=443:proto=tcp:toport=443:toaddr=192.168.0.1
  source-ports:
  icmp-blocks:
  rich rules:

zone2 (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1:0
  sources:
  services:
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=80:toaddr=192.168.0.2
        port=443:proto=tcp:toport=443:toaddr=192.168.0.2
  source-ports:
  icmp-blocks:
  rich rules:

eth1 is a real NIC at 172.16.1.1, and eth1:0 is a virtual NIC at 172.16.1.2, on one physical machine.

They are set by

ifconfig eth1 172.16.1.1
ifconfig eth1:0 172.16.1.2

What I need is to be able to see the website on 192.168.0.1 when I hit 172.16.1.1 with a web browser, and the website on 192.168.0.2 when I hit 172.16.1.2 with a web browser.

E. g. I want to forward the traffic through ports 80 and 443 to 192.168.0.1 on eth1 (172.16.1.1) and 192.168.0.2 on eth1:0 (172.16.1.2).

With the above config, firewalld / iptables IGNORES eth1:0 - e. g. if I hit 172.16.1.1 I get the website on 192.168.0.1. BUT if I hit 172.16.1.2 I -still- get the website on 192.168.0.1, NOT 192.168.0.2

E. g. the virtual NIC eth1:0 appears to be equivalent to firewalld as eth1 - HTTP traffic on port 80 to either 172.16.1.1 (eth1) or 172.16.1.2 (eth1:0) all gets sent to 192.168.0.1, ignoring the forward rules set on eth1:0.

How can I get firewalld / iptables controlled by firewalld to

forward traffic received on :80 and :443 on 172.16.1.1 (eth1) to 192.168.0.1

and

forward traffic received on :80 and :443 on 172.16.1.2 (eth1:0) to 192.168.0.2

and not just forward all traffic on both 172.16.1.1 and 172.16.1.2 to 192.168.0.1?

Thx!

Stefan

1 Answer


Ok this was solved by abandoning firewalld and using iptables:

The commands below allow me to do exactly what I need, e. g. an HTTP request to

172.16.1.1 - on eth0
172.16.1.2 - on eth1

gets forwarded to different machines on

192.168.0.1
192.168.0.2

depending on if 172.16.1.1 or 172.16.1.2 is hit with the HTTP request to port 80.

systemctl restart iptables
systemctl restart rsyslog
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

iptables -t nat -A PREROUTING -d 172.16.1.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:80
iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.1 --dport 80 -j SNAT --to-source 172.16.1.1

iptables -t nat -A PREROUTING -d 172.16.1.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.2 --dport 80 -j SNAT --to-source 172.16.1.2

The above code allows me to hit my "proxy" server on either its 172.16.1.1 or 172.16.1.2 NICs' IP addresses, and get the HTTP requests forwarded to 192.168.0.1 if 172.16.1.1 is hit, or to 192.168.0.2 if 172.16.1.2 is hit.

This is exactly what the ticket was for, so this is solved.

Regards

Stefan

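As an added example (not the poster's script), here is a POSIX shell script that generalizes the accepted answer to both ports 80 and 443 the question asks for. The reason the firewalld zone on eth1:0 had no effect is that an alias like eth1:0 is not an interface to the kernel, only a label for a second address on eth1, so every packet to 172.16.1.1 or 172.16.1.2 arrives on eth1 and interface-bound rules (firewalld zones, iptables -i) cannot tell them apart; matching on the destination address, as the answer's -d does, is what works. (firewalld's rich-rule language also has a destination address= match that can carry a forward-port, which is the firewalld-native way to express the same thing.) The script keeps the answer's DNAT/SNAT pair per address and additionally sets a DROP policy on FORWARD with explicit accepts for the mapped ports only, since "iptables -F" empties the FORWARD chain and leaves whatever policy was configured. MAPPING, PORTS, APPLY and the function names are assumptions for this example; by default it only prints the commands, and APPLY=1 runs them and enables ip_forward.

```shell
#!/bin/sh
# Added example, not the poster's script: emit per-destination-address
# DNAT/SNAT rules for a "front IP -> backend IP" mapping. Rules match on -d,
# never on an interface, because eth1:0 is only a second address on eth1.

# Mapping (constructed for this example): "front_ip backend_ip" per line.
MAPPING='172.16.1.1 192.168.0.1
172.16.1.2 192.168.0.2'
# Ports to forward for every mapping.
PORTS="80 443"

# Print the NAT and FORWARD rules for one front/backend pair and one port.
nat_rules() {
    front=$1; backend=$2; port=$3
    # Rewrite the destination to the backend (same as the answer's DNAT line).
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$front" "$port" "$backend" "$port"
    # Make replies come back through this host (same as the answer's SNAT line).
    printf 'iptables -t nat -A POSTROUTING -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$backend" "$port" "$front"
    # Only the mapped port to the mapped backend may be forwarded, plus its replies.
    printf 'iptables -A FORWARD -d %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$backend" "$port"
    printf 'iptables -A FORWARD -s %s -p tcp --sport %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$backend" "$port"
}

# Print the complete rule set: default-deny FORWARD, then one block per mapping/port.
all_rules() {
    echo 'iptables -P FORWARD DROP'
    echo "$MAPPING" | while read -r front backend; do
        for p in $PORTS; do
            nat_rules "$front" "$backend" "$p"
        done
    done
}

# Number of commands that would be issued (handy for a sanity check).
count_rules() { all_rules | wc -l | tr -d ' '; }

# APPLY=1 executes the commands; the default only prints them for review.
if [ "${APPLY:-0}" = "1" ]; then
    sysctl -w net.ipv4.ip_forward=1
    all_rules | sh -e
else
    all_rules
fi
```

Review the printed commands first, then run with APPLY=1 on the forwarding host; the answer's flush commands (iptables -F, -t nat -F) still belong before it if you want a clean slate.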