On CentOS 7 with firewalld I have a box with numerous interfaces acting
as a NAT gateway. This works but I noticed that it routes/forwards
traffic not just from my internal zone to external zone but also between
interfaces within the internal zone. How can I prevent that traffic?
I've tried adding direct and rich rules to deny the traffic but it
doesn't work. Direct:
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 10.110.4.0/22 -d
10.110.0.0/22 -j REJECT
That command works, and I see it in `iptables -L` but traffic is still
allowed. Rich:
# firewall-cmd --zone=trusted --add-rich-rule='rule family=ipv4 source
address=10.110.4.0/22 destination address=10.110.0.0/22 reject'
Error: INVALID_RULE: destination action
I can't find any explanation of what that error means. So, how do you
tell firewalld to stop forwarding traffic between interfaces?
# firewall-cmd --get-active-zones
public
interfaces: ens161 ens193
trusted
interfaces: ens192 ens224 ens256 lo
# firewall-cmd --list-all
public (default, active)
interfaces: ens161 ens193
sources:
services: dhcpv6-client ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
--
Jeff White
HPC Systems Engineer
Information Technology Services - WSU
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
