Centos 7 Router & firewalld
After much digging and keyboard smashing, I found that the following direct rich rules on the FORWARD chain will enable a successful ssh connection. Someone wiser may be able to provide a more elegant solution.
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens224 -o ens192 -p tcp --sport 22 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens192 -o ens224 -p tcp --dport 22 -j ACCEPT
The importance of this post/question cannot be overestimated. In fact, this situation arises generically in a setup where we have a private (NAT-ed) network behind a linux router, where, some of the machines in the private network have been assigned public IP addesses.
In other words, we have:
[pc's with local 10.0.0.0/24, and some public 20.0.0.0/24] > --- [router with 10... and 20... address on internal side]---WAN
The "internal" interface ens224 of the router (of the OP) has thus two ip's, say 10.0.0.1 and 20.0.0.1. Now, having masquerade: yeson the egress of ens192 is inconvenient, as it would mask the true origin of the packets coming from public IP's of the interfaces with 20.0.0.0/24 addresses, and can be replaced by a direct rule of the sort:
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.0.0.0/24 -j MASQUERADE,
but what is central to the question is the point, that once we enable firewalld it starts to act as... well... a firewall. That is, it will inspect all ens192-inbound and all ens224-inbound packets. In the absence of direct rules, as indicated by the accepted answer, the packets are rejected with a verbose explaination (CentOS 7):
- on the router (
tcpdump)ICMP host 20.0.0.2 unreachable - admin prohibited, - on the external peer (
telnet 20.0.0.2 22)Unable to connect to remote host: No route to host,
Unless somebody comes up with a better rule, the solution provided by the OP seems the most elegant one, but is very detailed indeed:
- all traffic to chosen ports in the internal network must explicitly be allowed by direct rules of the sort:
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens192 -o ens224 -p tcp --dport 22 -j ACCEPT,firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens192 -o ens224 -p tcp --dport 80 -j ACCEPT(etc) - all traffic outbound from the internal network (in my case, from the
20.0.0.0/24network), must explicitly be allowed; here I'm usingfirewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens224 -j ACCEPT
What we (or at least I am) missing here is a possibility to define an IP-range based "zone" with a chance to pass egress traffic only destined to selected ports. I don't know if this is at all possible with firewalld.