1.9. Configuring NAT by using firewalld
With firewalld, you can configure the masquerading, destination NAT (DNAT), and redirect NAT types. With NAT, you can modify the source or destination IP address.
1.9.1. Network address translation types
If you require network address translation (NAT) in your network, it is important to understand the NAT types.
These are the different NAT types:
- Masquerading
  Use this NAT type to change the source IP address of packets. For example, Internet Service Providers (ISPs) do not route private IP ranges, such as 10.0.0.0/8. If you use private IP ranges in your network and users should be able to reach servers on the internet, map the source IP address of packets from these ranges to a public IP address. Masquerading automatically uses the IP address of the outgoing interface. Therefore, use masquerading if the outgoing interface uses a dynamic IP address.
- Destination NAT (DNAT)
  Use this NAT type to rewrite the destination address and port of incoming packets. For example, if your web server uses an IP address from a private IP range and is, therefore, not directly accessible from the internet, you can set a DNAT rule on the router to redirect incoming traffic to this server.
- Redirect
  This type is a special case of DNAT that redirects packets to a different port on the local machine. For example, if a service runs on a different port than its standard port, you can redirect incoming traffic from the standard port to this specific port.
1.9.2. Configuring IP address masquerading
You can enable IP masquerading on your system. IP masquerading hides individual machines behind a gateway when accessing the internet.
Procedure
- To check if IP masquerading is enabled (for example, for the external zone), enter the following command as root:
  # firewall-cmd --zone=external --query-masquerade
  The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise. If zone is omitted, the default zone will be used.
- To enable IP masquerading, enter the following command as root:
  # firewall-cmd --zone=external --add-masquerade
  To make this setting persistent, pass the --permanent option to the command.
- To disable IP masquerading, enter the following command as root:
  # firewall-cmd --zone=external --remove-masquerade
  To make this setting permanent, pass the --permanent option to the command.
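The exit-status contract above (0 for yes, 1 for no, anything else an error) and the split between runtime and permanent state are what an automated check has to get right. The following is an added example, not code from the firewalld project or this documentation: it wraps firewall-cmd --query-masquerade, reports the runtime and permanent state side by side so that drift is visible, and only issues --add-masquerade or --remove-masquerade for the scope that actually differs. The FakeFirewalld class is a constructed stand-in for firewall-cmd so that the logic can be exercised without root or a running firewalld; the 112 status it returns for an unknown zone models firewalld's INVALID_ZONE error.

```python
"""Inspect and reconcile firewalld masquerading for a zone (added example).

Wraps 'firewall-cmd --query-masquerade', interprets its exit status
(0 = yes, 1 = no, anything else = error), compares runtime with permanent
state, and only issues --add/--remove-masquerade where the two differ.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Sequence

# A runner receives firewall-cmd arguments and returns the exit status.
# It is injectable so the logic can be exercised without a live firewalld.
Runner = Callable[[Sequence[str]], int]


def run_firewall_cmd(args: Sequence[str]) -> int:
    """Default runner: invoke the real firewall-cmd (requires root and firewalld)."""
    result = subprocess.run(["firewall-cmd", *args], stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL, check=False)
    return result.returncode


def _scope_args(zone: Optional[str], permanent: bool) -> List[str]:
    args = ["--permanent"] if permanent else []
    if zone:  # omitting --zone makes firewall-cmd use the default zone
        args.append(f"--zone={zone}")
    return args


def query_masquerade(zone: Optional[str], permanent: bool = False,
                     runner: Runner = run_firewall_cmd) -> bool:
    """True if masquerading is enabled. Exit status 0 means yes, 1 means no;
    any other status (for example, an unknown zone) is treated as an error."""
    rc = runner(_scope_args(zone, permanent) + ["--query-masquerade"])
    if rc == 0:
        return True
    if rc == 1:
        return False
    raise RuntimeError(f"firewall-cmd --query-masquerade failed with exit status {rc}")


def masquerade_state(zone: Optional[str], runner: Runner = run_firewall_cmd) -> Dict[str, bool]:
    """Runtime and permanent state side by side; a mismatch means they have drifted."""
    return {"runtime": query_masquerade(zone, False, runner),
            "permanent": query_masquerade(zone, True, runner)}


def ensure_masquerade(zone: str, enabled: bool,
                      runner: Runner = run_firewall_cmd) -> List[List[str]]:
    """Make runtime and permanent configuration match 'enabled'.
    Returns the argument lists actually issued (empty when nothing had to change)."""
    action = "--add-masquerade" if enabled else "--remove-masquerade"
    issued: List[List[str]] = []
    for scope, current in masquerade_state(zone, runner).items():
        if current == enabled:
            continue
        args = _scope_args(zone, scope == "permanent") + [action]
        rc = runner(args)
        if rc != 0:
            raise RuntimeError(f"firewall-cmd {' '.join(args)} failed with exit status {rc}")
        issued.append(args)
    return issued


class FakeFirewalld:
    """Constructed stand-in for firewall-cmd so the example runs offline.
    Tracks runtime and permanent masquerade flags for a single zone."""

    def __init__(self, runtime: bool = False, permanent: bool = False, zone: str = "external"):
        self.state = {"runtime": runtime, "permanent": permanent}
        self.zone = zone

    def __call__(self, args: Sequence[str]) -> int:
        if f"--zone={self.zone}" not in args:
            return 112  # error status other than 0/1 (firewalld's INVALID_ZONE code)
        scope = "permanent" if "--permanent" in args else "runtime"
        if "--query-masquerade" in args:
            return 0 if self.state[scope] else 1
        if "--add-masquerade" in args:
            self.state[scope] = True
            return 0
        if "--remove-masquerade" in args:
            self.state[scope] = False
            return 0
        return 2


if __name__ == "__main__":
    fake = FakeFirewalld(runtime=True, permanent=False)  # enabled at runtime only
    print("before:", masquerade_state("external", fake))
    print("issued:", ensure_masquerade("external", True, fake))
    print("after: ", masquerade_state("external", fake))
```

Replace the fake runner with the default run_firewall_cmd to act on a real host; the state comparison is the useful part, because a masquerade rule that exists only at runtime silently disappears at the next reboot or --reload.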
1.9.3. Using DNAT to forward incoming HTTP traffic
You can use destination network address translation (DNAT) to direct incoming traffic from one destination address and port to another. Typically, this is useful for redirecting incoming requests from an external network interface to specific internal servers or services.
Prerequisites
- The firewalld service is running.
Procedure
- Forward incoming HTTP traffic:
  # firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=198.51.100.10:toport=8080 --permanent
  The previous command defines a DNAT rule with the following settings:
  - --zone=public - The firewall zone for which you configure the DNAT rule. You can adjust this to whatever zone you need.
  - --add-forward-port - The option that indicates you are adding a port-forwarding rule.
  - port=80 - The external destination port.
  - proto=tcp - The protocol indicating that you forward TCP traffic.
  - toaddr=198.51.100.10 - The destination IP address.
  - toport=8080 - The destination port of the internal server.
  - --permanent - The option that makes the DNAT rule persistent across reboots.
- Reload the firewall configuration to apply the changes:
  # firewall-cmd --reload
Verification
Verify the DNAT rule for the firewall zone that you used:
# firewall-cmd --list-forward-ports --zone=public
port=80:proto=tcp:toport=8080:toaddr=198.51.100.10
Alternatively, view the corresponding XML configuration file:
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <forward-port port="80" protocol="tcp" to-port="8080" to-addr="198.51.100.10"/>
  <forward/>
</zone>
1.9.4. Redirecting traffic from a non-standard port to make the web service accessible on a standard port
You can use the redirect mechanism to make the web service that internally runs on a non-standard port accessible without requiring users to specify the port in the URL.
If you use redirect, the URLs are simpler and provide a better browsing experience, while a non-standard port is still used internally or for specific requirements.
Prerequisites
- The firewalld service is running.
Procedure
- Create the NAT redirect rule:
  # firewall-cmd --zone=public --add-forward-port=port=<standard_port>:proto=tcp:toport=<non_standard_port> --permanent
  The previous command defines the NAT redirect rule with the following settings:
  - --zone=public - The firewall zone for which you configure the rule. You can adjust this to whatever zone you need.
  - --add-forward-port=port=<standard_port> - The option that indicates you are adding a port-forwarding (redirecting) rule, together with the source port on which you initially receive the incoming traffic.
  - proto=tcp - The protocol indicating that you redirect TCP traffic.
  - toport=<non_standard_port> - The destination port to which the incoming traffic is redirected after being received on the source port. Because no toaddr is given, the traffic stays on the local machine.
  - --permanent - The option that makes the rule persist across reboots.
- Reload the firewall configuration to apply the changes:
  # firewall-cmd --reload
Verification
Verify the redirect rule for the firewall zone that you used:
# firewall-cmd --list-forward-ports
port=8080:proto=tcp:toport=80:toaddr=
Alternatively, view the corresponding XML configuration file:
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <forward-port port="8080" protocol="tcp" to-port="80"/>
  <forward/>
</zone>
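Both verification steps (this one and the one in 1.9.3) rely on reading the same two artifacts: the lines printed by firewall-cmd --list-forward-ports and the forward-port elements in the zone XML. The following is an added example, not code from the firewalld project or this documentation: it parses both forms into one record type, distinguishes a redirect (no toaddr) from a DNAT rule, and reports drift between the active rule set and the permanent configuration, which is what you see when a --permanent rule was added but --reload was never run. The sample output and XML are constructed to mirror the examples on this page; the IPv6 target used in the test is an assumption about the output format, handled by splitting only at known field names.

```python
"""Audit firewalld forward-port rules (DNAT and redirect) offline (added example).

Parses the text that 'firewall-cmd --list-forward-ports' prints and the
<forward-port> elements of a zone XML file, then reports drift between the
runtime rule set and the permanent configuration.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ForwardPort:
    port: str
    proto: str
    toport: str = ""
    toaddr: str = ""

    @property
    def is_redirect(self) -> bool:
        # A redirect is DNAT with no target address: the packet stays on this host.
        return self.toaddr == ""


# Split only at separators that start a known field, so a colon inside an
# IPv6 target address does not break the rule apart.
_FIELD_SEP = re.compile(r":(?=(?:port|proto|toport|toaddr)=)")


def parse_list_output(text: str) -> List[ForwardPort]:
    """Parse lines such as 'port=80:proto=tcp:toport=8080:toaddr=198.51.100.10'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields: Dict[str, str] = {}
        for item in _FIELD_SEP.split(line):
            key, _, value = item.partition("=")
            fields[key] = value
        rules.append(ForwardPort(fields.get("port", ""), fields.get("proto", ""),
                                 fields.get("toport", ""), fields.get("toaddr", "")))
    return rules


def parse_zone_xml(text: str) -> List[ForwardPort]:
    """Extract <forward-port .../> elements from the content of /etc/firewalld/zones/<zone>.xml."""
    root = ET.fromstring(text)
    return [ForwardPort(e.get("port", ""), e.get("protocol", ""),
                        e.get("to-port", ""), e.get("to-addr", ""))
            for e in root.iter("forward-port")]


def find_drift(runtime: List[ForwardPort],
               permanent: List[ForwardPort]) -> Dict[str, List[ForwardPort]]:
    """Rules present in only one of the two rule sets, in their original order."""
    return {
        "runtime_only": [r for r in runtime if r not in permanent],
        "permanent_only": [r for r in permanent if r not in runtime],
    }


# Constructed sample data mirroring the page's examples. The runtime output
# lacks the redirect rule, modelling a host where --reload has not been run.
SAMPLE_LIST_OUTPUT = "port=80:proto=tcp:toport=8080:toaddr=198.51.100.10\n"
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <forward-port port="80" protocol="tcp" to-port="8080" to-addr="198.51.100.10"/>
  <forward-port port="8080" protocol="tcp" to-port="80"/>
  <forward/>
</zone>
"""

if __name__ == "__main__":
    permanent = parse_zone_xml(SAMPLE_ZONE_XML)
    runtime = parse_list_output(SAMPLE_LIST_OUTPUT)
    for rule in permanent:
        kind = "redirect" if rule.is_redirect else "DNAT"
        print(f"{kind}: {rule.proto}/{rule.port} -> {rule.toaddr or 'localhost'}:{rule.toport}")
    print("permanent but not active:", find_drift(runtime, permanent)["permanent_only"])
```

On a real host, feed parse_list_output the output of firewall-cmd --list-forward-ports --zone=<zone> and parse_zone_xml the contents of /etc/firewalld/zones/<zone>.xml; a non-empty runtime_only list is worth investigating, since such a rule was added without --permanent and will not survive a reboot.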