Firewalld Forwarding Functionality with Wireguard
Solution 1:
From your previous UFW question, sounds like you're using WireGuard for two purposes?: 1) forward traffic from a WireGuard client of your VPS out to the Internet, and 2) forward a few public ports from your VPS back to the WireGuard client. You need masquerading (aka SNAT) for 1) and port forwarding (aka DNAT) for 2).
The simplest way to set this up with firewalld is to bind your VPS's public Ethernet interface (eth0
in your case) to firewalld's predefined external
zone, and your VPS's WireGuard interface (wg0
in your case) to firewalld's predefined internal
zone. The external
zone comes preconfigured with masquerading enabled; and both zones also come preconfigured to accept SSH and a few other services.
First open your VPS's WireGuard listen port (49503
in your case) on the external
zone:
$ sudo firewall-cmd --zone=external --add-port=49503/udp
And forward port TCP 56000
on the external
zone to the same port on 10.66.66.2
:
$ sudo firewall-cmd --zone=external --add-forward-port='port=56000:proto=tcp:toaddr=10.66.66.2'
Then bind eth0
to the external
zone (which applies firewalld's configuration for the external
zone to all eth0
connections):
$ sudo firewall-cmd --zone=external --add-interface=eth0
And bind wg0
to the internal
zone:
$ sudo firewall-cmd --zone=internal --add-interface=wg0
Check your active zones:
$ sudo firewall-cmd --get-active-zones
external
interfaces: eth0
internal
interfaces: wg0
And check the configuration of your external
zone:
$ sudo firewall-cmd --info-zone=external
external (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh
ports: 49503/udp
protocols:
masquerade: yes
forward-ports: port=56000:proto=tcp:toaddr=10.66.66.2
source-ports:
icmp-blocks:
rich rules:
If everything's working correctly, save your current firewalld settings:
$ sudo firewall-cmd --runtime-to-permanent