I'm working on setting up Cuckoo Sandbox and I have several IPTables rules that need to be converted to Firewalld rules.
Here's the reference page for the Cuckoo Sandbox install guide: http://docs.cuckoosandbox.org/en/latest/installation/guest/network/#virtual-networking
The 3 lines that I need to convert from IPTables format are (Subnet removed):
iptables -A FORWARD -o eth0 -i vboxnet0 -s 0.0.0.0/0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
I've made an attempt to convert the rules and implement them using firewall-cmd, and here are the three updated rules that I came up with:
firewall-cmd --permanent --direct --add-rule ipv4 -A FORWARD -o eth0 -i vboxnet0 -s 0.0.0.0/0 -m conntrack --ctstate NEW -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter POSTROUTING 0 -t nat -j MASQUERADE
However, when I attempt to add one of the above rules using sudo firewall-cmd, I get a response that says:
wrong priority
usage: --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
What am I doing wrong?
Thanks for any help!
It looks like you have just copied and pasted your iptables arguments to the back of a firewall-cmd command: that will not work. The error message is telling you that it is not finding what it expects after 'ipv4': table, chain, priority and args. You need something like:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
You can add MASQUERADE in a couple of ways:
firewall-cmd --permanent --zone=external --add-masquerade
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o eth1 -j MASQUERADE
Here is a good reference for getting started with firewalld: https://www.certdepot.net/rhel7-get-started-firewalld/
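As an added illustration of the answer's point (example code, not part of either post): a small POSIX shell helper that rewrites the question's three iptables rules into the table/chain/priority/args form that firewall-cmd --direct expects. It only prints the resulting commands so they can be reviewed before being applied; the interface names eth0 and vboxnet0 are taken from the question, and priority 0 is assumed as in the answer.

```shell
#!/bin/sh
# Convert one iptables rule (the words after "iptables") into the equivalent
# firewalld direct rule. -t and -A are consumed here because firewall-cmd
# wants them as separate <table> <chain> positions, not inside <args>.
# The command is printed, not executed, so it can be inspected first.
iptables_to_direct() {
    table=filter      # iptables default table when -t is omitted
    chain=""
    priority=0        # assumed, as in the answer's examples
    args=""
    while [ $# -gt 0 ]; do
        case "$1" in
            iptables) ;;                         # tolerate a leading "iptables"
            -t|--table) table="$2"; shift ;;
            -A|--append) chain="$2"; shift ;;
            *) args="$args $1" ;;                # everything else is <args>
        esac
        shift
    done
    if [ -z "$chain" ]; then
        echo "iptables_to_direct: no chain given (-A CHAIN missing)" >&2
        return 1
    fi
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 %s %s %s%s\n' \
        "$table" "$chain" "$priority" "$args"
}

# The three rules from the question, converted. Note the third one lands in
# the nat table, not filter, which is what the original attempt got wrong.
convert_cuckoo_rules() {
    iptables_to_direct -A FORWARD -o eth0 -i vboxnet0 -s 0.0.0.0/0 \
        -m conntrack --ctstate NEW -j ACCEPT
    iptables_to_direct -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables_to_direct -A POSTROUTING -t nat -j MASQUERADE
}
```

Pipe the output of convert_cuckoo_rules into sh (or run each line under sudo) once the generated commands look right, then run firewall-cmd --reload so the permanent rules take effect.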