On CentOS 7 with firewalld I have a box with numerous interfaces acting as a NAT gateway. This works but I noticed that it routes/forwards traffic not just from my internal zone to external zone but also between interfaces within the internal zone. How can I prevent that traffic?
I've tried adding direct and rich rules to deny the traffic but it doesn't work. Direct:
```
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 10.110.4.0/22 -d 10.110.0.0/22 -j REJECT
```
That command works, and I see it in `iptables -L` but traffic is still allowed. Rich:
```
# firewall-cmd --zone=trusted --add-rich-rule='rule family=ipv4 source address=10.110.4.0/22 destination address=10.110.0.0/22 reject'
Error: INVALID_RULE: destination action
```
I can't find any explanation of what that error means. So, how do you tell firewalld to stop forwarding traffic between interfaces?
```
# firewall-cmd --get-active-zones
public
  interfaces: ens161 ens193
trusted
  interfaces: ens192 ens224 ens256 lo
```

```
# firewall-cmd --list-all
public (default, active)
  interfaces: ens161 ens193
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
```
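As an added example (not part of the question): packets a gateway forwards between interfaces traverse the netfilter FORWARD chain, never INPUT, so a direct rule placed in INPUT shows up in `iptables -L` but is never consulted for that traffic. The script below builds the equivalent direct rules for the FORWARD chain, both directions, for the two subnets in the question; `DRY_RUN=1` prints the commands instead of applying them, and the `verify` helper (assumed name) shows where to look for the result.

```shell
#!/bin/sh
# Block forwarding between two subnets that share a firewalld zone by adding
# direct rules to the FORWARD chain (firewalld places direct rules in its
# FORWARD_direct chain, which is evaluated before the zone forwarding rules).
# Subnets below are the ones from the question; nothing here is applied
# unless DRY_RUN is unset or 0 and the script runs as root on the gateway.

block_forward_between() {
  # $1 and $2 are CIDR subnets; traffic is rejected in both directions.
  net_a="$1"
  net_b="$2"
  for pair in "$net_a $net_b" "$net_b $net_a"; do
    # shellcheck disable=SC2086  # word splitting of $pair is intended
    set -- $pair
    cmd="firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -s $1 -d $2 -j REJECT"
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "$cmd"
    else
      $cmd || return 1
    fi
  done
}

# After --permanent rules are added they must be loaded into the running config.
apply_rules() {
  [ "${DRY_RUN:-0}" = "1" ] && { echo "firewall-cmd --reload"; return 0; }
  firewall-cmd --reload
}

# Show the rules firewalld knows about and the chain the kernel actually uses.
verify() {
  firewall-cmd --direct --get-all-rules
  iptables -L FORWARD_direct -n -v
}

# Example use with the subnets from the question (dry run by default here).
DRY_RUN=${DRY_RUN:-1} block_forward_between 10.110.4.0/22 10.110.0.0/22
DRY_RUN=${DRY_RUN:-1} apply_rules
```

Run with `DRY_RUN=0` as root to apply; the rules block all cross-subnet forwarding, so add narrower ACCEPT rules at a lower priority first if some traffic between the subnets must stay reachable.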