My host network interface has got two IPs. Currently, I'm running my VMs in a routed network.
Host's network interface is a member of public zone in firewalld, with both forward and masquerade enabled.
With the setup described before, the VM is able to connect to the Internet and I can add port forwardings to VM with firewalld's --add-forward-port.
However, now I want to change one of my VMs' outlet IP (the IP that masqueraded to) to another IP that available in my host's network interface.
I've tried to add a SNAT rule to my nftables since firewalld doesn't support it. The command I used was nft add rule nat POSTROUTING snat to ip saddr map { <VM's IP> : <public ip> }, this causes the VM disconnected from the Internet but still be able to connect with port forwarding set in firewalld.
I searched Google about this and didn't find much information about this.
Here are some configurations.
The default public IP is redacted to 10.0.0.1, and the secondary public IP is redacted to 10.0.0.2.
The VM 1's NAT IP is redacted to 192.168.122.1, and the VM 2's NAT IP is redacted to 192.168.122.2.
FirewallD
libvirt (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: virbr0
sources:
services: custom--ms-wbt-server-ms-wbt-server dhcp dhcpv6 dns ssh tftp
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
public (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0f0
sources:
services: cockpit dhcpv6-client libvirt libvirt-tls mdns ssh steam-streaming vnc-server
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="10.0.0.2" forward-port port="33412" protocol="tcp" to-port="3389" to-addr="192.168.122.2" # another public ip is the ip that i want to change to
rule family="ipv4" destination address="10.0.0.1" forward-port port="33411" protocol="udp" to-port="3389" to-addr="192.168.122.1" # default public ip is the default outlet ip
rule family="ipv4" destination address="10.0.0.1" forward-port port="33411" protocol="tcp" to-port="3389" to-addr="192.168.122.1"
rule family="ipv4" destination address="10.0.0.2" forward-port port="33412" protocol="udp" to-port="3389" to-addr="192.168.122.2"
virsh
<network connections='2'>
<name>default</name>
<uuid>(network uuid)</uuid>
<forward mode='route'/>
<bridge name='virbr0' stp='on' delay='0'/>
<mac address='<mac address>'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.2' end='192.168.122.254'/>
</dhcp>
</ip>
</network>
ip addr
enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether <mac address> brd ff:ff:ff:ff:ff:ff
inet 10.0.0.1/24 brd <broadcast addr> scope global noprefixroute enp1s0f0
valid_lft forever preferred_lft forever
inet 10.0.0.2/25 brd <broadcast addr> scope global noprefixroute enp1s0f0
valid_lft forever preferred_lft forever
ip route
default via <default public ip gateway> dev enp1s0f0 proto static metric 100
<default public ip subnet> dev enp1s0f0 proto kernel scope link src 10.0.0.1 metric 100
<secondary public ip subnet> dev enp1s0f0 proto kernel scope link src 10.0.0.2 metric 100
<virsh network subnet> dev virbr0 proto kernel scope link src 192.168.122.1
My server is running Fedora 37 with firewalld 1.2.2 and nftables 1.0.4.
