我一直在 Google 上搜索,尝试将我用于某些 wireguard 规则的 iptables 脚本转换为本机的 firewalld 规则,因为我读过的有关 iptables 的所有文档都表明:
- iptables 已被弃用(并且已经有一段时间了),并且如果不在每次启动时或在运行时使用 bash 脚本重新插入规则,规则在重启后将不会保留。
- 如果使用firewalld,nftables 也不会持久
- 无论如何,短暂的规则从一开始就不是那么有趣。
在我看来,firewalld 0.9.3 似乎已经能够实现 iptables 规则(即直接规则)所做的事情,但在 google 搜索中找到的文档似乎相互矛盾或过于简洁,我无法理解。由于我想在本机使用 firewalld,因此需要将以下脚本中的直接规则转换为丰富规则,但我不知道如何完成此操作,因为大多数教程甚至还没有使用较新的方法。
我要转换的 iptables 脚本是这里。下面是我使用本机防火墙语法编写的可行 bash 脚本;我遇到的问题在于直接规则。如何将下面的 3 条直接规则转换为本机丰富规则?
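#!/bin/bash
# Apply (default) or remove ("down" as $1) the firewalld configuration of a
# WireGuard gateway: public mail/web services, the WireGuard listen port, zone
# masquerading, and the NAT rules that forward mail ports to a WireGuard peer.
# Every change is made twice, first against the runtime configuration and
# then against the permanent one, so it takes effect immediately and also
# survives a reboot.
#
# Usage: firewall.sh [down]
#
# Any failing firewall-cmd call aborts the script (set -e): a firewall that is
# only half applied is worse than one that is not applied at all, and the
# trace from set -x shows exactly which step failed.
set -euo pipefail
set -x

# --add installs (default); --remove is selected by passing "down" as $1.
# "${1-}" keeps the script usable without arguments under set -u.
ADDREMOVE='--add'
if [[ "${1-}" == "down" ]]; then
  ADDREMOVE='--remove'
fi
readonly ADDREMOVE

# Public wireguard port
readonly wg_listen_port=51820
# SET WIREGUARD INTERFACE NAME
readonly wg=wg0
# Local private ip (the address WireGuard traffic leaving the subnet is SNATed to)
readonly ip4_localip=10.0.0.11
# SET PUBLIC IP INTERFACE NAME
readonly ni=enp0s3
# wireguard subnet vars
readonly ip4_wg_subnet=10.20.100
readonly ip4_wg_net="${ip4_wg_subnet}.0/24"
readonly ip4_wg_source="${ip4_wg_subnet}.10"
readonly ip4_wg_dest="${ip4_wg_subnet}.11"

# Services opened in the public zone, and the mail ports that are forwarded
# to the WireGuard peer. Arrays avoid relying on word-splitting of a string.
readonly -a PUBLIC_SERVICES=(http https imap imaps pop3 pop3s smtp smtps smtp-submission docker-registry)
readonly -a FORWARD_PORTS=(25 110 143 465 587 993 995 4190)

#######################################
# Apply one firewall-cmd change to the runtime configuration, then to the
# permanent configuration (the same order the original script used).
# Arguments: the firewall-cmd arguments, e.g. --zone=public --add-service=http
# Returns:   non-zero (and, under set -e, exits) if either call fails
#######################################
fw() {
  sudo firewall-cmd "$@"
  sudo firewall-cmd --permanent "$@"
}

# Add service ports to public zone
for svc in "${PUBLIC_SERVICES[@]}"; do
  fw --zone=public "${ADDREMOVE}-service=${svc}"
done

# Set wireguard public zone listen port
fw --zone=public "${ADDREMOVE}-port=${wg_listen_port}/udp"

# Enable masquerade on the public zone
fw --zone=public "${ADDREMOVE}-masquerade"

# Add the wireguard interface to the trusted zone
fw --zone=trusted "${ADDREMOVE}-interface=${wg}"

# Add the wireguard subnet as a trusted zone source
fw --zone=trusted "${ADDREMOVE}-source=${ip4_wg_net}"

# Enable masquerade on the trusted zone
fw --zone=trusted "${ADDREMOVE}-masquerade"

# Set the wireguard source and destination SNAT target to the host ip.
# Kept as a direct rule: the rich-rule language offers masquerade but no SNAT
# to a fixed address, so this one has no native rich-rule equivalent.
fw --direct "${ADDREMOVE}-rule" ipv4 nat POSTROUTING 0 \
  -s "${ip4_wg_net}" ! -d "${ip4_wg_net}" -j SNAT --to "${ip4_localip}"

# Mail services forwarding rules
for port in "${FORWARD_PORTS[@]}"; do
  # Allow host traffic to specified ports on the wireguard subnet.
  # The whole rich rule is one argument; building it inside one double-quoted
  # string avoids the fragile '…'$var'…' quote juggling.
  fw --zone=trusted "${ADDREMOVE}-rich-rule=rule family=ipv4 source address=${ip4_localip}/32 destination address=${ip4_wg_net} port port=${port} protocol=tcp accept"

  # Forward traffic from public interface to destination address on specified ports.
  # NOTE(review): a DNAT of this shape is what the rich-rule "forward-port"
  # element (port/protocol/to-addr) on the public zone expresses without
  # --direct; confirm the exact syntax against firewalld.richlanguage(5) for
  # the installed version before replacing this direct rule.
  fw --direct "${ADDREMOVE}-rule" ipv4 nat PREROUTING 0 \
    -i "${ni}" -p tcp --dport "${port}" -j DNAT --to-destination "${ip4_wg_dest}"

  # Forward traffic from wireguard interface to source address on specified ports.
  # Like the first SNAT rule, this rewrites the source to a fixed address and
  # therefore stays a direct rule.
  fw --direct "${ADDREMOVE}-rule" ipv4 nat POSTROUTING 0 \
    -o "${wg}" -p tcp --dport "${port}" -d "${ip4_wg_dest}" -j SNAT --to-source "${ip4_wg_source}"
done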