Managing Internal and External networks using firewall-cmd on CentOS-7 and Rocky Linux 8


Compute Nodes in an HPC environment are usually physically isolated from the public network and has to route through the gateway which are often found in Head Node or any delegated Node in small or small-medium size cluster to access the internet or to access company LAN to access LDAP, you can use the firewall-cmd to route the traffic through the interconnect facing the internet.


Traffic will be routed through the Head Node’s eno1 (internet facing) from the Head Node’s eno2 (private network). The interconnect eno1 is attached to a switch where the compute nodes are similarly attached. Some

  1. is the private network subnet.
  2. is the IP Address of the Head Node
  3. is the IP Address of the external-facing ethernet ie eno1

Check the zones.

# firewall-cmd --list-all-zones

Check the Active Zones

# firewall-cmd --get-active-zones
  interfaces: eno2
  interfaces: eno1

Enable masquerade at the Head Node’s External Zone

IP masquerading is a process where one computer acts as an IP gateway for a network. For masquerading, the gateway dynamically looks up the IP of the outgoing interface all the time and replaces the source address in the packets with this address.

You use masquerading if the IP of the outgoing interface can change. A typical use case for masquerading is if a router replaces the private IP addresses, which are not routed on the internet, with the public dynamic IP address of the outgoing interface on the router.

For more information. Do take a look at 5.10. Configuring IP Address Masquerading

# firewall-cmd --zone=external --query-masquerade 
# firewall-cmd --zone=external --add-masquerade --permanent
# firewall-cmd --reload

Compute Nodes at the Private Network 

(Assuming that eno1 is connected to the private switch). It is very important that you input the gateway at the compute node’s /etc/sysconfig/network-scripts/ifcfg-eno1)

IPADDR= #Internal IP Address of the Compute Node
GATEWAY= #Internal IP Address of the Head Node

Configure the Head Node’s External Zone.

There are three options – defaultACCEPTREJECT, and DROP. By setting the target to ACCEPT, you accept all incoming packets except those disabled by a specific rule. If you set the target to REJECT or DROP, you disable all incoming packets except those that you have allowed in specific rules. When packets are rejected, the source machine is informed about the rejection, while there is no information sent when the packets are dropped. 5.7.8. Using Zone Targets to Set Default Behavior for Incoming Traffic

# firewall-cmd --zone=external --set-target=default

You can configure other settings. For the External Zone. For example, add SSH Service, mDNS

# firewall-cmd --permanent --zone=external --add-service=ssh
# firewall-cmd --permanent --zone=external --add-service=mdns
# firewall-cmd --runtime-to-permanent
# firewall-cmd --reload

It is possible to define different sets of rules for different zones and then change the settings quickly by changing the zone for the interface that is being used. With multiple interfaces, a specific zone can be set for each of them to distinguish traffic that is coming through them. 51.6.4. Assigning a network interface to a zone

# firewall-cmd --zone=external --change-interface=eno2 --permanent

Configure the Head Node’s Internal Zone.

You can use the same firewall-cmd to configure the below configuration if you need the services.

# firewall-cmd --zone=trusted --list-all
trusted (active)
  target: default
  icmp-block-inversion: no
  interfaces: ib1 enp6s0f3
  services: dhcpv6-client ssh nfs mountd rpc-bind http https tftp
  ports: 15001-15007/tcp 15001-15007/udp 
  masquerade: no
  rich rules:

Check the Firewall Status

systemctl status firewalld.service