Description
What would you like to be added
Instead of masquerade I need source-NAT functionality, and of course also destination-NAT. Maybe something like <snat to-source="IP Address" /> inside a policy would be nice, and
Why is this needed
I don't want to masquerade the traffic to the IP address of the outgoing interface. Instead the traffic should be sourced to another public IP. In my case it is required to forward the traffic on the router from the different internal sub-networks to the internet, where all hosts of a subnet should appear with their own public IPv4 address. The other way round should also be possible: incoming traffic is forwarded to the right subnet depending on the destination address used. Therefore I also need DNAT.
Here is an example of my old setup with iptables rules: all packets from the 10.1.0.0/16 subnet (subnet_c interface) that are forwarded to the router interface are source-NATed to 212.51.145.61. All incoming packets with destination 212.51.145.61 are destination-NATed to a default host inside the 10.1.0.0/16 subnet. In this case it is 10.1.1.1.
```shell
iptables -t nat -A NET_ROUTER_POSTROUTING -o router -s 10.1.0.0/16 -j SNAT --to-source 212.51.145.61
iptables -t nat -A NET_ROUTER_PREROUTING -i router -d 212.51.145.61 -j DNAT --to-destination 10.1.1.1
```
In the new firewalld setup, router is in the external zone and 10.1.0.0/16 is in the subnet_c zone:
```xml
<zone
  ...
  <interface name="router"/>
  <rule family="ipv4">
    <destination address="212.51.145.61"/>
    <dnat to-destination="10.1.1.1"/>
  </rule>
</zone>
<zone
  ...
  <interface name="subnet_c"/>
  <rule family="ipv4">
    <source address="10.1.0.0/16"/>
    <snat to-source="212.51.145.61"/>
  </rule>
</zone>
```
or with a policy:
```xml
<policy target="CONTINUE">
  <ingress-zone name="subnet_c"/>
  <egress-zone name="router"/>
  <snat to-source="212.51.145.61"/>
</policy>
```
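The rule pair from the old iptables setup, generalised to several subnets as the post asks for, as an added example that is not code from the issue or from firewalld. It assumes the chain names NET_ROUTER_PREROUTING / NET_ROUTER_POSTROUTING and the interface name router from the post; the second subnet (10.2.0.0/16 mapped to 212.51.145.62 with default host 10.2.1.1) is constructed. The functions print the commands instead of running them, so the result can be reviewed before being applied as root. Two points the post leaves implicit: the custom chains only see traffic if they exist and are jumped to from the built-in PREROUTING/POSTROUTING chains (the hook_rules function prints that plumbing), and the nat table is consulted only for the first packet of a connection, so replies to SNATed flows are reverse-translated by conntrack and never reach the DNAT rule, while every new inbound connection to the public address, on any port, lands on the default host unless the filter FORWARD chain restricts it. Since firewalld's backend is nftables, nft_rules prints the equivalent nft commands for an `ip nat` table whose prerouting/postrouting chains are assumed to exist.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or from firewalld: emit per-subnet
# 1:1 SNAT/DNAT rule pairs in the form used in the post, plus the nftables
# equivalent. Chain and interface names come from the post; the second
# subnet below (10.2.0.0/16 -> 212.51.145.62, host 10.2.1.1) is constructed.
set -eu

OUT_IF=router   # interface in the external zone (name from the post)

# ip2int: dotted quad -> 32-bit integer, e.g. 10.1.1.1 -> 167837953
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR CIDR: succeed if ADDR lies inside CIDR (network bits match)
in_subnet() {
  local net=${2%/*} bits=${2#*/}
  local mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# hook_rules: the custom chains from the post only see traffic if they exist
# and are reached from the built-in nat chains; print that plumbing once.
hook_rules() {
  printf 'iptables -t nat -N NET_ROUTER_PREROUTING\n'
  printf 'iptables -t nat -N NET_ROUTER_POSTROUTING\n'
  printf 'iptables -t nat -A PREROUTING -i %s -j NET_ROUTER_PREROUTING\n' "$OUT_IF"
  printf 'iptables -t nat -A POSTROUTING -o %s -j NET_ROUTER_POSTROUTING\n' "$OUT_IF"
}

# nat_rules SUBNET PUBLIC_IP DEFAULT_HOST: print the SNAT rule (forwarded
# traffic from SUBNET leaving via $OUT_IF appears as PUBLIC_IP) and the DNAT
# rule (new inbound connections to PUBLIC_IP go to DEFAULT_HOST). A default
# host outside the subnet would silently black-hole inbound traffic, so it
# is rejected here.
nat_rules() {
  local subnet=$1 public=$2 host=$3
  in_subnet "$host" "$subnet" || { echo "default host $host is not in $subnet" >&2; return 1; }
  printf 'iptables -t nat -A NET_ROUTER_POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' "$OUT_IF" "$subnet" "$public"
  printf 'iptables -t nat -A NET_ROUTER_PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' "$OUT_IF" "$public" "$host"
}

# nft_rules SUBNET PUBLIC_IP DEFAULT_HOST: the same pair for nftables
# (firewalld's backend), assuming an "ip nat" table whose prerouting and
# postrouting chains carry the dstnat/srcnat hooks.
nft_rules() {
  local subnet=$1 public=$2 host=$3
  in_subnet "$host" "$subnet" || return 1
  printf 'nft add rule ip nat postrouting oifname "%s" ip saddr %s snat to %s\n' "$OUT_IF" "$subnet" "$public"
  printf 'nft add rule ip nat prerouting iifname "%s" ip daddr %s dnat to %s\n' "$OUT_IF" "$public" "$host"
}

# Demo: the subnet from the post plus one constructed second subnet. Only the
# first packet of a connection consults these rules; replies are
# reverse-translated by conntrack, so the DNAT rule never sees them.
hook_rules
nat_rules 10.1.0.0/16 212.51.145.61 10.1.1.1
nat_rules 10.2.0.0/16 212.51.145.62 10.2.1.1
```

Run the script and pipe its output into a shell as root once it reads as intended; pair the DNAT rule with a FORWARD-chain filter that limits which ports on the default host are reachable from outside.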