So my setup is the following:
A: PrivIP: 172.16.1.1 PublicIP: 212.1.2.3
B: PrivIP: 10.123.0.1 (Interface: dummyip, don't ask why I named it like that) PublicIP: 213.1.2.3 (Interface: eth0)
They are both connected via a StrongSwan VPN. And now the problem: I have also activated firewalld (and I noticed it is using nftables).
If I ping from B (10.123.0.1) to A (172.16.0.1) with firewalld active, it's not working because it's SNATing. If I deactivate it, it's working.
Conntrack looks like this with firewalld active:
[NEW] icmp 1 30 src=10.123.0.1 dst=172.16.1.1 type=8 code=0 id=54 [UNREPLIED] src=172.16.1.1 dst=213.1.2.3 type=0 code=0 id=54
And if I deactivate it, conntrack -E -n logically shows nothing, because no NAT is happening and everything works.
I'm not a Linux specialist, so if anything is missing just ask and I will provide the information.
Thank you very much!
EDIT: I found out how to solve it, but cannot make it permanent. In the public zone of the nft inet firewalld table I did the following:
nft replace rule inet firewalld nat_POST_public_allow handle 186 meta nfproto ipv4 oifname != "lo" ip saddr != 10.123.0.0/24 masquerade
Now I just don't know how to make it persistent after restarting firewalld. I thought about a script?
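One way to script the fix from the EDIT, as an added example that is not part of the original post: the rule handle ("handle 186") is reassigned every time firewalld rebuilds its chains, so a script has to look the current handle up with `nft -a list chain` before calling `nft replace rule`. The chain name `nat_POST_public_allow` and the subnet `10.123.0.0/24` are taken from the post; the listing embedded below is a constructed sample of `nft -a` output used only so the handle parsing can be checked without a live firewalld.

```shell
#!/bin/sh
# Hypothetical helper, not firewalld's or StrongSwan's own tooling.
# Re-applies "don't masquerade traffic from the VPN subnet" to the
# masquerade rule that firewalld generates for the public zone.

VPN_SUBNET="10.123.0.0/24"      # subnet to exclude from SNAT (from the post)
CHAIN="nat_POST_public_allow"   # firewalld chain named in the post

# Constructed sample of `nft -a list chain inet firewalld nat_POST_public_allow`
# output; the handle number here is the one from the post and is NOT stable
# across `firewall-cmd --reload` or a firewalld restart.
SAMPLE_LISTING='table inet firewalld {
	chain nat_POST_public_allow {
		meta nfproto ipv4 oifname != "lo" masquerade # handle 186
	}
}'

# Read a chain listing on stdin, print the handle of its first masquerade rule.
masquerade_handle() {
    sed -n 's/.* masquerade # handle \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if the listing on stdin already carries the saddr exclusion
# (makes re-running the script after a reload harmless).
already_fixed() {
    grep -qF "ip saddr != $VPN_SUBNET masquerade"
}

# Print the nft command that would be run for a given handle (for logging).
replacement_cmd() {
    printf 'nft replace rule inet firewalld %s handle %s meta nfproto ipv4 oifname != "lo" ip saddr != %s masquerade\n' \
        "$CHAIN" "$1" "$VPN_SUBNET"
}

# Look the live handle up and rewrite the rule in place (needs root and nft).
apply_fix() {
    listing=$(nft -a list chain inet firewalld "$CHAIN") || return 1
    if printf '%s\n' "$listing" | already_fixed; then
        echo "exclusion already present in $CHAIN"
        return 0
    fi
    handle=$(printf '%s\n' "$listing" | masquerade_handle)
    if [ -z "$handle" ]; then
        echo "no masquerade rule found in $CHAIN" >&2
        return 1
    fi
    echo "running: $(replacement_cmd "$handle")"
    nft replace rule inet firewalld "$CHAIN" handle "$handle" \
        meta nfproto ipv4 oifname != "lo" ip saddr != "$VPN_SUBNET" masquerade
}

# Only touch the live ruleset when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    apply_fix
fi
```

Run it as `sh fix-masq.sh --apply` after every `firewall-cmd --reload` or firewalld restart; a systemd drop-in with `ExecStartPost=` on `firewalld.service` covers the restart case, but a plain `firewall-cmd --reload` does not re-run it, so the script still has to be called after each reload. Afterwards, `conntrack -E -n` should no longer show a `dst=213.1.2.3` translation for pings to 172.16.1.1.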