Until last month we were using iptables in our CentOS 7 VM to do port forwarding from 53 to 8600. We observed that in some VMs the iptables rules were just vanishing (not sure about the exact reason behind it), and we ended up adding the iptables rules again. We suspected firewalld might be erasing the rules provided in iptables, so we added port forwarding rules in firewalld like below. After adding the firewalld rules we were not able to access Google Cloud APIs, like GCS Storage to store snapshots. When we disable the firewalld service we are able to access the same.
Can you please help us with the questions below:
a. Can we disable firewalld and use only iptables to do port forwarding? Would there be any issues?
b. If we use firewalld instead of iptables, is there any rule to be applied to access the GCS bucket or Google Cloud APIs?
Firewalld rules:
firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p tcp --dport 53 -j REDIRECT --to-ports 8600
firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p udp --dport 53 -j REDIRECT --to-ports 8600
firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p tcp --dport 53 -j REDIRECT --to-ports 8600
firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p udp --dport 53 -j REDIRECT --to-ports 8600
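To notice when the 53 -> 8600 redirects "vanish" before users do, a small drift check is useful. The following is an added example, not code from the post: it parses the output of `iptables -t nat -S` (the real command; with firewalld's iptables backend the direct rules land in chains named PREROUTING_direct / OUTPUT_direct, which is handled) and reports which of the four expected REDIRECT rules are missing. The sample dump is constructed for the example.

```python
"""Drift check: are the expected 53 -> 8600 REDIRECT rules still in the live NAT table?"""
import shlex
import subprocess

# The four rules from the post, as (chain, proto, dport, to_ports).
EXPECTED = {
    ("PREROUTING", "tcp", "53", "8600"),
    ("PREROUTING", "udp", "53", "8600"),
    ("OUTPUT", "tcp", "53", "8600"),
    ("OUTPUT", "udp", "53", "8600"),
}

def parse_redirects(dump):
    """Return the set of (chain, proto, dport, to_ports) REDIRECT rules found in an
    `iptables -S` dump. The firewalld '_direct' chain suffix is stripped so the
    rule compares equal whether it was loaded by iptables or by firewalld."""
    found = set()
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":      # only rule lines, not -P/-N
            continue
        opts, i = {}, 2
        while i < len(tok):                     # collect "-opt value" pairs
            if tok[i].startswith("-") and i + 1 < len(tok) and not tok[i + 1].startswith("-"):
                opts[tok[i]] = tok[i + 1]
                i += 2
            else:
                i += 1
        if opts.get("-j") != "REDIRECT":
            continue
        chain = tok[1][:-len("_direct")] if tok[1].endswith("_direct") else tok[1]
        found.add((chain, opts.get("-p"), opts.get("--dport"), opts.get("--to-ports")))
    return found

def missing_redirects(dump, expected=EXPECTED):
    """Expected rules absent from the dump; an empty set means no drift."""
    return set(expected) - parse_redirects(dump)

def live_nat_dump():
    """Read the live table (needs root and iptables on the VM)."""
    return subprocess.run(["iptables", "-t", "nat", "-S"], check=True,
                          capture_output=True, text=True).stdout

# Constructed sample: a VM where the UDP redirect in OUTPUT has disappeared.
SAMPLE_DUMP = """\
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N PREROUTING_direct
-N OUTPUT_direct
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_direct -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
-A PREROUTING_direct -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
-A OUTPUT_direct -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
"""

if __name__ == "__main__":
    gone = missing_redirects(SAMPLE_DUMP)   # swap in live_nat_dump() on the VM
    print("missing:", sorted(gone) if gone else "none")
```

Run it from cron or a monitoring check with `missing_redirects(live_nat_dump())` and alert on a non-empty result; a non-empty set right after a `firewall-cmd --reload` is the signature of runtime rules that were never made `--permanent`.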
I am setting up firewalld on CentOS 7 and am not yet familiar with the process for setting rules. I would like to blanket deny internet access for all applications and processes. I would then add specific whitelist access rules for a small number of applications that require access.
Can someone point me to a write up on how to set up rules like this?
I have a setup with three different zones: external, internal and dmz.
In the dmz I have a DNS server and in the internal zone I have a DHCP server; these servers are set up with fixed addresses. Another server is set up as a router with firewalld, and this is connected to these 3 zones.
When I activate firewalld, nslookup from the DHCP server is blocked by the firewall. I made a trace with tcpdump on port 53. I can see that the packets are received by the firewall on the incoming side (internal zone) but they are not sent out to the dmz.
(PS! If I change FirewallBackend from nftables to iptables then it works as in CentOS 7.)
Here are the rules that I use:
# Assigning interface to the zones
firewall-cmd --zone=external --change-interface=ens33
firewall-cmd --zone=internal --change-interface=ens37
firewall-cmd --zone=dmz --change-interface=ens38
# From the trusted zone (internal) allow traffic to DMZ
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens37 -o ens38 -j ACCEPT # This rule does not work with nftables
# Only answer back is allowed from dmz
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens38 -o ens37 -m state --state RELATED,ESTABLISHED -j ACCEPT
firewall-cmd --zone=dmz --add-service=mdns
firewall-cmd --zone=dmz --add-service=dns
and much more, but it is not relevant here.