ip6tables equivalent for NAT?
by Kenneth Porter
I finally got an ISP connection with working IPv6 and now I need to add
firewall rules for forwarding connections from my LAN to the WAN. I'm using
firewalld to handle the high-level description that gets translated to
iptables/ip6tables on CentOS 7.
Of course, with IPv6, one doesn't do NAT, so the usual masquerade target
doesn't make sense. But I want similar connection logic, with no inbound
connections allowed to LAN clients and all outbound connections allowed.
How does one express this in either firewalld or its ip6tables "direct
rules"?
I don't currently need port-forwarding to internal servers but, for
completeness, what would such rules look like?
3 years, 9 months
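As an added example (not from the original post and not firewalld's own code), the connection logic described above in ip6tables-restore form, together with the same two rules expressed as firewalld direct rules. The interface names, the inbound server address 2001:db8::10 and port 443 are assumptions; with IPv6 the "port forward" needs no DNAT, it is just a permitted new inbound connection to a globally routable LAN address.

```shell
#!/bin/sh
# Stateful IPv6 forwarding without NAT (added example; interface names are
# placeholders). Emits a filter-table ruleset for ip6tables-restore.
gen_v6_forward_rules() {
    lan="$1"; wan="$2"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies and related packets of known connections, in either direction.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# IPv6 relies on ICMPv6 (path MTU discovery, neighbour discovery); keep it.
-A FORWARD -p ipv6-icmp -j ACCEPT
# The "masquerade" equivalent: new connections may only originate on the LAN.
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
# "Port forwarding" without DNAT: one host/port reachable from the WAN
# (2001:db8::10 and 443 are assumed example values).
-A FORWARD -i $wan -o $lan -d 2001:db8::10 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Anything else that reaches the end of the chain is refused.
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
}

# Same policy as firewalld direct rules. firewalld's own FORWARD chain already
# accepts RELATED,ESTABLISHED, runs FORWARD_direct before the zone chains and
# ends in REJECT, so only the two NEW-connection rules are needed.
gen_firewalld_direct_rules() {
    lan="$1"; wan="$2"
    cat <<EOF
firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 1 -i $wan -o $lan -d 2001:db8::10 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
firewall-cmd --reload
EOF
}
```

Apply the first form with `gen_v6_forward_rules br0 eth0 | ip6tables-restore --test` to syntax-check it before loading it for real.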
Confusing output from firewall-cmd
by Ed Greshko
I think the following is a "bug" even if it is just minor. This is on F32.
[root@meimei ~]# firewall-cmd --get-active-zone
libvirt
interfaces: virbr0
public
interfaces: wlp4s0 enp2s0
The following seems correct for enp2s0.
[egreshko@meimei ~]$ firewall-cmd --get-zone-of-interface=enp2s0
public
[root@meimei ~]# firewall-cmd --query-interface=enp2s0
yes
But then for virbr0
[root@meimei ~]# firewall-cmd --get-zone-of-interface=virbr0
libvirt
Seems fine, yet this is "no"
[root@meimei ~]# firewall-cmd --query-interface=virbr0
no
but
[root@meimei ~]# firewall-cmd --zone=libvirt --query-interface=virbr0
yes
To make matters more confusing to me.
[root@meimei ~]# firewall-cmd --list-interfaces
wlp4s0 enp2s0
Why isn't virbr0 listed when --get-active-zone shows that as an interface?
--
The key to getting good answers is to ask good questions.
3 years, 10 months
Cannot resolve outbound host on OpenVPN server
by Geoff Jankowski
I have two servers, both set up (bar names) identically. Both are on VPS, one uses the host dhcp setting for interfaces and dns, the other uses its own dns server and network interface settings.
I have duplicated iptables.up.rules on both servers, so I am reasonably confident that is not the issue. From my client Mac I can connect to both VPN servers. One works perfectly; the other does not, as it stops all internet traffic, with the occasional message (on whatsmyip, for example) "cannot resolve host".
I think my OpenVPN setup is fine and it is an underlying network issue causing the problem, but I am not experienced enough to find or even understand it! So I am posting the problematic details to see if anyone can offer some guidance.
To be clear, I did not generate these iptables rules. They were generated by firewalld or the server or both, with some intervention by me, i.e., masquerading, and I am not a firewall expert! I am happy to simplify them if it can be done, but the most important item is to understand why it works on one server but not the other.
Ta.
*filter
:INPUT_ZONES_SOURCE - [0:0]
:FWDO_public - [0:0]
:FORWARD ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:OUTPUT_direct - [0:0]
:FORWARD_IN_ZONES - [0:0]
:FWDI_public - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:INPUT ACCEPT [0:0]
:FWDO_public_log - [0:0]
:IN_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:OUTPUT ACCEPT [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_allow - [0:0]
:IN_public_log - [0:0]
:IN_public_allow - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public_log - [0:0]
:IN_public_deny - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A INPUT_direct -p tcp -m multiport -m set -j REJECT --reject-with icmp-port-unreachable --dports 22 --match-set f2b-sshd src
-A INPUT_direct -p tcp -m multiport -m set -j REJECT --reject-with icmp-port-unreachable --dports 10000 --match-set f2b-webmin-auth src
-A INPUT_ZONES -i eth0 -g IN_public
-A INPUT_ZONES -g IN_public
-A FORWARD_IN_ZONES -i eth0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o eth0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 22 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 25 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 465 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 21 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 110 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 995 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 143 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 993 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 80 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 443 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp -m conntrack --dport 1194 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 587 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 53 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 20 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 2222 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 10000:10100 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p tcp -m tcp -m conntrack --dport 20000 --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp -m conntrack --dport 53 --ctstate NEW,UNTRACKED -j ACCEPT
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
COMMIT
*mangle
:PREROUTING_ZONES_SOURCE - [0:0]
:PRE_public - [0:0]
:PRE_public_deny - [0:0]
:INPUT_direct - [0:0]
:FORWARD_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:OUTPUT_direct - [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING_direct - [0:0]
:POSTROUTING ACCEPT [0:0]
:PRE_public_log - [0:0]
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:PRE_public_allow - [0:0]
:INPUT ACCEPT [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
*nat
:POSTROUTING_direct - [0:0]
:PREROUTING_direct - [0:0]
:POST_public_allow - [0:0]
:PRE_public_allow - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:POST_public_log - [0:0]
:POST_public - [0:0]
:OUTPUT ACCEPT [0:0]
:PRE_public_log - [0:0]
:PRE_public - [0:0]
:PREROUTING ACCEPT [0:0]
:PREROUTING_ZONES - [0:0]
:POSTROUTING_ZONES - [0:0]
:POST_public_deny - [0:0]
:OUTPUT_direct - [0:0]
:PRE_public_deny - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING -s 10.10.0.0 -o eth0 -j MASQUERADE
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A POSTROUTING_ZONES -o eth0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
COMMIT
3 years, 10 months
How can I create a multicast traffic rule
by Andrey Grigoryev
Hello.
When I used CentOS 7 with firewalld, I used this rule to allow multicast:
firewall-cmd -q --permanent --direct --add-rule ipv4 filter INPUT 1 -m pkttype --pkt-type multicast -j ACCEPT
But in CentOS 8 firewalld uses nftables as its backend and this rule doesn't work.
I tried to create an nftables rule to allow multicast:
nft add table inet mytable
nft add chain inet mytable INPUT {type filter hook input priority 5\; policy accept\;}
nft add rule inet mytable INPUT pkttype multicast counter accept
but it doesn't work either, because the firewalld rules, which run after my table, reject these packets:
chain filter_INPUT {
type filter hook input priority 10; policy accept;
ct state established,related accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES_SOURCE
jump filter_INPUT_ZONES
ct state invalid drop
reject with icmpx type admin-prohibited <---- this rule rejects my packets
}
How can I add a permanent rule for multicast traffic via firewall-cmd or via nftables?
3 years, 10 months
NAT Issues - CentOS 8.1 - Firewalld 0.7.0_5
by Amarand Agasi
Recently, my Firewalld updated to 0.7.0_5, likely when I upgraded from CentOS 8.0 to 8.1.
Everything was working fine since I started using Firewalld under CentOS 7, I believe.
For the past few weeks, I was having issues on my network with connecting to services like Facebook and Apple. I could get to the main https page, but when it would try to pull another page (like Facebook has its content page, or Apple has its SSO page), browsers would just spin.
I had a test laptop which I could reproduce the issue on, and when I plugged it directly into the cable modem, the issue went away.
So, we know it's the firewall/configuration.
I've spent about a week working on this, posted a post over in CentOS forum, even opened a bug report:
https://forums.centos.org/viewtopic.php?f=56&t=74241
https://bugs.centos.org/view.php?id=17310
To summarize the data:
After enabling the logging in firewalld, the firewall is blocking a lot of items it shouldn't be:
1) All of the Internal devices should have free access to the server.
2) All of the Internal devices should have full access to the Internet.
3) Once a connection is established between the Internal system and an External (Internet) system, those related packets should be accepted.
4) All external traffic (besides a very specific rule allowing ssh from one class-C Internet subnet, and http/https) should be blocked.
What I'm looking for is this: with every other previous iteration of Red Hat and CentOS, I've been able to locate good examples of how to configure NAT and masquerade. A basic home router. ipchains, iptables, firewall builder, and now, nftables and firewalld. But I can't find a good "how to" on how to properly set up nftables and firewalld.
I love firewalld's management, both commandline and GUI (with firewall-config), but right now, things are broken.
Initially, I suspected it was either an issue with helpers (AutomaticHelpers), or an issue with the AllowZoneDrifting that just changed, seeing as it's blocking return packets.
But it's also blocking some internal packets as well (which it shouldn't be), as well as internal multicast, and some other weird stuff.
Is there something I'm missing?
I've spent the entire week banging my head against this, clearing out firewalld rules, rebooting, starting from scratch again, making it possibly worse. I'm not sure. I'd love some help, though.
Thanks!
3 years, 10 months