On Thu, Sep 10, 2020 at 06:06:26AM -0400, Gunnar Niels wrote:
> > So obviously something about disabling firewalld allows for the packet to pass
> > through the forward chain and hit the mangle POSTROUTING. It's completely unclear
> > to me how to diagnose what might be going on here, any tips appreciated. I have the
> > fully verbose outputs in this gist:
>
> Try adding the docker bridge to the "trusted" firewalld zone.
>
> # firewall-cmd --zone trusted --add-interface docker0
>
> docker (moby) very recently gained integration with firewalld [2].
> Hey Eric, that seems to have perfectly resolved my problem! I'm confused because it
> previously worked until I started messing about with my other interfaces, creating a
> bridge and assigning it master to the physical NIC. I never really touched the docker0
> interface, and adding it to trusted suddenly made it start working. My understanding is
> firewalld zones are INPUT only?
Mostly true. There are exceptions:
- masquerade
- forward ports
- --set-target also sets the catch-all target for the FORWARD chain.
  - this is why using the "trusted" zone above works
> Could you elaborate on what traffic was getting blocked previously, but by adding the
> docker0 iface to the trusted zone, I had suddenly whitelisted it?
FORWARD traffic. See note above.
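The point above is worth auditing rather than just remembering: binding docker0 to a zone whose target is ACCEPT means firewalld's FORWARD catch-all accepts everything forwarded through that interface, so the practical check is "which zones have target ACCEPT, and which interfaces sit in them". The script below is an added example written for this reply, not code from the thread or from the firewalld project. It parses the text shape that `firewall-cmd --list-all-zones` prints (the two-space indented `target:` and `interfaces:` lines); the sample output embedded in it is constructed, not captured from any host, and `accept_zone_interfaces` and `audit_zones` are names chosen here.

```shell
#!/bin/sh
# Added example: list firewalld zones whose target is ACCEPT (and therefore
# accept forwarded traffic via the FORWARD catch-all) together with the
# interfaces bound to them.

# Constructed sample in the shape of `firewall-cmd --list-all-zones` output.
SAMPLE_ZONES='public (active)
  target: default
  interfaces: eth0
  services: ssh dhcpv6-client
trusted (active)
  target: ACCEPT
  interfaces: docker0
  services:
'

# accept_zone_interfaces: read --list-all-zones text on stdin and print one
# "<zone> <interfaces...>" line per zone whose target is ACCEPT.
accept_zone_interfaces() {
  awk '
    function flush() { if (zone != "" && target == "ACCEPT") print zone, ifaces }
    /^[^ ]/        { flush(); zone = $1; target = ""; ifaces = "" }   # new zone header
    /^  target:/   { target = $2 }
    /^  interfaces:/ {
      ifaces = ""
      for (i = 2; i <= NF; i++) ifaces = ifaces (i > 2 ? " " : "") $i
    }
    END { flush() }
  '
}

# audit_zones: with --live, query the running firewalld; otherwise run the
# parser over the constructed sample so the script works offline.
audit_zones() {
  if [ "${1:-}" = "--live" ] && command -v firewall-cmd >/dev/null 2>&1; then
    echo "zone of docker0: $(firewall-cmd --get-zone-of-interface docker0)"
    echo "zones with target ACCEPT and their interfaces:"
    firewall-cmd --list-all-zones | accept_zone_interfaces
  else
    echo "zones with target ACCEPT and their interfaces (constructed sample):"
    printf '%s' "$SAMPLE_ZONES" | accept_zone_interfaces
  fi
}

audit_zones "$@"
```

Run it as `sh audit.sh --live` on the host to see the real zone bindings; without the flag it only exercises the parser. Once a zone and interface show up in that list, `firewall-cmd --zone <zone> --list-all` shows the rest of what that zone permits, which is the thing to review before leaving a container bridge in an ACCEPT-target zone.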