On Sun, May 19, 2019 at 09:51:03PM -0000, Joshua Kramer wrote:
> Hello,
> I'm having a bit of an odd issue with firewalld interfering with network routing.
> Everything here is running CentOS 7; the physical host has kernel version
> 3.10.0-957.10.1.el7.x86_64. Here is what's going on:
> 1. I have a physical host that has several KVM virtual machines. The physical host's
> eno1 ethernet interface is on my 192.168.2 network. The .2 network is hard wired to other
> devices and the internet at large via a gigabit switch.
> 2. The physical host also has an interface and network internal to KVM, virbr2, which is
> the 192.168.4 network and is used for all of the VMs.
> 3. I have a VM which acts as a VPN server. It gives out addresses in the 192.168.8
> network.
> 4. Clients in the 192.168.8 network can reach servers in the .4 network. Also,
> servers in the .4 network are able to reach clients with open ports in the .8 network.
> 5. Clients in the .8 network can NOT reach other devices on the .2 network. Likewise,
> things on the .2 network can NOT reach anything on the .8 network. The gateway for .8 is
> properly configured in the physical host as the .4 address of the VPN server.
> 6. If I turn off firewalld on the physical host, then clients in the .8 network CAN reach
> things in .2, and vice versa.
> 6.1. IPv4 forwarding is enabled in both the VPN VM and the physical host.
> 6.2. Enabling and/or disabling firewalld on the VPN VM does not change any of this
> behavior.
> 7. I have tried to put both virbr0 and eth0 in the same network zone in firewalld, the
> "trusted" zone. I have also tried to put them in different zones and explicitly
> configure firewalld. Nothing works.
> To make matters more interesting, if I enable logging of dropped packets in firewalld, I
> get nothing when I attempt to cross the networks... so I can't debug what's going
> on.
I assume you mean you did this on the host?
# firewall-cmd --set-log-denied=all
This should log any drops by the common catch-all drop/reject rules.
> What should my next course of action be?
You can try tcpdump at the various interfaces. That should at minimum
let you know where the traffic is getting dropped.
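Added example, not part of this thread: the script below walks an `iptables -S` dump the way the kernel does (first match wins, jumps into user chains, chain policy as the fallback) and reports which rule or policy decides a forwarded packet, so the rule dropping the .8 <-> .2 traffic can be pinned down before reaching for tcpdump. It models only -i/-o/-s/-d and -j/-g; a rule using -p, any -m module (conntrack etc.) or negation is treated as not matching a fresh connection. The dump is constructed, borrowing the poster's interface names (eno1, virbr2); in it the reject for traffic entering on virbr2 sits ahead of firewalld's LOG rule, which is one way `--set-log-denied=all` can stay silent.

```python
import ipaddress
KEY = {"-i": "iif", "-o": "oif", "-s": "src", "-d": "dst"}  # rule option -> packet field

def parse_rules(dump):
    """Split `iptables -S` output into ({chain: policy}, {chain: [rule token lists]})."""
    policies, chains = {}, {}
    for p in (line.split() for line in dump.splitlines() if line.strip()):
        chains.setdefault(p[1], [])  # -P, -N and -A all name the chain second
        if p[0] == "-P":
            policies[p[1]] = p[2]
        elif p[0] == "-A":
            chains[p[1]].append(p[2:])
    return policies, chains
def rule_matches(tokens, pkt):
    """Return (matches, target) for one rule; pkt has keys iif, oif, src, dst."""
    ok, target, i = True, None, 0
    while i < len(tokens):
        t, v = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else ""
        if t in ("-j", "-g"):  # goto is treated like a plain jump
            target = v
        elif t in ("-i", "-o"):
            ok = ok and pkt[KEY[t]] == v
        elif t in ("-s", "-d"):
            ok = ok and ipaddress.ip_address(pkt[KEY[t]]) in ipaddress.ip_network(v, strict=False)
        elif t in ("-m", "-p", "!"):
            ok = False  # protocol, match modules and negation are not modelled: no match
        i += 2 if t.startswith("-") else 1  # skip an option's value, e.g. --reject-with X
    return ok, target
def decide(dump, pkt, chain="FORWARD", parsed=None):
    """Return (verdict, rule text) for the terminating rule or policy that decides pkt."""
    policies, chains = parsed or parse_rules(dump)
    for tokens in chains.get(chain, []):
        ok, target = rule_matches(tokens, pkt)
        if ok and target in ("ACCEPT", "DROP", "REJECT"):
            return target, "-A %s %s" % (chain, " ".join(tokens))
        if ok and target in chains and (found := decide(dump, pkt, target, (policies, chains))):
            return found  # verdict from a user chain wins; LOG/unknown targets fall through
    if chain in policies:  # built-in chain: its policy applies when nothing matched
        return policies[chain], "-P %s %s" % (chain, policies[chain])

# Constructed dump (not captured from the poster's host): libvirt-style bridge rules first,
# then firewalld's zone jump, LOG rule and final REJECT.
SAMPLE = """\
-P FORWARD ACCEPT
-A FORWARD -s 192.168.4.0/24 -i virbr2 -j ACCEPT
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j LOG --log-prefix "FINAL_REJECT: "
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_IN_ZONES -i eno1 -g FWDI_public
"""
```

Run it against a real host with `iptables -S | python3 trace.py` style wiring, or call `decide(SAMPLE, {"iif": "virbr2", "oif": "eno1", "src": "192.168.8.10", "dst": "192.168.2.5"})` to see the constructed case.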