On Mon, Feb 24, 2020 at 10:12:28AM -0000, srinidhi krishnamurthy wrote:
> Hi Team,
> Until last month we were using iptables in our CentOS 7 VM to do port
> forwarding from 53 to 8600. We observed that in some VMs the iptables rules
> were just vanishing; we are not sure about the exact reason behind it, and
> ended up updating the iptables rules again. We suspected firewalld might be
> erasing the rules provided in iptables.
When firewalld starts or reloads it will issue a flush to all iptables
tables. So it's quite possible this is what you were experiencing.
> So we added port forwarding rules in firewalld like the ones below. After
> adding the firewall rules we were not able to access Google Cloud APIs,
> like GCS Storage to store snapshots. When we disable the firewalld
> service we are able to access the same.
Are you sure it was only traffic to GCS? I would guess all traffic was
affected.
> Can you please help us with the questions we have below:
> a. Can we disable firewalld and use only iptables to do port forwarding? Would there be
> any issues?
Sure, if that's what you want. Alternatively add the rules via firewalld
(like you show below), or manually add them to iptables _after_
firewalld starts.
> b. If we use firewalld instead of iptables, is there any rule to be applied
> to access GCS buckets or Google Cloud APIs?
> Firewalld rules:
> firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p tcp --dport 53 -j REDIRECT --to-ports 8600
> firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p udp --dport 53 -j REDIRECT --to-ports 8600
> firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p tcp --dport 53 -j REDIRECT --to-ports 8600
> firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p udp --dport 53 -j REDIRECT --to-ports 8600
These OUTPUT rules are hijacking DNS requests and redirecting them to port
8600 on the localhost (i.e. the VM). If the VM doesn't have a DNS server
listening on 8600 then that definitely explains your traffic issues. GCS
won't resolve.
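As an added illustration of the point made in this reply (example code, not part of the thread and not firewalld's own tooling): the script below parses an `iptables -t nat -S` style dump, separates the PREROUTING redirects (inbound port forwarding) from the OUTPUT redirects (the VM's own outbound DNS), flags an OUTPUT redirect that has no destination restriction and therefore captures every query the host sends, flags a redirect target with no listener, and re-emits the rules as `firewall-cmd --direct` commands with the OUTPUT rule restricted to `-d 127.0.0.1`. Both table dumps and the listener set are constructed samples that mirror the four rules quoted above; the `-d 127.0.0.1` restriction is an assumed fix for "only divert queries aimed at the local listener", so adjust it to your own resolver layout.

```python
"""Audit nat-table DNS REDIRECT rules for hijacked local name resolution.

Added example, not code from the original thread. Inputs are constructed:
an `iptables -t nat -S` style dump mirroring the four firewall-cmd --direct
rules from the mail, and a set of listening ports standing in for `ss -lntu`.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the nat table after the four --direct rules from the
# thread are applied. Note the OUTPUT rules carry no -d restriction.
SAMPLE_NAT_DUMP = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
-A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
"""

# Constructed sample of the assumed fix: OUTPUT only diverts queries the VM
# sends to itself, so queries to the real resolver are left alone.
FIXED_NAT_DUMP = """\
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8600
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600
"""


@dataclass
class RedirectRule:
    chain: str
    proto: str
    dport: int
    to_port: int
    dst: Optional[str]  # value of -d, or None when the rule matches any destination
    raw: str


def parse_redirects(dump: str) -> List[RedirectRule]:
    """Extract every `-A <chain> ... -j REDIRECT --to-ports N` rule from the dump."""
    rules = []
    for line in dump.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A" or "REDIRECT" not in toks:
            continue

        def opt(flag: str) -> Optional[str]:
            return toks[toks.index(flag) + 1] if flag in toks else None

        dport, to_port = opt("--dport"), opt("--to-ports")
        if dport is None or to_port is None:
            continue  # a REDIRECT without a port match is not what we audit here
        rules.append(RedirectRule(
            chain=toks[1],
            proto=opt("-p") or "all",
            dport=int(dport),
            to_port=int(to_port.split("-")[0]),  # --to-ports may be a range
            dst=opt("-d"),
            raw=line,
        ))
    return rules


def audit(rules: List[RedirectRule], listener_ports: Set[int]) -> List[str]:
    """Flag DNS redirects that break the host's own resolution.

    PREROUTING sees only packets arriving from outside (the intended port
    forwarding). OUTPUT sees packets the VM itself sends, so an OUTPUT
    redirect with no -d restriction swallows every outbound DNS query.
    """
    findings = []
    for r in rules:
        if r.dport != 53:
            continue
        if r.chain == "OUTPUT" and r.dst is None:
            findings.append(
                f"OUTPUT/{r.proto}: redirects all DNS the VM sends, to any "
                f"resolver, into 127.0.0.1:{r.to_port}")
        if r.to_port not in listener_ports:
            findings.append(
                f"{r.chain}/{r.proto}: nothing listens on {r.to_port}; "
                f"redirected queries will be refused or time out")
    return findings


def direct_rule_commands(rules: List[RedirectRule],
                         local_only: str = "127.0.0.1") -> List[str]:
    """Re-emit the rules as firewall-cmd --direct commands, adding the assumed
    `-d 127.0.0.1` restriction to any unrestricted OUTPUT redirect."""
    cmds = []
    for r in rules:
        match = f"-p {r.proto} --dport {r.dport}"
        if r.chain == "OUTPUT" and r.dst is None:
            match = f"-d {local_only} " + match
        elif r.dst is not None:
            match = f"-d {r.dst} " + match
        cmds.append(
            f"firewall-cmd --permanent --direct --add-rule ipv4 nat "
            f"{r.chain} 0 {match} -j REDIRECT --to-ports {r.to_port}")
    return cmds


if __name__ == "__main__":
    rules = parse_redirects(SAMPLE_NAT_DUMP)
    for finding in audit(rules, listener_ports={8600}):
        print("FINDING:", finding)
    print("\nCorrected --direct rules:")
    for cmd in direct_rule_commands(rules):
        print(" ", cmd)
```

On a real host, feed it `iptables -t nat -S` and the ports from `ss -lntu`; after any firewalld reload, re-run it, since the reload flushes the tables and re-applies only what firewalld itself knows about (the `--direct` rules survive, hand-added iptables rules do not).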