On 2020-06-25 22:21, Eric Garver wrote:
> On Thu, Jun 25, 2020 at 08:02:33AM +0800, Ed Greshko wrote:
>> On 2020-06-24 22:34, Eric Garver wrote:
>>> On Thu, Jun 18, 2020 at 05:47:21AM +0800, Ed Greshko wrote:
>>>> On 2020-06-18 04:32, Eric Garver wrote:
>>> [..]
>>>> Even that wouldn't explain why, with the middle system 3 interfaces being
>>>> 192.168.122.1/192.168.1.18/192.168.2.127 I can't ssh to 192.168.1.142 from 2.116
>>>> with the FW up.
>>> The 192.168.1.0/24 network wasn't shown in your diagram. If it's part of
>>> the "public" zone, then that makes sense. firewalld will block the forwarded
>>> traffic. The next firewalld feature release has a new feature to allow intra zone
>>> forwarding [1].
>> Yes, I didn't put that network in the diagram since it seemed to me irrelevant to
>> the initial problem/question.
>>
>> I can see how the new feature would affect an ssh from .2.116 to .1.142 since both
>> enp2s0 and wlp4s0 are both in the public zone.
>>
>> [egreshko@meimei ~]$ sudo firewall-cmd --get-active-zones
>> libvirt
>>   interfaces: virbr0
>> public
>>   interfaces: enp2s0 wlp4s0
>>
>> But, the original problem I'm trying to resolve is ssh (or any traffic) from
>> .2.116 to .122.152 which would be between the public and libvirt zones.
> Right. And we already diagnosed that. libvirt's rules are dropping the
> packets, not firewalld.
>>> Seems like you have two issues here:
>>>
>>>  1) libvirt's iptables rules are blocking public --> VM traffic
>>>     - this must be addressed via libvirt
>> But, I get no log messages when I set --set-log-denied=all. Shouldn't those be
>> logged?
> No. Because firewalld is not the one dropping the packets here. libvirt
> is the one dropping. firewalld can't influence libvirt's rules.
Sorry, I must be missing something. When you say "libvirt's rules"
aren't they the rules of the libvirt zone?
They can't be "adjusted" with the usual firewall-cmd commands?
Also, wouldn't one expect the rules to be the same for IPv4 and IPv6? Hope the
network diagram attachment makes it.
Configured on the router are
Forward Port 22 from 211.75.128.214 to 192.168.122.152
Static route pointing 192.168.122.0/24 to 192.168.1.18
Static route pointing 2001:b030:112f:2::/64 to 2001:b030:112f::140e
From a host with IPs of 211.75.128.211 and 2001:470:67:cce::5 this works.
[egreshko@acer ~]$ ssh 2001:b030:112f:2::4
Last login: Thu Jun 25 22:15:30 2020 from 2001:470:66:cce::2
While this "hangs". (I think because ICMP may be blocked at some point. Too late
in my day to check)
[egreshko@acer ~]$ ssh 211.75.128.214
ssh: connect to host 211.75.128.214 port 22: Connection timed out
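Eric's point, that the public-to-VM packets are answered by a REJECT in libvirt's own FORWARD-chain rules rather than by anything firewalld controls, can be checked by walking the rules by hand. The following is an added example, not part of this thread: a small Python walker over a constructed iptables-save excerpt modelled on the chains libvirt installs for its default network (LIBVIRT_FWI/FWO/FWX), using the thread's addresses and interface names; the excerpt is constructed, not captured from the poster's host.

```python
from ipaddress import ip_address, ip_network
# Constructed iptables-save excerpt (not from the poster's host), modelled on the
# FORWARD rules libvirt installs for its default network virbr0/192.168.122.0/24.
RULESET = """
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
"""
OPTS = ("-s", "-d", "-i", "-o", "--ctstate", "-j")  # the only options the sample uses

def parse(text):
    """Turn '-A CHAIN <matches> -j TARGET' lines into rule dicts keyed by option."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        rule = {"chain": toks[1], "text": line}
        rule.update((t, toks[i + 1]) for i, t in enumerate(toks) if t in OPTS)
        rules.append(rule)
    return rules

def matches(rule, pkt):
    """Evaluate the subset of iptables matches the sample ruleset uses."""
    for opt, key in (("-s", "src"), ("-d", "dst")):
        if opt in rule and ip_address(pkt[key]) not in ip_network(rule[opt]):
            return False
    for opt, key in (("-i", "in"), ("-o", "out")):
        if opt in rule and rule[opt] != pkt[key]:
            return False
    return "--ctstate" not in rule or pkt["ctstate"] in rule["--ctstate"].split(",")

def walk(rules, chain, pkt):
    """First terminating (verdict, rule text) in `chain`, following jumps; None
    if nothing terminates (the packet then falls through to the chain policy).
    RETURN targets are not used by this sample ruleset."""
    user_chains = {r["chain"] for r in rules}
    for rule in (r for r in rules if r["chain"] == chain and matches(r, pkt)):
        target = rule["-j"]
        if target not in user_chains:       # ACCEPT / DROP / REJECT terminate here
            return target, rule["text"]
        hit = walk(rules, target, pkt)      # jump; continue if it falls through
        if hit:
            return hit
    return None

def forward_verdict(src, dst, in_if, out_if, ctstate="NEW"):
    pkt = {"src": src, "dst": dst, "in": in_if, "out": out_if, "ctstate": ctstate}
    return walk(parse(RULESET), "FORWARD", pkt)
```

For the thread's failing case, `forward_verdict("192.168.2.116", "192.168.122.152", "enp2s0", "virbr0")` lands on the REJECT in LIBVIRT_FWI, which is a libvirt rule with no firewalld LOG rule in front of it, so `--set-log-denied=all` has nothing to report; the same walk for .2.116 to .1.142 (enp2s0 to wlp4s0) hits none of libvirt's rules, which is the separate intra-zone forwarding question firewalld decides.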