6:13 p.m.
El lun, 7 feb 2022 a las 20:02, Sergio Belkin (<sebelk(a)gmail.com>) escribió:
Hi,
I'm running on firewalld on Fedora 35 and I've installed lxd.
The problem is that lxd containers can reach the host, but not the
internet.
This the firewalld configuration:
FedoraServer
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
FedoraWorkstation (active)
target: default
icmp-block-inversion: no
interfaces: wlp108s0
sources:
services: dhcpv6-client mdns samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: docker0
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop (active)
target: DROP
icmp-block-inversion: no
interfaces:
sources: ipset:crowdsec-blacklists
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
libvirt
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dhcpv6 dns ssh tftp
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
nm-shared
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dns ssh
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: lxdbr0
sources:
services:
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
I've trying also what is documented at
https://linuxcontainers.org/lxd/docs/master/networks/#
Just in case the routes on container are:
default via 10.230.54.1 dev eth0 proto dhcp metric 100
10.230.54.0/24 dev eth0 proto kernel scope link src 10.230.54.220 metric
100
Please could you help and tell me if I am doing something wrong?
Thanks in advance!
--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
I've made a ugly and temporary work-around:
iptables -I FORWARD -i lxdbr0 -j ACCEPT
iptables -I FORWARD -o lxdbr0 -j ACCEPT
And it works, I don't understand why those rules are needed, AFAIK
'trusted' zone "All network connections are accepted."
Am I missing something?
Thanks in advance!
--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org