On Fri, Dec 31, 2021 at 02:49:09AM -0000, Sean Zimmermann wrote:
Hi everyone,
I'm trying to set up a firewall so one of my VMs is barred from accessing the LAN (if
saddr = VM Address and daddr = 192.168.0.0/16, deny input and forward). I was able to do
this in nftables here:
table inet ext_only {
    chain input {
        type filter hook input priority filter - 10; policy accept;
        ct state new ip saddr 192.168.100.100 drop
    }
    chain forward {
        type filter hook forward priority filter - 10; policy accept;
        ct state new ip saddr 192.168.100.100 ip daddr 192.168.0.0/16 drop
    }
}
However, I've been having trouble trying to figure out the correct way to do this for
firewalld. I know I can move the VM IP to its own zone, and I can then block input, but I
couldn't figure out how to write a forward deny rule.
What is the recommended way to handle dropping forwarded packets?
Policy objects are available in v0.9.0 and later. They allow forward and
output filtering.
- https://firewalld.org/2020/09/policy-objects-introduction
- https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-t...
You probably want something like this (untested):
# firewall-cmd --permanent --new-policy noForwardToLan
# firewall-cmd --permanent --policy noForwardToLan --add-ingress-zone <zone_of_vm>
# firewall-cmd --permanent --policy noForwardToLan --add-egress-zone <zone_of_lan>
# firewall-cmd --permanent --policy noForwardToLan --set-target REJECT
# firewall-cmd --reload
This will reject all traffic originating from <zone_of_vm> and destined
to <zone_of_lan>. It would allow the VM to connect to the internet if
your uplink is in yet another zone, e.g. public or external.
Hope that helps.
Eric.
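The procedure in the reply above, carried through as a complete script. This is an added example, not code from the thread, from Eric, or from the firewalld project: it creates a zone for the VM (matched by source address), a zone for the LAN (matched by its interface), and two policies that mirror the question's nftables input and forward chains, the second one being the noForwardToLan policy from the reply. The zone names vmguest and lan, the interface name eth0 and the policy name noInputFromVm are assumptions for illustration; the VM address is the one from the question.

```shell
#!/bin/sh
# Added example, not code from the thread or from the firewalld project.
# Zone names, the LAN interface and the policy name noInputFromVm are
# assumptions for illustration; adjust them for your host.
set -eu

VM_ADDR=${VM_ADDR:-192.168.100.100}   # VM address from the question
VM_ZONE=${VM_ZONE:-vmguest}           # assumed zone name for the VM
LAN_ZONE=${LAN_ZONE:-lan}             # assumed zone name for the LAN
LAN_IF=${LAN_IF:-eth0}                # assumed LAN-facing interface
DRY_RUN=${DRY_RUN:-0}                 # DRY_RUN=1 prints commands instead of running them

# Wrapper around firewall-cmd so the whole procedure can be previewed.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Permanent configuration only; nothing takes effect until --reload.
configure() {
    # Zone for the VM. firewalld checks source bindings before interface
    # bindings, so the VM's packets land here even though they arrive on a
    # bridge or tap device that may be bound to another zone.
    fw --permanent --new-zone "$VM_ZONE"
    fw --permanent --zone "$VM_ZONE" --add-source "$VM_ADDR"

    # Zone for the LAN, bound by interface rather than by a 192.168.0.0/16
    # source, which would overlap with the VM's own address.
    fw --permanent --new-zone "$LAN_ZONE"
    fw --permanent --zone "$LAN_ZONE" --add-interface "$LAN_IF"

    # Counterpart of the question's input chain: VM -> this host. HOST is
    # firewalld's special egress zone for traffic addressed to the host itself.
    fw --permanent --new-policy noInputFromVm
    fw --permanent --policy noInputFromVm --add-ingress-zone "$VM_ZONE"
    fw --permanent --policy noInputFromVm --add-egress-zone HOST
    fw --permanent --policy noInputFromVm --set-target DROP

    # Counterpart of the question's forward chain: VM -> LAN. Forwarded
    # traffic that leaves through any other zone (the uplink) is not matched.
    fw --permanent --new-policy noForwardToLan
    fw --permanent --policy noForwardToLan --add-ingress-zone "$VM_ZONE"
    fw --permanent --policy noForwardToLan --add-egress-zone "$LAN_ZONE"
    fw --permanent --policy noForwardToLan --set-target REJECT
}

# Activate the permanent configuration and print both policies for review.
activate() {
    fw --reload
    fw --info-policy noInputFromVm
    fw --info-policy noForwardToLan
}

# Number of firewall-cmd invocations a dry run would issue; a quick
# self-check before touching a live host.
count_commands() {
    DRY_RUN=1 configure | grep -c '^firewall-cmd '
}

case "${1:-}" in
    apply)   configure; activate ;;
    preview) DRY_RUN=1 configure ;;
esac
```

Run `sh vm_isolate.sh preview` to see the twelve firewall-cmd calls without changing anything, and `sh vm_isolate.sh apply` as root to create the zones and policies and reload. Replies to connections initiated from the LAN or the host toward the VM are unaffected, because firewalld's base chains accept established and related traffic before dispatching to policies, which corresponds to the `ct state new` scoping of the nftables rules in the question.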