5:02 p.m.
Hi,
I'm running on firewalld on Fedora 35 and I've installed lxd.
The problem is that lxd containers can reach the host, but not the internet.
This the firewalld configuration:
FedoraServer
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
FedoraWorkstation (active)
target: default
icmp-block-inversion: no
interfaces: wlp108s0
sources:
services: dhcpv6-client mdns samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: docker0
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop (active)
target: DROP
icmp-block-inversion: no
interfaces:
sources: ipset:crowdsec-blacklists
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
libvirt
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dhcpv6 dns ssh tftp
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
nm-shared
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dns ssh
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: lxdbr0
sources:
services:
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
I've trying also what is documented at
https://linuxcontainers.org/lxd/docs/master/networks/#
Just in case the routes on container are:
default via 10.230.54.1 dev eth0 proto dhcp metric 100
10.230.54.0/24 dev eth0 proto kernel scope link src 10.230.54.220 metric
100
Please could you help and tell me if I am doing something wrong?
Thanks in advance!
--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
6:13 p.m.
El lun, 7 feb 2022 a las 20:02, Sergio Belkin (<sebelk(a)gmail.com>) escribió:
Hi,
I'm running on firewalld on Fedora 35 and I've installed lxd.
The problem is that lxd containers can reach the host, but not the
internet.
This the firewalld configuration:
FedoraServer
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
FedoraWorkstation (active)
target: default
icmp-block-inversion: no
interfaces: wlp108s0
sources:
services: dhcpv6-client mdns samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: docker0
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop (active)
target: DROP
icmp-block-inversion: no
interfaces:
sources: ipset:crowdsec-blacklists
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
libvirt
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dhcpv6 dns ssh tftp
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
nm-shared
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dns ssh
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: lxdbr0
sources:
services:
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
I've trying also what is documented at
https://linuxcontainers.org/lxd/docs/master/networks/#
Just in case the routes on container are:
default via 10.230.54.1 dev eth0 proto dhcp metric 100
10.230.54.0/24 dev eth0 proto kernel scope link src 10.230.54.220 metric
100
Please could you help and tell me if I am doing something wrong?
Thanks in advance!
--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
I've made a ugly and temporary work-around:
iptables -I FORWARD -i lxdbr0 -j ACCEPT
iptables -I FORWARD -o lxdbr0 -j ACCEPT
And it works, I don't understand why those rules are needed, AFAIK
'trusted' zone "All network connections are accepted."
Am I missing something?
Thanks in advance!
--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
7:51 a.m.
On Mon, Feb 07, 2022 at 09:13:23PM -0300, Sergio Belkin wrote:
El lun, 7 feb 2022 a las 20:02, Sergio Belkin
(<sebelk(a)gmail.com>) escribió:
> Hi,
> I'm running on firewalld on Fedora 35 and I've installed lxd.
> The problem is that lxd containers can reach the host, but not the
> internet.
>
> This the firewalld configuration:
> FedoraServer
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: cockpit dhcpv6-client ssh
> ports:
> protocols:
> forward: no
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> FedoraWorkstation (active)
> target: default
> icmp-block-inversion: no
> interfaces: wlp108s0
> sources:
> services: dhcpv6-client mdns samba-client ssh
> ports: 1025-65535/udp 1025-65535/tcp
> protocols:
> forward: no
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> block
> target: %%REJECT%%
> icmp-block-inversion: no
> interfaces:
> sources:
> services:
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> dmz
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: ssh
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> docker (active)
> target: ACCEPT
> icmp-block-inversion: no
> interfaces: docker0
> sources:
> services:
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> drop (active)
> target: DROP
> icmp-block-inversion: no
> interfaces:
> sources: ipset:crowdsec-blacklists
> services:
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> external
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: ssh
> ports:
> protocols:
> forward: yes
> masquerade: yes
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> home
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: dhcpv6-client mdns samba-client ssh
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> internal
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: dhcpv6-client mdns samba-client ssh
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> libvirt
> target: ACCEPT
> icmp-block-inversion: no
> interfaces:
> sources:
> services: dhcp dhcpv6 dns ssh tftp
> ports:
> protocols: icmp ipv6-icmp
> forward: no
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
> rule priority="32767" reject
>
> nm-shared
> target: ACCEPT
> icmp-block-inversion: no
> interfaces:
> sources:
> services: dhcp dns ssh
> ports:
> protocols: icmp ipv6-icmp
> forward: no
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
> rule priority="32767" reject
>
> public
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: dhcpv6-client mdns ssh
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> trusted (active)
> target: ACCEPT
> icmp-block-inversion: no
> interfaces: lxdbr0
> sources:
> services:
> ports:
> protocols:
> forward: yes
> masquerade: yes
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> work
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: dhcpv6-client mdns ssh
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> I've trying also what is documented at
> https://linuxcontainers.org/lxd/docs/master/networks/#
>
> Just in case the routes on container are:
>
> default via 10.230.54.1 dev eth0 proto dhcp metric 100
> 10.230.54.0/24 dev eth0 proto kernel scope link src 10.230.54.220 metric
> 100
> Please could you help and tell me if I am doing something wrong?
> Thanks in advance!
> --
> --
> Sergio Belkin
> LPIC-2 Certified - http://www.lpi.org
>
I've made a ugly and temporary work-around:
iptables -I FORWARD -i lxdbr0 -j ACCEPT
iptables -I FORWARD -o lxdbr0 -j ACCEPT
And it works, I don't understand why those rules are needed, AFAIK
'trusted' zone "All network connections are accepted."
Am I missing something?
LXD is probably adding it's own iptables rules. Those will execute
_before_ firewalld's rules. So if they drop, firewalld never sees the
packets.
Your iptables rules are injecting accept rules before the other rules.
Can you show `iptables-save`? It'll show us the rules added by LXD.
802
days inactive
803
days old
firewalld-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Eric Garver -
Sergio Belkin