On Mon, Feb 07, 2022 at 09:13:23PM -0300, Sergio Belkin wrote:
On Mon, 7 Feb 2022 at 20:02, Sergio Belkin
(<sebelk(a)gmail.com>) wrote:
> Hi,
> I'm running on firewalld on Fedora 35 and I've installed lxd.
> The problem is that lxd containers can reach the host, but not the
> internet.
>
> This the firewalld configuration:
> FedoraServer
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: cockpit dhcpv6-client ssh
> ports:
> protocols:
> forward: no
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> FedoraWorkstation (active)
> target: default
> icmp-block-inversion: no
> interfaces: wlp108s0
> sources:
> services: dhcpv6-client mdns samba-client ssh
> ports: 1025-65535/udp 1025-65535/tcp
> protocols:
> forward: no
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> block
> target: %%REJECT%%
> icmp-block-inversion: no
> interfaces:
> sources:
> services:
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> dmz
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: ssh
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> docker (active)
> target: ACCEPT
> icmp-block-inversion: no
> interfaces: docker0
> sources:
> services:
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> drop (active)
> target: DROP
> icmp-block-inversion: no
> interfaces:
> sources: ipset:crowdsec-blacklists
> services:
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> external
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: ssh
> ports:
> protocols:
> forward: yes
> masquerade: yes
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> home
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: dhcpv6-client mdns samba-client ssh
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> internal
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: dhcpv6-client mdns samba-client ssh
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> libvirt
> target: ACCEPT
> icmp-block-inversion: no
> interfaces:
> sources:
> services: dhcp dhcpv6 dns ssh tftp
> ports:
> protocols: icmp ipv6-icmp
> forward: no
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
> rule priority="32767" reject
>
> nm-shared
> target: ACCEPT
> icmp-block-inversion: no
> interfaces:
> sources:
> services: dhcp dns ssh
> ports:
> protocols: icmp ipv6-icmp
> forward: no
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
> rule priority="32767" reject
>
> public
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: dhcpv6-client mdns ssh
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> trusted (active)
> target: ACCEPT
> icmp-block-inversion: no
> interfaces: lxdbr0
> sources:
> services:
> ports:
> protocols:
> forward: yes
> masquerade: yes
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> work
> target: default
> icmp-block-inversion: no
> interfaces:
> sources:
> services: dhcpv6-client mdns ssh
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> I've also tried what is documented at
> https://linuxcontainers.org/lxd/docs/master/networks/#
>
> Just in case the routes on container are:
>
> default via 10.230.54.1 dev eth0 proto dhcp metric 100
> 10.230.54.0/24 dev eth0 proto kernel scope link src 10.230.54.220 metric 100
> Please could you help and tell me if I am doing something wrong?
> Thanks in advance!
> --
> Sergio Belkin
> LPIC-2 Certified - http://www.lpi.org
>
I've made an ugly and temporary work-around:
iptables -I FORWARD -i lxdbr0 -j ACCEPT
iptables -I FORWARD -o lxdbr0 -j ACCEPT
And it works; I don't understand why those rules are needed. AFAIK the
'trusted' zone is "All network connections are accepted."
Am I missing something?
LXD is probably adding its own iptables rules. Those will execute
_before_ firewalld's rules. So if they drop, firewalld never sees the
packets.
Your iptables rules are injecting accept rules before the other rules.
Can you show `iptables-save`? It'll show us the rules added by LXD.
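As an added illustration of the ordering point in the reply (this is not code from firewalld, LXD or anyone in the thread): a small first-match walker over an iptables-save FORWARD chain, showing which rule a container's packet hits and why `iptables -I` (insert at the top of the chain) shadows rules that `iptables -A` (append) would not. The chain text is a constructed sample, not what LXD actually installs, and only -i, -o, -j and '!' are modelled.

```python
# CONSTRUCTED sample of an iptables-save FORWARD chain; not what LXD installs.
SAMPLE_SAVE = """\
:FORWARD ACCEPT [0:0]
-A FORWARD -i lxdbr0 -o lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j DROP
-A FORWARD -o lxdbr0 -j DROP
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
"""

def parse_forward(save_text):
    """FORWARD rules in chain order; only -i, -o, -j and '!' are modelled."""
    rules = []
    for line in (l for l in save_text.splitlines() if l.startswith("-A FORWARD ")):
        rule = {"in": None, "out": None, "target": None}
        tokens = line.split()[2:]          # drop "-A FORWARD"
        negate = False
        while tokens:
            tok = tokens.pop(0)
            if tok == "!":
                negate = True
            elif tok in ("-i", "-o"):      # stored as (interface, negated?)
                rule["in" if tok == "-i" else "out"] = (tokens.pop(0), negate)
                negate = False
            elif tok == "-j":
                rule["target"] = tokens.pop(0)
        rules.append(rule)
    return rules

def _iface_ok(cond, iface):  # cond is None (any interface) or (name, negated)
    return cond is None or (iface == cond[0]) != cond[1]

def first_match(rules, in_if, out_if):
    """(1-based position, target) of the first rule hit, like the kernel's walk."""
    for pos, rule in enumerate(rules, 1):
        if _iface_ok(rule["in"], in_if) and _iface_ok(rule["out"], out_if):
            return pos, rule["target"]
    return None, "policy"                  # fell through to the chain policy

def add_rule(rules, in_if=None, out_if=None, target="ACCEPT", insert=True):
    # insert=True mimics `iptables -I FORWARD` (top of chain); False mimics `-A` (end)
    new = {"in": (in_if, False) if in_if else None,
           "out": (out_if, False) if out_if else None, "target": target}
    return [new] + rules if insert else rules + [new]

if __name__ == "__main__":
    chain = parse_forward(SAMPLE_SAVE)     # a container -> uplink packet below
    print(first_match(chain, "lxdbr0", "wlp108s0"))                                    # (2, 'DROP')
    print(first_match(add_rule(chain, "lxdbr0", insert=False), "lxdbr0", "wlp108s0"))  # (2, 'DROP')
    print(first_match(add_rule(chain, "lxdbr0"), "lxdbr0", "wlp108s0"))                # (1, 'ACCEPT')
```

Run it against real output with `parse_forward(open("/path/to/iptables-save.txt").read())` to see which rule a given (in-interface, out-interface) pair hits first.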