On Sun, Nov 22, 2020 at 03:16:44PM +0300, Alexander Tumin wrote:
> Hi, I'm trying to add a rule on NAT'ed traffic to reject certain local IPs
> from being masqueraded, but I can't see how it can be done with the nftables
> backend.

Even when using the nftables backend you can still reject from iptables
using --direct rules.

> The problem:
>
> (1) --add-rule seems to always operate on iptables-restore, regardless of
> what backend is being used.

Correct. Direct rules use iptables regardless of the FirewallBackend in
use. The syntax for direct rules is iptables syntax.

> (2) --add-rich-rule doesn't seem to provide a way to add a rule on forwarded
> traffic.

Correct. But firewalld v0.9.0+ has native support for FORWARD and OUTPUT
filtering via policies.

Here are some blog posts that introduce the subject:

https://firewalld.org/2020/09/policy-objects-introduction
https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-t...

> (3) there seems to be no option like --add-rule, but for nftables
> specifically.

By design. Direct rules are a hack. They are simply a bypass to do
things that firewalld doesn't natively support. Now that firewalld has
policy objects, direct rules are not very useful. They will be deprecated
in the upcoming major release.

> Currently I had to switch to the iptables backend to do:
>
> firewall-cmd --permanent --new-ipset=nonetvm --type=hash:ip
> firewall-cmd --permanent --ipset=nonetvm --add-entry=192.168.1.52
> firewall-cmd --permanent --ipset=nonetvm --add-entry=192.168.1.53
> firewall-cmd --permanent --ipset=nonetvm --add-entry=192.168.1.54
> firewall-cmd --permanent --ipset=nonetvm --add-entry=192.168.1.55
>
> # enp0s31f6 is the WAN interface in external zone
> firewall-cmd --permanent --direct --add-rule \
>     ipv4 filter FORWARD 0 -m set --match-set nonetvm src \
>     -o enp0s31f6 -j REJECT
>
> firewall-cmd --reload

This should still work with FirewallBackend=nftables.
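The same "keep these LAN hosts off the WAN" rule expressed as a firewalld policy object instead of a --direct rule, as an added example that is not part of this mail or of firewalld's own documentation. It assumes firewalld 0.9.0 or later, that the WAN interface sits in the external zone as stated above, and that the policy name nonetvm-to-wan is a free choice; the ipset name and addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example: policy-object equivalent of the direct FORWARD rule above.
# Works with either FirewallBackend because no iptables syntax is involved.
# Assumptions: WAN interface is in zone "external"; policy name is arbitrary.
# Set DRY_RUN=1 to print the firewall-cmd invocations instead of running them.

IPSET=nonetvm
POLICY=nonetvm-to-wan          # hypothetical name, any unused name will do
EGRESS_ZONE=external
HOSTS="192.168.1.52 192.168.1.53 192.168.1.54 192.168.1.55"

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Build the ipset, then a policy on the forward path from ANY zone into the
# external zone that rejects packets whose source is in the set. The policy
# target is left at its default (CONTINUE), so everything that does not
# match the rich rule falls through to normal zone handling unchanged.
configure_policy() {
    run --permanent --new-ipset="$IPSET" --type=hash:ip
    for h in $HOSTS; do
        run --permanent --ipset="$IPSET" --add-entry="$h"
    done
    run --permanent --new-policy="$POLICY"
    run --permanent --policy="$POLICY" --add-ingress-zone=ANY
    run --permanent --policy="$POLICY" --add-egress-zone="$EGRESS_ZONE"
    run --permanent --policy="$POLICY" \
        --add-rich-rule="rule family=ipv4 source ipset=$IPSET reject"
    run --reload
}

# Print the exact firewall-cmd calls without touching the firewall.
policy_commands() {
    ( DRY_RUN=1; configure_policy )
}

# Uncomment to apply for real (needs root):
# configure_policy
```

Run `sh script.sh` after uncommenting the last line, or call `policy_commands` first to review what will be executed.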