Wireguard/NAT issue with FirewallBackend=nftables
by Patrick Laimböck
Hi,
I have set up a WireGuard connection between my laptop (Fedora 39) and an
AlmaLinux 9 x86_64 server which also runs a Knot DNS resolver on port 53
(IPv4 & IPv6) to be used by the laptop when the WireGuard connection is
active. This all works fine but it requires:
/etc/firewalld/firewalld.conf
FirewallBackend=iptables
and these firewall-cmd rules in the server's wireguard wg0 config:
(this is one long line but separated for clarity)
PostUp =
firewall-cmd --zone=public --add-port=443/udp;
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s
192.168.2.0/24 -o eth0 -j MASQUERADE;
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i %i -j ACCEPT;
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i %i -o eth0 -j
ACCEPT;
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o %i -j
ACCEPT;
firewall-cmd --direct --add-rule ipv6 nat POSTROUTING 0 -s
fdcc:xxxx:xxxx::/64 -o eth0 -j MASQUERADE;
firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -i %i -j ACCEPT;
firewall-cmd --direct --add-rule ipv6 filter FORWARD 0 -i %i -o eth0 -j
ACCEPT;
firewall-cmd --direct --add-rule ipv6 filter FORWARD 0 -i eth0 -o %i -j
ACCEPT;
When, on the server, I switch to
FirewallBackend=nftables
and restart firewalld and run wg-quick up wg0, then I can no longer access
the DNS resolver on the WireGuard server's public IPv4 & IPv6 addresses
from the client. If I change the DNS in the client's WireGuard config to
9.9.9.9 & 2620:fe::fe then resolving on the client works fine. So
somehow the iptables and nftables backend handle this differently (or
the firewall-cmd rules are wrong?).
Anyone know how to make this work with the nftables backend?
Please let me know if you need any other information. Thanks!
Best,
Patrick
2 months, 3 weeks
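A zone-and-policy version of the setup above, added here as an example (it is not part of the original post and not a reply from the list). The security-relevant point is an nftables semantic: an `accept` verdict in one base chain only ends that chain, and every other base chain registered on the same hook is still evaluated (nft(8), "accept"). With FirewallBackend=nftables, firewalld's own rules live in its own table and `--direct` rules go into the iptables-nft tables, so a direct ACCEPT on wg0 no longer short-circuits firewalld's reject the way it did when both sets of rules shared one iptables chain. Putting wg0 into a zone and using a policy for forwarding avoids direct rules in the filter path entirely. The zone name `wireguard` and policy name `wireguard-to-public` are assumptions; wg0, eth0 and 443/udp are taken from the post.

```shell
#!/bin/sh
# Added example (not from the post): firewalld zone/policy setup for a
# WireGuard server that behaves the same with FirewallBackend=nftables.
# Assumed names: zone "wireguard", policy "wireguard-to-public".
WG_IF="${WG_IF:-wg0}"                 # wg-quick's %i
WG_ZONE="${WG_ZONE:-wireguard}"       # hypothetical zone for the tunnel
WG_PORT="${WG_PORT:-443/udp}"         # ListenPort from the post
POLICY="${POLICY:-wireguard-to-public}"

# Emit the firewall-cmd invocations, one per line.  Only documented
# firewall-cmd options are used (zones, services, masquerade, policies).
wg_firewalld_cmds() {
  cat <<EOF
firewall-cmd --permanent --zone=public --add-port=${WG_PORT}
firewall-cmd --permanent --new-zone=${WG_ZONE}
firewall-cmd --permanent --zone=${WG_ZONE} --add-interface=${WG_IF}
firewall-cmd --permanent --zone=${WG_ZONE} --add-service=dns
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --permanent --new-policy=${POLICY}
firewall-cmd --permanent --policy=${POLICY} --add-ingress-zone=${WG_ZONE}
firewall-cmd --permanent --policy=${POLICY} --add-egress-zone=public
firewall-cmd --permanent --policy=${POLICY} --set-target=ACCEPT
firewall-cmd --reload
EOF
}

# Execute the commands in order; the loop stops at the first failure and
# the function then returns non-zero.
wg_firewalld_apply() {
  wg_firewalld_cmds | while IFS= read -r cmd; do
    printf '+ %s\n' "$cmd"
    sh -c "$cmd" || exit 1
  done
}

# Default is a dry run that only prints the commands; pass --apply to run them.
case "${1:-}" in
  --apply) wg_firewalld_apply ;;
  *) wg_firewalld_cmds ;;
esac
```

Two caveats a practitioner should keep in mind. `--new-zone` and `--new-policy` are permanent-only and fail with a name conflict on a second run, so the script is meant to be applied once and then inspected with `firewall-cmd --get-active-zones` and `firewall-cmd --policy=wireguard-to-public --list-all`. Zone masquerade in firewalld is IPv4 only (firewalld.zone(5)), so if the fdcc: ULA range really must be NATed towards eth0, the `ipv6 nat POSTROUTING ... MASQUERADE` direct rule from the post should stay; that rule sits on the nat hook, where firewalld has nothing that rejects, so it should not suffer from the filter-hook conflict described above. Only the INPUT/FORWARD direct rules are replaced by the zone and the policy.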
allow icmp for specific host with policy rich-rule
by Django [Bastard Operator from Hell]
Hiho "erig0" ... ;)
... me again :/
I can reach hosts on the internet via ICMP from a host that is behind
this host, regardless of whether it is via IPv4 or IPv6. Thanks to the
excellent support from Eric Garver, everything is running smoothly! :)
Now I would like to create a rich rule for "ICMP v6" for selected hosts,
so that I can ping these selected hosts from the outside.
Like for example:
# firewall-cmd --permanent --policy edmz_2_idmz \
--add-rich-rule='rule family="ipv6" \
destination address="2003:a:bbb:cc03:10::110" \
icmp-type name=echo-request accept'
Is that okay or am I taking the cake? :) Or should I better add a limit
with the help of e.g. "... accept limit value=10/s"?
ttyl
Django
2 months, 4 weeks
firewalld and forwarding incoming external traffic to an internal host
by Django [Bastard Operator from Hell]
Hi!
My environment:
### Internet ###
|
|
V
+-----------+
| |
| FWA |
| |
+-----------+
|
--EDMZ--+------------------ [laptop]
|
V
+-----------+
| | 2003:a:b:c0:1920:168:0:210
| FWB | fe80::1921:68ff:fe00:210/64
| | fd00::192:168:0:210/64
+-----------+
|
--IDMZ--+------------------ [web, mail ...]
|
V
+-----------+
| | 2003:a:b:c1:10::110/64
| FWC | fe80::1:10:ff:fe00:110/64
| | fd00::1:10:0:0:110/64
+-----------+
|
|
V
### Intranet ###
Outgoing traffic from intranet, IDMZ, web or mail to internet, works
fine either with IPv4 or IPv6 addresses.
With the help of firewalld rules, I can reach the SSH daemon on the host
FWB.
On my host "FWB" I put these two rich rules:
# firewall-cmd --zone=edmz --list-all | grep 41022
rule family="ipv4" forward-port port="41022" protocol="tcp" to-port="22"
to-addr="192.168.0.210"
rule family="ipv6" forward-port port="41022" protocol="tcp" to-port="22"
to-addr="fd00::192:168:0:210"
I can reach the host FWB from the Internet without any problems with the
help of:
# ssh -p 41022 2003:a:b:c0:1920:168:0:210
If I now define the following rich rule on my host FWB, I can also reach
the host FWC.
# firewall-cmd --zone=edmz --list-all | grep 41122
rule family="ipv4" forward-port port="41122" protocol="tcp" to-port="22"
to-addr="10.0.0.110"
rule family="ipv6" forward-port port="41122" protocol="tcp" to-port="22"
to-addr="2003:a:b:c1:10::110"
I can reach SSH daemon on FWC from the internet with:
# ssh -p 41122 2003:a:b:c0:1920:168:0:210
For testing purposes, I then installed postfix on the host FWC, which
responds to both IPv4 and IPv6 on port 25. I can therefore reach the
SMTP daemon listening on port 25 on the host FWC from the host FWB.
root@vml000210:~# telnet 10.0.0.110 25
root@vml000210:~# telnet 2003:a:b:c1:10::110 25
So far so good.
On my host FWB I put these two "forward-ports" rules:
# firewall-cmd --zone=edmz --list-all | grep port=25
port=25:proto=tcp:toport=:toaddr=10.0.0.110
port=25:proto=tcp:toport=:toaddr=2003:a:b:c1:10::110
From the Internet, I can now access port 25 at address
2003:a:b:c0:1920:168:0:210 and, thanks to the port-forward rule, end up
at the SMTP daemon on the host FWC.
Basically, I'm fine with firewalld and its command syntax, and the
routing for IPv4 and IPv6 on the two hosts FWB and FWC should work so
far, in my opinion.
But what I actually have in mind is the following scenario:
Traffic from the Internet on port 22, i.e. to the SSH daemon, is only
permitted on the host FWB with the address 2003:a:b:c0:1920:168:0:210.
The SSH daemon on the host FWC (2003:a:b:c1:10::110) is not directly
accessible from the Internet.
Both tasks have now been solved satisfactorily.
!!!***BUT***!!!:
Traffic from the Internet (::/64) may directly reach the SMTP daemon on
the host FWC (2003:a:b:c1:10::110), but ONLY if the destination port is
25. To do this, the traffic must of course be allowed through on the
host FWB (2003:a:b:c0:1920:168:0:210), but only if the destination port
is 25 and the destination address is 2003:a:b:c1:10::110! Other traffic
from the Internet which has 2003:a:b:c1:10::110 as the destination
address - regardless of which destination port is selected - must be
blocked by the firewalld on the host FWB (2003:a:b:c0:1920:168:0:210)!
So I need a firewall rule on the host FWB according to the following scheme:
On FWB (2003:a:b:c0:1920:168:0:210) accept SMTP traffic on port 25 from
all senders on the Internet, but only for the destination address
2003:a:b:c1:10::110 and route this traffic on to the host FWC which
holds the address 2003:a:b:c1:10::110.
Something like this:
# firewall-cmd --zone=edmz \
--add-rich-rule='rule family="ipv6" \
source address="::/0" \
destination address="2003:a:b:c1:10::110" \
service name="smtp" accept'
Well, unfortunately it doesn't work like that or something is still
missing or I've taken a completely wrong turn, who knows? :/
Actually, it shouldn't be accept but forward in my naive attempt, but
that immediately blows up in my face with the following error message:
# firewall-cmd --zone=edmz \
--add-rich-rule='rule family="ipv6" \
source address="::/0" \
destination address="2003:a:b:c1:10::110" \
service name="smtp" forward'
Error: INVALID_RULE: unknown element forward
I currently have absolutely no idea what else I could try to solve my
problem!
Maybe someone has enough expertise and patience to explain and show me
;) I am grateful for any advice and would like to take this opportunity
to say thank you very much!
Best regards
Django
3 months
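One way to express the FWB requirement in firewalld, added here as an example (not Django's or Eric Garver's code, and not a reply from the list). Zone rich rules such as the one tried above filter traffic addressed to FWB itself; traffic that FWB routes on to FWC is matched by a policy with an ingress zone and an egress zone, and `forward` is not a rich-rule action (the actions are accept, reject, drop and mark, which is what the INVALID_RULE error is saying). The block below reuses the policy name `edmz_2_idmz` from the "allow icmp for specific host" post and also carries that post's rate-limited ICMPv6 echo-request rule, so it serves both questions. It assumes the `edmz` and `idmz` zones already hold the corresponding interfaces; the FWC address is the one from the diagram.

```shell
#!/bin/sh
# Added example (not from the thread): on FWB, filter *routed* traffic from
# zone edmz to zone idmz with a firewalld policy.  Assumptions: policy name
# edmz_2_idmz, zones edmz/idmz already exist, FWC address from the diagram.
POLICY="${POLICY:-edmz_2_idmz}"
FWC6="${FWC6:-2003:a:b:c1:10::110}"

# Print the action keyword of a rich rule; return 1 if it has none.
# Pre-flight check so that an invalid action such as "forward" fails here
# instead of inside firewall-cmd.
rich_rule_action() {
  for w in $1; do
    case "$w" in
      accept|reject|drop|mark) printf '%s\n' "$w"; return 0 ;;
    esac
  done
  return 1
}

# Internet -> FWC port 25 only: any source, exactly one destination address.
smtp_rule() {
  printf 'rule family="ipv6" destination address="%s" service name="smtp" accept\n' "$FWC6"
}
# ICMPv6 echo-request to the same host, rate limited.  firewalld.richlanguage(5)
# places "limit" after the action, as in the post's "accept limit value=10/s".
ping_rule() {
  printf 'rule family="ipv6" destination address="%s" icmp-type name="echo-request" accept limit value="10/s"\n' "$FWC6"
}

# Emit the firewall-cmd invocations, one per line.  Target REJECT makes every
# other edmz->idmz packet (any port, any destination) bounce off FWB; the
# two rich rules are the only exceptions.
policy_cmds() {
  for r in "$(smtp_rule)" "$(ping_rule)"; do
    rich_rule_action "$r" >/dev/null || { printf 'bad rich rule: %s\n' "$r" >&2; return 1; }
  done
  cat <<EOF
firewall-cmd --permanent --new-policy=${POLICY}
firewall-cmd --permanent --policy=${POLICY} --add-ingress-zone=edmz
firewall-cmd --permanent --policy=${POLICY} --add-egress-zone=idmz
firewall-cmd --permanent --policy=${POLICY} --set-target=REJECT
firewall-cmd --permanent --policy=${POLICY} --add-rich-rule='$(smtp_rule)'
firewall-cmd --permanent --policy=${POLICY} --add-rich-rule='$(ping_rule)'
firewall-cmd --reload
EOF
}

# Execute the commands in order; stops at the first failure.
policy_apply() {
  policy_cmds | while IFS= read -r cmd; do
    printf '+ %s\n' "$cmd"
    sh -c "$cmd" || exit 1
  done
}

# Default is a dry run that only prints the commands; pass --apply to run them.
case "${1:-}" in
  --apply) policy_apply ;;
  *) policy_cmds ;;
esac
```

The REJECT target is what blocks SSH (and everything else) to 2003:a:b:c1:10::110 from the Internet while port 25 stays open, and it is deliberately strict: anything else that FWB currently routes from edmz into idmz, including the IPv4 path to 10.0.0.110 behind the existing forward-port rules, needs its own accept rule in the same policy if it is still wanted. Check the result with `firewall-cmd --policy=edmz_2_idmz --list-all` and, for the SSH-on-FWB-only requirement, keep the port 22 forward-port in the edmz zone, since host-bound traffic is still handled by the zone.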