On Sun, Apr 25, 2021 at 05:24:09PM -0600, R C wrote:
Hello,
I have a machine I am running RHEL 8 on. There are two interfaces and I want to forward all traffic between those interfaces (for the src and dst in the subnet a wireless device is on).
One interface is connected to a switch, WAN side. The other ethernet port has an access point, connected wired.
I did turn on ipforwarding, and thought I needed only two firewall rules.
sysctl -w net.ipv4.ip_forward=1
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o eno1 -i enp0s20u4u1 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o enp0s20u4u1 -i eno1 -j ACCEPT
However, when I try to do a DNS lookup, it looks like it is being blocked/stopped by the firewall, because when I stop the firewall, it just seems to work. With the firewall up and running, however, I can ping an IP address.
For example, if I do "ping www.google.com" I get "ping www.google.com: Name or service not known". If I use an IP address (from www.google.com), it just works.
What am I missing (probably a rule in the firewall?) (Also, I probably should restrict traffic to 192.168.67.0/24, the network "on it"?)
RHEL-8 uses the nftables backend by default. Your packets are getting through iptables due to your rules above, but they're being blocked by nftables (firewalld). The packets must pass through BOTH iptables and nftables to be accepted.
Solution: The quickest solve is to use the iptables backend by setting FirewallBackend=iptables in /etc/firewalld/firewalld.conf.
RHEL-8.5 will have policy objects which is a much better way to do inter-zone forwarding.
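As an added check that is not code from this thread, a POSIX shell preflight that reads a copy of firewalld.conf, a direct-rule listing and the ip_forward value, and reports which of the three conditions the reply names (forwarding on, both direct FORWARD rules present, iptables backend) is missing; the sample files and the function names are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the thread: offline preflight for the setup above.
# Inputs are files/strings so no live firewalld is needed; samples below are constructed.

# Effective firewalld backend: last uncommented FirewallBackend= line in the given
# config copy, else the RHEL 8 default (nftables), as the reply above notes.
firewall_backend() {
    backend=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${backend:-nftables}"
}

# Count direct FORWARD ACCEPT rules pairing interfaces $1 and $2 (either direction,
# either flag order) in a "firewall-cmd --direct --get-all-rules" style listing on stdin.
count_forward_rules() {
    grep -E "^ipv4 filter FORWARD [0-9]+ .*-j ACCEPT" |
        grep -E -- "-i $1 .*-o $2|-o $2 .*-i $1|-i $2 .*-o $1|-o $1 .*-i $2" |
        wc -l | tr -d ' '
}

# Verdict for forwarding between $4 and $5: ip_forward ($1) must be on, both direct
# rules must exist in $3, and the backend in $2 must be iptables, since with the
# nftables backend the direct rules alone do not get forwarded traffic accepted.
forward_verdict() {
    [ "$1" = "1" ] || { echo "ip_forward off"; return 1; }
    n=$(count_forward_rules "$4" "$5" < "$3")
    [ "$n" -ge 2 ] || { echo "missing direct FORWARD rule(s): found $n of 2"; return 1; }
    b=$(firewall_backend "$2")
    [ "$b" = "iptables" ] || { echo "backend is $b: direct rules alone will not pass forwarded traffic"; return 1; }
    echo "ok"
}

# Constructed samples: stock RHEL 8 config (key commented out) vs the fix from the reply.
TMP=$(mktemp -d)
printf '#FirewallBackend=nftables\nCleanupOnExit=yes\n' > "$TMP/default.conf"
printf 'FirewallBackend=iptables\n' > "$TMP/fixed.conf"
printf '%s\n' 'ipv4 filter FORWARD 0 -o eno1 -i enp0s20u4u1 -j ACCEPT' \
            'ipv4 filter FORWARD 0 -o enp0s20u4u1 -i eno1 -j ACCEPT' > "$TMP/rules.txt"
echo "default backend: $(forward_verdict 1 "$TMP/default.conf" "$TMP/rules.txt" enp0s20u4u1 eno1)"
echo "iptables backend: $(forward_verdict 1 "$TMP/fixed.conf" "$TMP/rules.txt" enp0s20u4u1 eno1)"
rm -rf "$TMP"
```

Run it against a copy of the real /etc/firewalld/firewalld.conf, the output of firewall-cmd --direct --get-all-rules and the value of net.ipv4.ip_forward to get the same verdict for a live host.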