Hi everyone,
I'm trying to set up a firewall so one of my VMs is barred from accessing the LAN (if saddr = VM Address and daddr = 192.168.0.0/16, deny input and forward). I was able to do this in nftables here:
table inet ext_only {
    chain input {
        type filter hook input priority filter - 10; policy accept;
        ct state new ip saddr 192.168.100.100 drop
    }
    chain forward {
        type filter hook forward priority filter - 10; policy accept;
        ct state new ip saddr 192.168.100.100 ip daddr 192.168.0.0/16 drop
    }
}
However, I've been having trouble trying to figure out the correct way to do this for firewalld. I know I can move the VM IP to its own zone, and I can then block input, but I couldn't figure out how to write a forward deny rule.
What is the recommended way to handle dropping forwarded packets?
Thank you for any help with this.
Regards, Sean
> What is the recommended way to handle dropping forwarded packets?
Firewalld uses policies to control forwarding between zones. See man firewalld.policy as well as https://firewalld.org/2020/09/policy-objects-introduction for an introduction and https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-traf... for applying policies to filter VM traffic (it is just one example, not an exhaustive description).
On Fri, Dec 31, 2021 at 02:49:09AM -0000, Sean Zimmermann wrote:
> Hi everyone,
> I'm trying to set up a firewall so one of my VMs is barred from accessing the LAN (if saddr = VM Address and daddr = 192.168.0.0/16, deny input and forward). I was able to do this in nftables here:
> table inet ext_only {
>     chain input {
>         type filter hook input priority filter - 10; policy accept;
>         ct state new ip saddr 192.168.100.100 drop
>     }
>     chain forward {
>         type filter hook forward priority filter - 10; policy accept;
>         ct state new ip saddr 192.168.100.100 ip daddr 192.168.0.0/16 drop
>     }
> }
> However, I've been having trouble trying to figure out the correct way to do this for firewalld. I know I can move the VM IP to its own zone, and I can then block input, but I couldn't figure out how to write a forward deny rule.
> What is the recommended way to handle dropping forwarded packets?
Policy objects are available in v0.9.0 and later. They allow forward and output filtering.
- https://firewalld.org/2020/09/policy-objects-introduction
- https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-traf...
You probably want something like this (untested):
# firewall-cmd --permanent --new-policy noForwardToLan
# firewall-cmd --permanent --policy noForwardToLan --add-ingress-zone <zone_of_vm>
# firewall-cmd --permanent --policy noForwardToLan --add-egress-zone <zone_of_lan>
# firewall-cmd --permanent --policy noForwardToLan --set-target REJECT
# firewall-cmd --reload
This will reject all traffic originating from <zone_of_vm> and destined to <zone_of_lan>. It would allow the VM to connect to the internet if your uplink is in yet another zone, e.g. public or external.
Hope that helps. Eric.
Hi Eric and Andrei,
Thank you for the info and the examples. Just one quick follow up question - can I define a zone based on outbound IP addresses?
In my case, the computer hosting the VMs is connected to the LAN but doesn't have a direct connection to the wider internet (it's behind a router). I was enforcing the 'no LAN traffic' rule in nftables by blocking any forwarded traffic from the VM to 192.168.0.0/16.
So, if I wanted to define an egress zone using policies, I assume I'd need to make a zone out of the LAN IP range, correct? I know I can make inbound zones based on IP range sources, but can I make one for outbound traffic too (saying that traffic bound for 192.168.0.0/16 is the 'lan' zone and traffic bound for elsewhere is not?)
On Tue, Jan 4, 2022 at 1:32 AM Sean Zimmermann sz2243@gmail.com wrote:
> Hi Eric and Andrei,
> Thank you for the info and the examples. Just one quick follow up question - can I define a zone based on outbound IP addresses?
No. A zone is for filtering incoming traffic.
> In my case, the computer hosting the VMs is connected to the LAN but doesn't have a direct connection to the wider internet (it's behind a router). I was enforcing the 'no LAN traffic' rule in nftables by blocking any forwarded traffic from the VM to 192.168.0.0/16.
> So, if I wanted to define an egress zone using policies, I assume I'd need to make a zone out of the LAN IP range, correct? I know I can make inbound zones based on IP range sources, but can I make one for outbound traffic too (saying that traffic bound for 192.168.0.0/16 is the 'lan' zone and traffic bound for elsewhere is not?)
Policies support rich rules, so you can define a policy with the most common default target (e.g. ACCEPT or REJECT) and use rich rules to restrict/allow traffic to specific destination(s).
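Putting Eric's policy commands and Andrei's rich-rule suggestion together for Sean's setup (one uplink on the LAN, router as the only way out), here is an added example script; it is not from the thread and not firewalld's own code. The VM address 192.168.100.100 and the LAN range 192.168.0.0/16 are the ones from the thread; the zone name vm, the policy name vm-no-lan, egress zone ANY and the ACCEPT default target are my assumptions. The script prints the firewall-cmd invocations by default so they can be reviewed first, and only runs them when called with the argument apply.

```shell
#!/bin/sh
# Added example (not from the thread): a firewalld policy that lets a VM
# forward anywhere except the LAN, and rejects its traffic to the host.
# Zone/policy names and the ANY/ACCEPT choice are assumptions.
set -eu

VM_ADDR=192.168.100.100        # VM address from the thread
LAN_NET=192.168.0.0/16         # LAN range from the thread
VM_ZONE=vm                     # assumed zone name holding the VM as a source
POLICY=vm-no-lan               # assumed policy name

# Print the firewall-cmd invocations, one per line, without running them.
# - The new zone gets no services, so host input from the VM falls through to
#   the zone's default target and is rejected.
# - The policy accepts forwarded traffic from the VM zone toward any zone
#   (so the router on the LAN is still reachable as a gateway), and a rich
#   rule rejects forwarded traffic whose destination is inside the LAN range.
policy_commands() {
cat <<EOF
firewall-cmd --permanent --new-zone=$VM_ZONE
firewall-cmd --permanent --zone=$VM_ZONE --add-source=$VM_ADDR
firewall-cmd --permanent --new-policy=$POLICY
firewall-cmd --permanent --policy=$POLICY --add-ingress-zone=$VM_ZONE
firewall-cmd --permanent --policy=$POLICY --add-egress-zone=ANY
firewall-cmd --permanent --policy=$POLICY --set-target=ACCEPT
firewall-cmd --permanent --policy=$POLICY --add-rich-rule='rule family=ipv4 destination address=$LAN_NET reject'
firewall-cmd --reload
EOF
}

# Run each command in order; the first failure aborts (set -e).
apply_policy() {
    policy_commands | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

# Dry run unless "apply" is given, so the plan can be checked on any host.
case "${1:-}" in
    apply) apply_policy ;;
    *) policy_commands ;;
esac
```

Run it without arguments to see the plan, then with apply as root on the VM host. Because the rich rule matches on destination address, the LAN is excluded without having to define an outbound "lan" zone, which is the point Andrei makes above; the router itself is inside 192.168.0.0/16 only as a next hop, and forwarded packets to internet destinations are not matched by the rule.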
firewalld-users@lists.fedorahosted.org