Hi Team,
Till last month we were using iptables in our CentOS 7 VM to do port forwarding from 53 to 8600. We observed in some VMs that the iptables rules were just vanishing; we're not sure about the exact reason behind it, and we ended up updating the iptables rules again. We suspected firewalld might be erasing the rules provided in iptables, so we added port forwarding rules in firewalld like below. After adding the firewall rules we were not able to access Google Cloud APIs, like GCS Storage to store snapshots. When we disable the firewalld service we are able to access the same.
Can you please help us with the questions below:
a. Can we disable firewalld and use only iptables to do port forwarding? Would there be any issues?
b. If we use firewalld instead of iptables, is there any rule to be applied to access GCS buckets or Google Cloud APIs?
Firewalld rules:
firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p tcp --dport 53 -j REDIRECT --to-ports 8600
firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p udp --dport 53 -j REDIRECT --to-ports 8600
firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p tcp --dport 53 -j REDIRECT --to-ports 8600
firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p udp --dport 53 -j REDIRECT --to-ports 8600
Thanks, Srinidhi
On Mon, Feb 24, 2020 at 10:12:28AM -0000, srinidhi krishnamurthy wrote:
> Hi Team,
> Till last month we were using iptables in our CentOS 7 VM to do port forwarding from 53 to 8600. We observed in some VMs that the iptables rules were just vanishing; we're not sure about the exact reason behind it, and we ended up updating the iptables rules again. We suspected firewalld might be erasing the rules provided in iptables
When firewalld starts or reloads it will issue a flush to all iptables tables. So it's quite possible this is what you were experiencing.
> so we added port forwarding rules in firewalld like below. After adding the firewall rules we were not able to access Google Cloud APIs, like GCS Storage to store snapshots. When we disable the firewalld service we are able to access the same.
Are you sure it was only traffic to GCS? I would guess all traffic was affected.
> Can you please help us with the questions below:
> a. Can we disable firewalld and use only iptables to do port forwarding? Would there be any issues?
Sure, if that's what you want. Alternatively add the rules via firewalld (like you show below), or manually add them to iptables _after_ firewalld starts.
> b. If we use firewalld instead of iptables, is there any rule to be applied to access GCS buckets or Google Cloud APIs?
> Firewalld rules:
> firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p tcp --dport 53 -j REDIRECT --to-ports 8600
> firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p udp --dport 53 -j REDIRECT --to-ports 8600
> firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p tcp --dport 53 -j REDIRECT --to-ports 8600
> firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p udp --dport 53 -j REDIRECT --to-ports 8600
These OUTPUT rules are hijacking DNS requests and redirecting them to port 8600 on the localhost (i.e. the VM). If the VM doesn't have a DNS server listening on 8600 then that definitely explains your traffic issues. GCS won't resolve.
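An added check (not from this thread) that audits firewalld direct rules for exactly the problem described above: OUTPUT-chain REDIRECTs of port 53 that capture the VM's own resolver traffic. It assumes the rule-list format printed by `firewall-cmd --permanent --direct --get-all-rules` and that `ss` from iproute2 is available; the rule list below is a constructed sample mirroring the rules posted in the thread.

```shell
#!/bin/sh
# Audit firewalld direct rules for OUTPUT-chain port-53 REDIRECTs.
# Added example, not the thread's or firewalld's own code. In real use, feed
# find_dns_hijack_rules the output of:
#   firewall-cmd --permanent --direct --get-all-rules
# SAMPLE_RULES is a constructed copy of the rules posted in the thread.

SAMPLE_RULES='ipv4 nat PREROUTING 0 -p tcp --dport 53 -j REDIRECT --to-ports 8600
ipv4 nat PREROUTING 0 -p udp --dport 53 -j REDIRECT --to-ports 8600
ipv4 nat OUTPUT 0 -p tcp --dport 53 -j REDIRECT --to-ports 8600
ipv4 nat OUTPUT 0 -p udp --dport 53 -j REDIRECT --to-ports 8600'

# Print every direct rule in the nat OUTPUT chain that REDIRECTs dport 53,
# i.e. a rule that rewrites the host's own outbound DNS queries.
# $1: rule list, one rule per line. Exit 0 if any such rule exists, else 1.
find_dns_hijack_rules() {
    printf '%s\n' "$1" | awk '
        $2 == "nat" && $3 == "OUTPUT" && / --dport 53 / && / -j REDIRECT / {
            print; found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Number of such rules, for use in scripts.
count_dns_hijack_rules() {
    find_dns_hijack_rules "$1" | wc -l | tr -d ' '
}

# Exit 0 if something listens on TCP or UDP port $1, so a redirect there
# would not black-hole resolution.
port_has_listener() {
    ss -Hlnut "sport = :$1" 2>/dev/null | grep -q .
}

main() {
    if find_dns_hijack_rules "$SAMPLE_RULES"; then
        echo "WARNING: the OUTPUT rules above redirect this host's own DNS queries to port 8600."
        echo "Drop them (keeping only the PREROUTING rules) unless a resolver listens on 8600:"
        if port_has_listener 8600; then
            echo "  port 8600: listener present"
        else
            echo "  port 8600: nothing listening, name resolution from this VM will fail"
        fi
    fi
}

main "$@"
```

The PREROUTING rules only affect traffic arriving from other hosts, so removing the two OUTPUT rules keeps the intended forwarding while letting the VM resolve names normally.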
firewalld-users@lists.fedorahosted.org