Hello,
I have a machine I am running RHEL 8 on. There are two interfaces and I want to forward all traffic between those interfaces (for the src and dst in the subnet a wireless device is on).
One interface is connected to a switch, WAN side. The other ethernet port has an access point, connected wired.
I did turn on ipforwarding, and thought I needed only two firewall rules.
sysctl -w net.ipv4.ip_forward=1
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o eno1 -i enp0s20u4u1 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o enp0s20u4u1 -i eno1 -j ACCEPT
However, when I try to do a DNS lookup, it looks like it is being blocked/stopped by the firewall, because when I stop the firewall, it just seems to work. With the firewall up and running, however I can ping an ip address.
For example, if I do "ping www.google.com" I get "ping www.google.com: Name or service not known". If I use an IP address (from www.google.com), it just works.
What am I missing (probably a rule in the firewall?) (Also, I probably should restrict traffic to 192.168.67.0/24, the network "on it"?)
thanks,
Ron
On Sun, Apr 25, 2021 at 05:24:09PM -0600, R C wrote:
RHEL-8 uses the nftables backend by default. Your packets are getting through iptables due to your rules above, but they're being blocked by nftables (firewalld). The packets must pass through BOTH iptables and nftables to be accepted.
Solution: The quickest solve is to use the iptables backend by setting FirewallBackend=iptables in /etc/firewalld/firewalld.conf.
RHEL-8.5 will have policy objects which is a much better way to do inter-zone forwarding.
alright, cool, that works. thanks!!
Of course, over time, iptables will probably be replaced by nftables and disappear.
Is there a cheat sheet, or a guide with examples, for example, what would the firewall-cmd commands look like when I use the nftables backend?
thanks,
Ron
On 4/26/21 12:31 PM, Eric Garver wrote:
https://firewalld.org/2020/09/policy-objects-introduction
On Mon, Apr 26, 2021 at 12:40:45PM -0600, R C wrote:
alright, cool, that works. thanks!!
Of course, over time, iptables will probably be replaced by nftables and disappear.
Is there a cheat sheet, or a guide with examples, for example, what would the firewall-cmd commands look like when I use the nftables backend?
If you mean setting up a policy to do so, then the post I linked below and this additionally should help.
https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-traf...
thanks,
Ron
On 4/26/21 12:31 PM, Eric Garver wrote:
https://firewalld.org/2020/09/policy-objects-introduction
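The policy-object approach Eric points to, as an added example (this is not code from the thread, from firewalld's own documentation, or from the linked posts). It uses the interface names and the 192.168.67.0/24 subnet from Ron's post; the zone assignment (internal for the AP port, external for the WAN port), the policy name ap-forward, and the assumption that the AP subnet is not routed upstream (so the external zone's default masquerading is wanted) are all mine. It needs firewalld with policy objects (0.9+, i.e. RHEL 8.5 and later); the check_backend helper only reads firewalld.conf and works on any version. Compared with the two symmetric --direct ACCEPT rules, only the AP subnet is forwarded, only in the AP-to-WAN direction, and replies come back through conntrack:

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names and the AP subnet are the
# ones from Ron's post; the zone and policy names are assumptions. Requires firewalld
# with policy-object support (0.9+, i.e. RHEL 8.5 and later).

WAN_IF=eno1                 # switch / WAN side
AP_IF=enp0s20u4u1           # wired port to the access point
AP_NET=192.168.67.0/24      # the only source allowed to be forwarded
POLICY=ap-forward           # assumed policy name

# run CMD...: execute the command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# check_backend [FILE]: report which backend firewalld.conf selects. An absent or
# commented-out FirewallBackend key means the nftables default, which is why the
# --direct FORWARD rules were not enough on RHEL 8: they land in iptables while the
# firewalld-managed nft ruleset still filters the forwarded packets.
check_backend() {
    conf=${1:-/etc/firewalld/firewalld.conf}
    val=$(sed -n 's/^FirewallBackend=[[:space:]]*//p' "$conf" 2>/dev/null | tail -n 1)
    echo "${val:-nftables}"
}

# apply_forwarding: put each interface in a zone and let a policy object forward
# only AP_NET from the AP zone to the WAN zone. Replies are handled by conntrack
# (firewalld accepts established/related traffic before zones and policies), so
# no WAN->AP accept rule is needed, unlike the two symmetric --direct rules.
apply_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    # 'external' masquerades by default (assumes AP_NET is not routed upstream)
    run firewall-cmd --permanent --zone=external --change-interface="$WAN_IF"
    run firewall-cmd --permanent --zone=internal --change-interface="$AP_IF"
    run firewall-cmd --permanent --new-policy "$POLICY"
    run firewall-cmd --permanent --policy "$POLICY" --add-ingress-zone internal
    run firewall-cmd --permanent --policy "$POLICY" --add-egress-zone external
    # fallback for forwarded traffic that the rich rule below does not match
    run firewall-cmd --permanent --policy "$POLICY" --set-target REJECT
    run firewall-cmd --permanent --policy "$POLICY" --add-rich-rule \
        "rule family=\"ipv4\" source address=\"$AP_NET\" accept"
    run firewall-cmd --reload
}

# Usage: DRY_RUN=1 sh forward.sh apply   (print only)   or   sh forward.sh apply
if [ "${1:-}" = apply ]; then
    echo "FirewallBackend: $(check_backend)"
    apply_forwarding
fi
```

Run it first with DRY_RUN=1 to review the generated firewall-cmd calls; the printed FirewallBackend line tells you whether the host is still on the nftables default, in which case `nft list ruleset` (not `iptables -L`) is where the effective forward filtering shows up. The REJECT target on the policy keeps anything outside 192.168.67.0/24 from being forwarded, which answers the "should I restrict traffic" question from the first post.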
firewalld-users@lists.fedorahosted.org