I’m working on a configuration to make multiple VMs accessible via public IPv4 and IPv6
addresses. The Internet provider routes all addresses (IPv4 and IPv6 subnets) to the MAC
address of the physical adapter. So I have to route to the VMs on the server (Fedora
Server 32). The more common bridge solution for direct VM access doesn’t work. I have
configured the physical interface (enp3s0) accordingly and attached a virtual bridge
(vbr3s0) to which the VMs connect. In addition, there is a libvirt bridge for private
communication between VMs.
Everything works great as long as firewalld is *stopped*.
The goal is to configure the host firewall so that everything is forwarded by default and
the VM's firewall controls the specific access. At the same time, it should be
possible to restrict access for individual IPs to certain ports (these IPs provide public
access for containers instead of VMs).
Unfortunately, I'm not that familiar with firewalld. I found the following solution
options:

(a) Place the bridge (vbr3s0) in a zone providing target=ACCEPT, e.g. trusted or nm-shared.
In this way, routing works for IPv6, but not for IPv4.

(b) Defining "direct rules" for forwarding. Various posts all boiled down to:

[...]# firewall-cmd --direct --get-all-rules
ipv4 filter FORWARD 0 -i enp3s0 -o vbr3s0 -j ACCEPT
ipv4 filter FORWARD 0 -i vbr3s0 -o enp3s0 -j ACCEPT

Unfortunately, IPv4 still does not work with these rules either. Obviously, I have missed
something.

Unfortunately, I am not getting any further and would be very appreciative of any help.
Thanks
Peter
My IP configuration:

2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 30:85:a9:ee:23:d4 brd ff:ff:ff:ff:ff:ff
    inet 144.76.7.86/32 scope global noprefixroute enp3s0
       valid_lft forever preferred_lft forever
    inet6 2a01:4f8:190:8255::2/128 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::3285:a9ff:feee:23d4/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: vbr3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 8e:5d:9f:58:45:4b brd ff:ff:ff:ff:ff:ff
    inet 144.76.7.86/32 scope global noprefixroute vbr3s0
       valid_lft forever preferred_lft forever
    inet6 2a01:4f8:190:8255::2/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::8c5d:9fff:fe58:454b/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:c9:33:cc brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:c9:33:cc brd ff:ff:ff:ff:ff:ff
6: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master vbr3s0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:80:ea:aa brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe80:eaaa/64 scope link
       valid_lft forever preferred_lft forever
7: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:7f:46:50 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe7f:4650/64 scope link
       valid_lft forever preferred_lft forever
My zones so far:

[...]# firewall-cmd --get-active-zones
FedoraServer
  interfaces: enp3s0
libvirt
  interfaces: virbr0
trusted
  interfaces: vbr3s0