
I have the following setup:

- CentOS box, with KVM installed (libvirt), as gateway/VM host. Interface eno2 as uplink.

- Public routed network configured on interface virbr1 (virbr1 mode routed, forward to all physical ports), and physical interface eno4 bridge-enslaved to virbr1, to use for local network, local server and VM guests.

- On interface eno4 I have a Catalyst switch, in which the local network and local server are connected.

xx.xx.xxx.128/27 - network

xx.xx.xxx.129 - assigned to virbr1, gateway for the whole network

xx.xx.xxx.130 - localserver

xx.xx.xxx.157 - guest VM

xx.xx.xxx.158 - Catalyst

My problem is that I need the local network to access the local server, but no one else should. I tried adding direct rules in firewalld, like this:

[root@master ~]# firewall-cmd --direct --get-all-rules

ipv4 filter INPUT 0 -s xx.xx.xxx.128/27 -d xx.xx.xxx.130/32 -j ACCEPT

ipv4 filter INPUT 1 -d xx.xx.xxx.130/32 -j DROP

ipv4 filter FORWARD 0 -s xx.xx.xxx.128/27 -d xx.xx.xxx.130/32 -j ACCEPT

ipv4 filter FORWARD 1 -d xx.xx.xxx.130/32 -j DROP

A ping from my home workstation to xx.xx.xxx.130 still works with the above rules. I even tried adding the same rules via iptables, but still no joy.

The same rules worked just fine in the previous setup (iptables): a Debian box with two interfaces, one connected to the internet, one to the Catalyst.

What am I missing? Is this a wrong way to achieve my goal? I am fairly new to firewalld, I've used iptables up until now.

  • To clarify: the firewall is on the CentOS host. The localserver is a cheap NAS which doesn't have a firewall, so I cannot do anything on it. – Andrei Mar 29 '20 at 21:17
  • firewalld is totally different to iptables: a set of XML files groups certain rules into "services" and "zones". So a service might be something like smtp or httpd, and a zone is something like "public", i.e. a set of services or rules aimed at your public-facing interfaces. This answer gives a clue on how to edit the public zone, which is what you want to do: https://serverfault.com/questions/684602/how-to-open-port-for-a-specific-ip-address-with-firewall-cmd-on-centos – Imag1ne Mar 29 '20 at 21:23
  • I find it is easier just to edit the XML file rather than using the command line for this. – Imag1ne Mar 29 '20 at 21:25
  • I went to that post before asking the question, and I don't think it helps me. The example shows how to allow a single IP to connect to a specific port on the server which has the firewalld service. I want to block external traffic and allow access to a host on the same LAN only from a specific network. The firewall should block forwarded traffic, not incoming traffic on the gateway box. I don't know how to explain it better. – Andrei Mar 29 '20 at 21:40
  • Let me try again: the firewall should block external traffic which comes from eno2, and is directed to eno4 via virbr1 to xx.xx.xxx.130, but allow traffic on the same network (localclients->catalyst->localserver or guest-VM->virbr1->eno4->catalyst->localserver,etc). In other words, I need help translating the iptables rules, (which are very clear) into firewalld rules. – Andrei Mar 29 '20 at 21:50
  • ok I see, that is a bit beyond my knowledge, maybe this answer helps? https://serverfault.com/questions/618164/block-outgoing-connections-on-rhel7-centos7-with-firewalld – Imag1ne Mar 29 '20 at 21:58
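Added example, not code from the question, from firewalld or from libvirt: iptables chains are first-match, so a rule that firewalld puts into FORWARD_direct only sees a packet if nothing earlier in FORWARD has already accepted it. The script below walks a constructed `iptables -S` dump (the 203.0.113.0/24 documentation range stands in for the xx.xx.xxx block; the 198.51.100.7 "home workstation" is made up) and reports which rule decides an outside packet aimed at the NAS. It assumes a chain where libvirt's routed-network ACCEPT rules sit ahead of the FORWARD_direct jump, and compares it with the same rules in the other order. Everything here (the sample dump, `Packet`, `forward_verdict`) is hypothetical helper code.

```python
"""First-match walk over an `iptables -S` dump (constructed sample, not the
poster's real chain) showing how a DROP in FORWARD_direct is shadowed by an
earlier ACCEPT in FORWARD.  Hypothetical helper code, not firewalld's own."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# --- constructed sample dump; 203.0.113.0/24 stands in for xx.xx.xxx ---------
# ASSUMPTION: libvirt's routed-network ACCEPT rules were inserted at the head
# of FORWARD, so they come before firewalld's jump to FORWARD_direct.
HEAD = "-P FORWARD ACCEPT\n-N FORWARD_direct\n-N FORWARD_IN_ZONES\n"
LIBVIRT = ("-A FORWARD -d 203.0.113.128/27 -o virbr1 -j ACCEPT\n"
           "-A FORWARD -s 203.0.113.128/27 -i virbr1 -j ACCEPT\n")
JUMP = "-A FORWARD -j FORWARD_direct\n"
TAIL = ("-A FORWARD -j FORWARD_IN_ZONES\n"
        "-A FORWARD -m conntrack --ctstate INVALID -j DROP\n"
        "-A FORWARD -j REJECT --reject-with icmp-host-prohibited\n")
DIRECT = ("-A FORWARD_direct -s 203.0.113.128/27 -d 203.0.113.130/32 -j ACCEPT\n"
          "-A FORWARD_direct -d 203.0.113.130/32 -j DROP\n")
SHADOWED_DUMP = HEAD + LIBVIRT + JUMP + TAIL + DIRECT  # direct chain reached too late
ORDERED_DUMP = HEAD + JUMP + LIBVIRT + TAIL + DIRECT   # direct chain consulted first


@dataclass
class Rule:
    text: str
    target: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    unmodelled: bool = False  # "!" negation, -m/-p matches etc. are not modelled


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str


def parse_rule(toks, text):
    rule = Rule(text=text)
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-j":  # everything after -j is the target and its options
            rule.target = toks[i + 1]
            break
        if t in ("-s", "-d"):
            net = ipaddress.ip_network(toks[i + 1], strict=False)
            setattr(rule, "src" if t == "-s" else "dst", net)
            i += 2
        elif t in ("-i", "-o"):
            setattr(rule, "in_if" if t == "-i" else "out_if", toks[i + 1])
            i += 2
        else:  # anything we do not model makes the rule "unknown", never a match
            rule.unmodelled = True
            i += 1
    return rule


def parse_dump(dump):
    """Return ({chain: [Rule]}, {builtin chain: policy}) from `iptables -S` text."""
    chains, policies = {}, {}
    for line in dump.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            chains.setdefault(toks[1], [])
        elif toks[0] == "-N":
            chains.setdefault(toks[1], [])
        elif toks[0] == "-A":
            chains.setdefault(toks[1], []).append(parse_rule(toks[2:], line.strip()))
    return chains, policies


def iface_match(pattern, name):
    if pattern is None:
        return True
    if pattern.endswith("+"):  # iptables prefix wildcard, e.g. virbr+
        return name.startswith(pattern[:-1])
    return pattern == name


def matches(rule, pkt):
    if rule.unmodelled:  # conservative: don't claim a match we can't evaluate
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return iface_match(rule.in_if, pkt.in_if) and iface_match(rule.out_if, pkt.out_if)


def walk(chains, policies, chain, pkt):
    """(verdict, rule text) from the first terminating rule, or None on fall-through."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule.target in chains:  # jump into a user chain, resume if it falls off the end
            verdict = walk(chains, policies, rule.target, pkt)
            if verdict is not None:
                return verdict
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target, rule.text
        if rule.target == "RETURN":
            return None
    if chain in policies:
        return policies[chain], f"policy of {chain}"
    return None


def forward_verdict(dump, pkt):
    chains, policies = parse_dump(dump)
    return walk(chains, policies, "FORWARD", pkt)


if __name__ == "__main__":
    outside = Packet("198.51.100.7", "203.0.113.130", "eno2", "virbr1")  # constructed
    for name, dump in (("shadowed", SHADOWED_DUMP), ("ordered", ORDERED_DUMP)):
        print(name, forward_verdict(dump, outside))
```

To use it against a real host, replace the constructed strings with the output of `iptables -S FORWARD` and `iptables -S FORWARD_direct` (or `iptables -L FORWARD -nv --line-numbers` to see the order with counters): if the uplink packet is accepted by a rule that appears above the `-j FORWARD_direct` line, the direct rules are correct but unreachable, and the fix is about rule order, not rule syntax.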

0 Answers