
I opened a question here, but as I found some new elements, I prefer to open a new one.

Here is my situation, that can be reproduced:

Fresh CentOS 7 OS. Configuration of two interfaces eth1 and eth2 with IP addresses X and Y

-----------------> @X CENTOS @Y -----------------> @Z  -------
    dst_IP = A                      dst_IP = A
    src_IP = B                      dst_IP = B

Edit /etc/firewalld/zones/TEST.xml, add the two interfaces, activate masquerade. The firewalld target is set to "default" by default.

Add a route as follows:

Destination     Gateway     GenMask
A               Z           255.255.255.255

Then activate IP forwarding and deactivate rp_filter:

sysctl net.ipv4.ip_forward=1
sysctl net.ipv4.conf.eth1.rp_filter=2
sysctl net.ipv4.conf.eth2.rp_filter=2

In this situation, if I route a packet (@dest=A) to CentOS, the packet is routed to Z. -> Why does firewalld not block it, as there is no rule to accept it?

If I disable masquerade, the packet is not routed anymore. -> Why?

With masquerade activated, if I change the target from default to DROP, the packet is not routed anymore -> So the "default" target is not strictly identical to the "DROP" target. What exactly are the differences? I couldn't find any information about this.

Carbon69

2 Answers


First of all, you are activating rp_filter, and not deactivating it (to deactivate, you would have to set it to zero).

Info about Reverse Path filtering.

One question is answered easily: without masquerade, the destination router sees a source IP of B, but doesn't have a correct route to send the reply to. Because of this and the reverse path filtering, the packet gets dropped.

Second, you have to differentiate between a firewall and a forwarding firewall. One is intended for packets which have one of the interface IPs as dst/src IP (meaning coming from / going to the device!) and the other is intended for packets which are just passing through the device.

So what is happening? Your CentOS sees a packet with source IP B, destination IP A, and is trying to forward it. To do this, it looks at its routing table - there is an active route saying that all packets meant for destination A should go through the router Z.

Now the masquerading comes into effect - the source IP B is replaced by Y, and the packet is forwarded to Z - still with destination IP A!

I can only guess what the firewall does - you'd have to post your complete firewall ruleset for a complete picture - but my guess is that you are confusing "routing through Z" with "destination Z". The latter would probably get dropped, the first wouldn't.

Please post your complete firewall ruleset for a final answer!

Martin
  • Hi Martin, thank you for your answer! – Carbon69 Oct 06 '21 at 08:21
  • I will post more details in an answer. The difference between firewall and forwarding firewall is probably what I'm missing, but I can't find any documentation about this for Linux firewalld – Carbon69 Oct 06 '21 at 08:39
  • There are lots of front-ends for Linux firewalls, firewalld is just one of them. Most of them use `iptables` under the hood. iptables is provided by the Linux kernel (because that is the place where packets are mangled / filtered) and has been around for quite some time, and is well documented. I would recommend reading on that topic. – Martin Oct 06 '21 at 09:07

More details:

For this issue, I only consider the fact that, listening on the CentOS interface @Y, the packet is either routed or dropped. I don't take into account the reply by Z, which does not actually work if I activate/deactivate masquerade on CentOS without adjusting Z's configuration.

In this context, what explains that activating masquerade has an impact on whether the routed packets are dropped or not by firewalld before going out on interface @Y? And what about the "default" target in firewalld?

My firewalld ruleset is completely empty; I made this setup from a new CentOS for working on this issue. No iptables or firewalld rules were added.

Here is the result of iptables -L -n and iptables -L -t nat -n:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_TEST  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDI_TEST  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_TEST  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDO_TEST  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination


Chain FWDI_TEST (2 references)
target     prot opt source               destination
FWDI_TEST_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_TEST_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_TEST_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain FWDI_TEST_allow (1 references)
target     prot opt source               destination

Chain FWDI_TEST_deny (1 references)
target     prot opt source               destination

Chain FWDI_TEST_log (1 references)
target     prot opt source               destination

Chain FWDO_TEST (2 references)
target     prot opt source               destination
FWDO_TEST_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_TEST_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_TEST_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDO_TEST_allow (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain FWDO_TEST_deny (1 references)
target     prot opt source               destination

Chain FWDO_TEST_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_TEST    all  --  0.0.0.0/0            0.0.0.0/0           [goto]
IN_TEST    all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination


Chain IN_TEST (2 references)
target     prot opt source               destination
IN_TEST_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_TEST_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_TEST_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain IN_TEST_allow (1 references)
target     prot opt source               destination

Chain IN_TEST_deny (1 references)
target     prot opt source               destination

Chain IN_TEST_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination



Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PREROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0
PREROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
PREROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
POSTROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0
POSTROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
POSTROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT_direct (1 references)
target     prot opt source               destination

Chain POSTROUTING_ZONES (1 references)
target     prot opt source               destination
POST_TEST  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
POST_TEST  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain POSTROUTING_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain POSTROUTING_direct (1 references)
target     prot opt source               destination

Chain POST_TEST (2 references)
target     prot opt source               destination
POST_TEST_log  all  --  0.0.0.0/0            0.0.0.0/0
POST_TEST_deny  all  --  0.0.0.0/0            0.0.0.0/0
POST_TEST_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain POST_TEST_allow (1 references)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain POST_TEST_deny (1 references)
target     prot opt source               destination

Chain POST_TEST_log (1 references)
target     prot opt source               destination

Chain PREROUTING_ZONES (1 references)
target     prot opt source               destination
PRE_TEST   all  --  0.0.0.0/0            0.0.0.0/0           [goto]
PRE_TEST   all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain PREROUTING_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain PREROUTING_direct (1 references)
target     prot opt source               destination

Chain PRE_TEST (2 references)
target     prot opt source               destination
PRE_TEST_log  all  --  0.0.0.0/0            0.0.0.0/0
PRE_TEST_deny  all  --  0.0.0.0/0            0.0.0.0/0
PRE_TEST_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain PRE_TEST_allow (1 references)
target     prot opt source               destination

Chain PRE_TEST_deny (1 references)
target     prot opt source               destination

Chain PRE_TEST_log (1 references)
target     prot opt source               destination
Carbon69
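Added example (not code from the question or the answers): a small Python model of how netfilter walks the FORWARD chain posted above, including the `-g` (goto) semantics of the zone dispatch chains, so the three observations in the question can be traced rule by rule. It assumes that the unqualified ACCEPT in FORWARD is firewalld's `-i lo` rule (whose interface match `iptables -L` without `-v` does not display), that a zone target of DROP is implemented as a terminal DROP rule at the end of the zone's FWDI chain, and that the test packet is a constructed new flow from B to A entering on eth1.

```python
def run_chain(chains, name, pkt, policy=None):
    """Walk chain `name`; return ACCEPT/DROP/REJECT, or None if it falls through."""
    for match, target, is_goto in chains[name]:
        if not match(pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        sub = run_chain(chains, target, pkt)     # -j / -g into a user-defined chain
        if sub is not None:
            return sub
        if is_goto:                              # -g: its end returns to OUR caller
            return None
    return policy                                # end of chain: RETURN, or built-in policy

def forward_ruleset(masquerade=True, zone_target="default"):
    """FORWARD as posted. masquerade=False removes the 'ACCEPT ctstate NEW' rule in
    FWDO_TEST_allow; a non-default zone_target ends FWDI_TEST with it (assumption)."""
    anyp = lambda p: True
    tail = [] if zone_target == "default" else [(anyp, zone_target, False)]
    return {
        "FORWARD": [
            (lambda p: p["ctstate"] in ("RELATED", "ESTABLISHED"), "ACCEPT", False),
            (lambda p: p["iif"] == "lo", "ACCEPT", False),  # '-i lo'; -L without -v hides it
            (anyp, "FORWARD_direct", False),
            (anyp, "FORWARD_IN_ZONES_SOURCE", False),
            (anyp, "FORWARD_IN_ZONES", False),
            (anyp, "FORWARD_OUT_ZONES_SOURCE", False),
            (anyp, "FORWARD_OUT_ZONES", False),
            (lambda p: p["ctstate"] == "INVALID", "DROP", False),
            (anyp, "REJECT", False),                       # reject-with icmp-host-prohibited
        ],
        "FORWARD_direct": [], "FORWARD_IN_ZONES_SOURCE": [], "FORWARD_OUT_ZONES_SOURCE": [],
        "FORWARD_IN_ZONES": [(anyp, "FWDI_TEST", True), (anyp, "FWDI_TEST", True)],   # [goto]
        "FORWARD_OUT_ZONES": [(anyp, "FWDO_TEST", True), (anyp, "FWDO_TEST", True)],  # [goto]
        "FWDI_TEST": [(anyp, "FWDI_TEST_log", False), (anyp, "FWDI_TEST_deny", False),
                      (anyp, "FWDI_TEST_allow", False),
                      (lambda p: p["proto"] == "icmp", "ACCEPT", False)] + tail,
        "FWDO_TEST": [(anyp, "FWDO_TEST_log", False), (anyp, "FWDO_TEST_deny", False),
                      (anyp, "FWDO_TEST_allow", False)],
        "FWDI_TEST_log": [], "FWDI_TEST_deny": [], "FWDI_TEST_allow": [],
        "FWDO_TEST_log": [], "FWDO_TEST_deny": [],
        "FWDO_TEST_allow": [(lambda p: p["ctstate"] == "NEW", "ACCEPT", False)] if masquerade else [],
    }

def verdict(pkt, **opts):
    return run_chain(forward_ruleset(**opts), "FORWARD", pkt, policy="ACCEPT")

PKT = {"proto": "tcp", "ctstate": "NEW", "iif": "eth1"}  # constructed: new flow B -> A
```

With the ruleset exactly as posted, `verdict(PKT)` is ACCEPT from FWDO_TEST_allow; without the masquerade-added rule the packet falls through every zone chain to the final REJECT, and with a DROP zone target it is dropped in FWDI_TEST before the OUT zone chains are consulted.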