How to allow FORWARDing with firewalld on a Fedora 19 router

7

I've just installed Fedora 19 and I'm using firewalld instead of iptables, but I'm having difficulty interpreting the new terminology.

I have 2 NICs. One is specified ZONE="internal" and the other "external" in the ifcfg-* files; I have set ipv4.forwarding = 1 in /etc/sysctl.conf, and run firewall-cmd --zone=external --add-masquerade

However, when I attempt to route from any machine on the internal network I'm getting Destination Host Prohibited and of course if I disable firewalld the error goes away but then I lose masquerading.

In iptables there was a ruleset called FORWARD, but in firewalld I can only find --add-port-forward which isn't the same thing.

How do I allow routing in firewalld?

... I made some progress ...

# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens4 -o eth1 -j ACCEPT

Will allow routing, but it's not persistent, and doesn't allow the --permanent option. How do I make this persistent across reboots?

banjo67xxx

Posted 2013-10-05T12:07:40.600

Reputation: 251

3 The current version of firewall-cmd should allow you to make this a --permanent rule. – Michael Hampton – 2014-07-05T20:39:56.203

Answers

8

Finally, I found the answer ...

# cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
   <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0"> -i eth0 -o eth1 -j ACCEPT </rule>
</direct>

This feature appeared in firewalld-0.3.4-1.fc19, but there is no firewall-cmd support yet and the man page was omitted; it WORKS, though.

I eventually found it in the following mailing list post: http://www.spinics.net/linux/fedora/fedora-security/msg01688.html

banjo67xxx

Posted 2013-10-05T12:07:40.600

Reputation: 251

chain="FORWARD" should be enough. As this rule is defined in direct.xml it will be transpiled as FORWARD_input – rhgb – 2015-12-29T01:52:55.977
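The question asks how to make a direct FORWARD accept rule persistent, and the answer above shows the /etc/firewalld/direct.xml syntax that does it. As an added example (not code from the original post or from the firewalld project), the script below parses a direct.xml of that shape, emits the equivalent persistent firewall-cmd invocation for each rule (the --permanent --direct --add-rule syntax from the comment on the question), and audits FORWARD accept rules that are not bound to both an input (-i) and an output (-o) interface, since such a rule forwards traffic between every pair of interfaces on the router. The XML document embedded in the script is constructed for this example; it accepts both chain="FORWARD" and chain="FORWARD_direct" because both spellings appear on this page.

```python
"""Parse and audit firewalld direct.xml FORWARD rules (added example).

Assumptions: direct.xml has the <direct><rule ipv= table= chain= priority=>
args</rule></direct> shape shown in the answer; the sample document below is
constructed for this example and is not a real router's configuration.
"""
import shlex
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: one rule scoped to a LAN->WAN interface pair, and one
# overly broad rule that would forward between any two interfaces.
SAMPLE_DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0"> -i eth0 -o eth1 -j ACCEPT </rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="1"> -j ACCEPT </rule>
</direct>
"""


@dataclass
class DirectRule:
    ipv: str
    table: str
    chain: str
    priority: int
    args: List[str]  # the iptables arguments between <rule> and </rule>


def parse_direct_xml(text: str) -> List[DirectRule]:
    """Return every <rule> element of a direct.xml document as a DirectRule."""
    root = ET.fromstring(text)
    if root.tag != "direct":
        raise ValueError("root element must be <direct>, got <%s>" % root.tag)
    rules = []
    for el in root.findall("rule"):
        # shlex.split tokenises the rule body the way a shell would, so
        # "-i eth0 -o eth1 -j ACCEPT" becomes a clean argument list.
        args = shlex.split(el.text or "")
        rules.append(DirectRule(el.get("ipv", ""), el.get("table", ""),
                                el.get("chain", ""), int(el.get("priority", "0")), args))
    return rules


def to_firewall_cmd(rule: DirectRule) -> str:
    """Render the persistent firewall-cmd command equivalent to one rule."""
    parts = ["firewall-cmd", "--permanent", "--direct", "--add-rule",
             rule.ipv, rule.table, rule.chain, str(rule.priority)] + rule.args
    return " ".join(shlex.quote(p) for p in parts)


def _option_value(args: List[str], opt: str) -> Optional[str]:
    """Value following a single-token iptables option such as -i, or None."""
    for i, a in enumerate(args[:-1]):
        if a == opt:
            return args[i + 1]
    return None


def audit_forward_rule(rule: DirectRule) -> List[str]:
    """Flag FORWARD accept rules that are not pinned to an interface pair."""
    findings: List[str] = []
    if rule.chain not in ("FORWARD", "FORWARD_direct"):
        return findings
    if _option_value(rule.args, "-j") != "ACCEPT":
        return findings
    if _option_value(rule.args, "-i") is None:
        findings.append("no -i: accepts forwarded traffic arriving on any interface")
    if _option_value(rule.args, "-o") is None:
        findings.append("no -o: accepts forwarded traffic leaving on any interface")
    return findings


def audit_document(text: str) -> List[str]:
    """Audit a whole direct.xml; one finding string per problem found."""
    report = []
    for rule in parse_direct_xml(text):
        for f in audit_forward_rule(rule):
            report.append("%s priority %d: %s" % (rule.chain, rule.priority, f))
    return report


if __name__ == "__main__":
    for r in parse_direct_xml(SAMPLE_DIRECT_XML):
        print(to_firewall_cmd(r))
    for line in audit_document(SAMPLE_DIRECT_XML):
        print("WARNING:", line)
```

Run against a real /etc/firewalld/direct.xml by passing its contents to audit_document(); any rule the audit reports is one that forwards more than the internal-to-external path the question is trying to allow.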

0

As of Fedora 25, this can be solved using the Firewalld Rich Rules. Firewalld Rich Rules are similar to iptables DSL, but promise much more flexibility.

They also follow chaining similar to iptables. More details can be found here: https://fedoraproject.org/wiki/Features/FirewalldRichLanguage#firewalld_Rich_Language

ksinkar

Posted 2013-10-05T12:07:40.600

Reputation: 136