I'm now on a host that does not have the internal or external zone in use. There is no masquerade and no routing. Let's play:
Code:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
$ sudo nft list ruleset > base
$ sudo firewall-cmd --zone=internal --add-source=192.168.0.0/32
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
$ sudo nft list ruleset > inter
$ sudo firewall-cmd --zone=external --add-source=192.168.1.0/32
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
$ sudo nft list ruleset > both
What changed? (I'll crop out the unchanged parts.)
$ diff -y both base
Code:
table inet firewalld { table inet firewalld {
ct helper helper-netbios-ns-udp { <
type "netbios-ns" protocol udp <
<
l3proto ip <
} <
<
chain raw_PREROUTING_ZONES_SOURCE { chain raw_PREROUTING_ZONES_SOURCE {
ip saddr 192.168.1.0 goto raw_PRE_external <
ip saddr 192.168.0.0 goto raw_PRE_internal <
} }
chain mangle_PREROUTING_ZONES_SOURCE { chain mangle_PREROUTING_ZONES_SOURCE {
ip saddr 192.168.1.0 goto mangle_PRE_external <
ip saddr 192.168.0.0 goto mangle_PRE_internal <
} }
chain filter_INPUT_ZONES_SOURCE { chain filter_INPUT_ZONES_SOURCE {
ip saddr 192.168.1.0 goto filter_IN_external <
ip saddr 192.168.0.0 goto filter_IN_internal <
} }
chain filter_FORWARD_IN_ZONES_SOURCE { chain filter_FORWARD_IN_ZONES_SOURCE {
ip saddr 192.168.1.0 goto filter_FWDI_externa <
ip saddr 192.168.0.0 goto filter_FWDI_interna <
} }
chain filter_FORWARD_OUT_ZONES_SOURCE { chain filter_FORWARD_OUT_ZONES_SOURCE {
ip daddr 192.168.1.0 goto filter_FWDO_externa <
ip daddr 192.168.0.0 goto filter_FWDO_interna <
} }
<
chain raw_PRE_internal { <
jump raw_PRE_internal_pre <
jump raw_PRE_internal_log <
jump raw_PRE_internal_deny <
jump raw_PRE_internal_allow <
jump raw_PRE_internal_post <
} <
<
chain raw_PRE_internal_pre { <
} <
<
chain raw_PRE_internal_log { <
} <
<
chain raw_PRE_internal_deny { <
} <
<
chain raw_PRE_internal_allow { <
} <
<
chain raw_PRE_internal_post { <
} <
<
chain filter_IN_internal { <
jump filter_IN_internal_pre <
jump filter_IN_internal_log <
jump filter_IN_internal_deny <
jump filter_IN_internal_allow <
jump filter_IN_internal_post <
meta l4proto { icmp, ipv6-icmp } accept <
} <
<
chain filter_IN_internal_pre { <
} <
<
chain filter_IN_internal_log { <
} <
<
chain filter_IN_internal_deny { <
} <
<
chain filter_IN_internal_allow { <
tcp dport ssh ct state new,untracked accept <
ip daddr 224.0.0.251 udp dport mdns ct state <
ip6 daddr ff02::fb udp dport mdns ct state ne <
udp dport netbios-ns ct helper set "helper-ne <
udp dport netbios-ns ct state new,untracked a <
udp dport netbios-dgm ct state new,untracked <
ip6 daddr fe80::/64 udp dport dhcpv6-client c <
tcp dport 9090 ct state new,untracked accept <
} <
<
chain filter_IN_internal_post { <
} <
<
chain filter_FWDI_internal { <
jump filter_FWDI_internal_pre <
jump filter_FWDI_internal_log <
jump filter_FWDI_internal_deny <
jump filter_FWDI_internal_allow <
jump filter_FWDI_internal_post <
meta l4proto { icmp, ipv6-icmp } accept <
} <
<
chain filter_FWDI_internal_pre { <
} <
<
chain filter_FWDI_internal_log { <
} <
<
chain filter_FWDI_internal_deny { <
} <
<
chain filter_FWDI_internal_allow { <
} <
<
chain filter_FWDI_internal_post { <
} <
<
chain mangle_PRE_internal { <
jump mangle_PRE_internal_pre <
jump mangle_PRE_internal_log <
jump mangle_PRE_internal_deny <
jump mangle_PRE_internal_allow <
jump mangle_PRE_internal_post <
} <
<
chain mangle_PRE_internal_pre { <
} <
<
chain mangle_PRE_internal_log { <
} <
<
chain mangle_PRE_internal_deny { <
} <
<
chain mangle_PRE_internal_allow { <
} <
<
chain mangle_PRE_internal_post { <
} <
<
chain filter_FWDO_internal { <
jump filter_FWDO_internal_pre <
jump filter_FWDO_internal_log <
jump filter_FWDO_internal_deny <
jump filter_FWDO_internal_allow <
jump filter_FWDO_internal_post <
} <
<
chain filter_FWDO_internal_pre { <
} <
<
chain filter_FWDO_internal_log { <
} <
<
chain filter_FWDO_internal_deny { <
} <
<
chain filter_FWDO_internal_allow { <
} <
<
chain filter_FWDO_internal_post { <
} <
<
chain raw_PRE_external { <
jump raw_PRE_external_pre <
jump raw_PRE_external_log <
jump raw_PRE_external_deny <
jump raw_PRE_external_allow <
jump raw_PRE_external_post <
} <
<
chain raw_PRE_external_pre { <
} <
<
chain raw_PRE_external_log { <
} <
<
chain raw_PRE_external_deny { <
} <
<
chain raw_PRE_external_allow { <
} <
<
chain raw_PRE_external_post { <
} <
<
chain filter_IN_external { <
jump filter_IN_external_pre <
jump filter_IN_external_log <
jump filter_IN_external_deny <
jump filter_IN_external_allow <
jump filter_IN_external_post <
meta l4proto { icmp, ipv6-icmp } accept <
} <
<
chain filter_IN_external_pre { <
} <
<
chain filter_IN_external_log { <
} <
<
chain filter_IN_external_deny { <
} <
<
chain filter_IN_external_allow { <
tcp dport ssh ct state new,untracked accept <
} <
<
chain filter_IN_external_post { <
} <
<
chain filter_FWDO_external { <
jump filter_FWDO_external_pre <
jump filter_FWDO_external_log <
jump filter_FWDO_external_deny <
jump filter_FWDO_external_allow <
jump filter_FWDO_external_post <
} <
<
chain filter_FWDO_external_pre { <
} <
<
chain filter_FWDO_external_log { <
} <
<
chain filter_FWDO_external_deny { <
} <
<
chain filter_FWDO_external_allow { <
ct state new,untracked accept <
} <
<
chain filter_FWDO_external_post { <
} <
<
chain filter_FWDI_external { <
jump filter_FWDI_external_pre <
jump filter_FWDI_external_log <
jump filter_FWDI_external_deny <
jump filter_FWDI_external_allow <
jump filter_FWDI_external_post <
meta l4proto { icmp, ipv6-icmp } accept <
} <
<
chain filter_FWDI_external_pre { <
} <
<
chain filter_FWDI_external_log { <
} <
<
chain filter_FWDI_external_deny { <
} <
<
chain filter_FWDI_external_allow { <
} <
<
chain filter_FWDI_external_post { <
} <
<
chain mangle_PRE_external { <
jump mangle_PRE_external_pre <
jump mangle_PRE_external_log <
jump mangle_PRE_external_deny <
jump mangle_PRE_external_allow <
jump mangle_PRE_external_post <
} <
<
chain mangle_PRE_external_pre { <
} <
<
chain mangle_PRE_external_log { <
} <
<
chain mangle_PRE_external_deny { <
} <
<
chain mangle_PRE_external_allow { <
} <
<
chain mangle_PRE_external_post { <
} <
} }
table ip firewalld { table ip firewalld {
chain nat_PREROUTING_ZONES_SOURCE { chain nat_PREROUTING_ZONES_SOURCE {
ip saddr 192.168.1.0 goto nat_PRE_external <
ip saddr 192.168.0.0 goto nat_PRE_internal <
} }
chain nat_POSTROUTING_ZONES_SOURCE { chain nat_POSTROUTING_ZONES_SOURCE {
ip daddr 192.168.1.0 goto nat_POST_external <
ip daddr 192.168.0.0 goto nat_POST_internal <
} }
<
chain nat_PRE_internal { <
jump nat_PRE_internal_pre <
jump nat_PRE_internal_log <
jump nat_PRE_internal_deny <
jump nat_PRE_internal_allow <
jump nat_PRE_internal_post <
} <
<
chain nat_PRE_internal_pre { <
} <
<
chain nat_PRE_internal_log { <
} <
<
chain nat_PRE_internal_deny { <
} <
<
chain nat_PRE_internal_allow { <
} <
<
chain nat_PRE_internal_post { <
} <
<
chain nat_POST_internal { <
jump nat_POST_internal_pre <
jump nat_POST_internal_log <
jump nat_POST_internal_deny <
jump nat_POST_internal_allow <
jump nat_POST_internal_post <
} <
<
chain nat_POST_internal_pre { <
} <
<
chain nat_POST_internal_log { <
} <
<
chain nat_POST_internal_deny { <
} <
<
chain nat_POST_internal_allow { <
} <
<
chain nat_POST_internal_post { <
} <
<
chain nat_POST_external { <
jump nat_POST_external_pre <
jump nat_POST_external_log <
jump nat_POST_external_deny <
jump nat_POST_external_allow <
jump nat_POST_external_post <
} <
<
chain nat_POST_external_pre { <
} <
<
chain nat_POST_external_log { <
} <
<
chain nat_POST_external_deny { <
} <
<
chain nat_POST_external_allow { <
oifname != "lo" masquerade <
} <
<
chain nat_POST_external_post { <
} <
<
chain nat_PRE_external { <
jump nat_PRE_external_pre <
jump nat_PRE_external_log <
jump nat_PRE_external_deny <
jump nat_PRE_external_allow <
jump nat_PRE_external_post <
} <
<
chain nat_PRE_external_pre { <
} <
<
chain nat_PRE_external_log { <
} <
<
chain nat_PRE_external_deny { <
} <
<
chain nat_PRE_external_allow { <
} <
<
chain nat_PRE_external_post { <
} <
} }
I cropped the ip6 table as well, because while chains were added there, they are not referenced. (An IPv4 source does not affect IPv6 traffic.)
2. There is only one masquerade (for IPv4), in chain nat_POST_external_allow of table ip firewalld.
Therefore, firewalld does not create redundancies by itself. You must have created them with direct rules.
3. The effective FORWARD filter for outbound traffic is:
Code:
ct state established,related accept ##
ct status dnat accept
iifname "lo" accept
meta l4proto { icmp, ipv6-icmp } accept ##
ct state new,untracked accept ##
ct state invalid drop
reject with icmpx type admin-prohibited
Code:
ct state established,related accept ##
ct status dnat accept
iifname "lo" accept
meta l4proto { icmp, ipv6-icmp } accept ##
ct state invalid drop
reject with icmpx type admin-prohibited
All that looks logical. What else have you done?
Direct rules are not in any zone, but can be listed (except some passthroughs):
Code:
sudo firewall-cmd --permanent --direct --get-all-chains
sudo firewall-cmd --permanent --direct --get-all-rules
sudo firewall-cmd --permanent --direct --get-all-passthroughs
You have changed targets of zones:
Code:
external (active)
target: %%REJECT%%
internal (active)
target: ACCEPT
You can make a backup of those. Then remove them and start from scratch, if needed. (I would.)
I would also first have "ssh http https imap imaps smtp smtps" on the 'external' zone (and no rich rule). Then:
Code:
sudo firewall-cmd --permanent --new-zone-from-file=/etc/firewalld/zones/external.xml --name=friends
sudo firewall-cmd --permanent --zone=friends --add-source=205.166.94.0/24
sudo firewall-cmd --permanent --zone=external --remove-service=ssh
sudo firewall-cmd --reload
Red Hat does describe the use of firewalld in the RHEL online documentation, but that does not add much beyond the man pages.
[edit] Realized that masquerade on a source-only-based zone might be bad. Hence:
Code:
sudo firewall-cmd --permanent --zone=friends --remove-masquerade
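A small audit helper, added here as an example and not part of the post above or of firewalld itself, that answers the "where do the masquerades come from" question on any host: it walks the text of `nft list ruleset` and prints the family, table and chain of every masquerade rule, so a duplicate added through direct rules shows up next to the single one firewalld generates in nat_POST_external_allow. The embedded ruleset is constructed for the demo; placing the direct rule in `table ip nat` / `POSTROUTING` (where iptables-nft would render it) is an assumption.

```shell
#!/bin/sh
# Added audit example (not from the forum post): locate masquerade rules in an
# nftables ruleset and count them. firewalld itself emits exactly one per
# masquerading zone (nat_POST_<zone>_allow), so a count above one points at
# rules added some other way, e.g. via firewall-cmd --direct.

# Print "family table chain" for every masquerade rule read from stdin.
masquerade_locations() {
    awk '
        /^table /        { family = $2; table = $3 }   # e.g. "table ip firewalld {"
        /^[ \t]*chain /  { chain = $2 }                # e.g. "chain nat_POST_external_allow {"
        /masquerade/     { print family, table, chain }
    '
}

# Print the number of masquerade rules read from stdin.
masquerade_count() {
    masquerade_locations | wc -l | tr -d ' '
}

# One-line verdict for a ruleset read from stdin: "ok" when there is at most
# one masquerade, "duplicate" when firewalld's rule has company.
masquerade_verdict() {
    if [ "$(masquerade_count)" -gt 1 ]; then echo duplicate; else echo ok; fi
}

# Constructed sample: what firewalld generates for the external zone, plus a
# hypothetical second masquerade added as a direct rule (assumed location).
SAMPLE_RULESET='table inet firewalld {
	chain filter_FWDO_external_allow {
		ct state new,untracked accept
	}
}
table ip firewalld {
	chain nat_POST_external_allow {
		oifname != "lo" masquerade
	}
	chain nat_POST_internal_allow {
	}
}
table ip nat {
	chain POSTROUTING {
		oifname "eth0" masquerade
	}
}'

# Live use: sudo nft list ruleset | masquerade_locations
printf '%s\n' "$SAMPLE_RULESET" | masquerade_locations
printf '%s\n' "$SAMPLE_RULESET" | masquerade_verdict
```

Pair the verdict with `sysctl net.ipv4.ip_forward`: a masquerade rule with forwarding off does nothing, and forwarding on with no masquerade routes with unrewritten source addresses.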