This was the procedure I started this morning. It's probably something I should start after work.
I removed firewalld and rebooted the system.
I had two files in /etc/nftables that looked like this:
nftables_firewall.nft:
    #!/usr/sbin/nft -f
    # firewall
    table ip filter {
        # allow all packets sent by the firewall machine itself
        chain output {
            type filter hook output priority 100; policy accept;
        }
        # allow LAN to firewall, disallow WAN to firewall
        chain input {
            type filter hook input priority 0; policy accept;
            iifname "enp2s0" accept
            iifname "enp3s0" drop
        }
        # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
        chain forward {
            type filter hook forward priority 0; policy drop;
            iifname "enp2s0" oifname "enp3s0" accept
            iifname "enp3s0" oifname "enp2s0" ct state related,established accept
        }
    }
nftables_nat.nft:
    #!/usr/sbin/nft -f
    # NAT
    table ip nat {
        chain prerouting {
            type nat hook prerouting priority 0; policy accept;
        }
        # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
        chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            oifname "enp3s0" masquerade
        }
    }
I enabled forwarding manually by adding an entry to /etc/sysctl.d named 10-forwarding.conf to enable ip_forwarding.
I also added these two files to the /etc/sysconfig.d/nftables.conf file so they would load on boot. I then rebooted.
After reboot, I could see that IP forwarding was enabled, and my phone (on wifi) could access the Internet.
I realized I had run out of time, so I didn't get a chance to really test things upstairs, but the one thing that did not work was that the server didn't have any access to the Internet after I did this. ping 8.8.8.8 failed, etc. But my phone (downstairs) could get to the Internet, so that's cool, maybe? It's also possible that my phone was detecting no Internet access and switching to cellular. Will test this more tonight.
Regarding "zone drift": yes, possibly. I don't know whether "zone drift" was allowing me to do something before, and then they locked it up, so that loophole is what's causing me issues, or not. But in firewalld.conf there's a switch called "AllowZoneDrifting" which, when enabled, does not fix my problem. There's also another feature called "AutomaticHelpers" which now defaults to "system", but I've also tried "yes" and "no", which did nothing.
It's also possible that "AllowZoneDrifting" might be in the .conf file but not in 0.7.0_5, because on the firewalld.org page they talk about removing the feature in one set of versions, which broke a lot of firewalls, so they added it back in as an option, but people need to move away from zone drifting because it breaks the firewall security.
It doesn't seem like my simple use case, if configured properly, would bump up against "zone drifting" seeing as I have two zones, and they're very clearly delimited: internal is inside, external is outside. Two physical interfaces.
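An added example (not from the post above) showing the likely cause of the symptom reported, "the server didn't have any access to the Internet": the posted input chain drops every packet arriving on enp3s0, which includes the replies to connections the firewall itself opens, so ping 8.8.8.8 from the box gets no answer. The ruleset below keeps the same LAN/WAN layout (enp2s0 = LAN, enp3s0 = WAN, assumed from the posted files) as a single file, and accepts established/related traffic on input before the WAN drop; the chain policy is also switched to drop so anything not explicitly allowed is rejected by default.

```nft
#!/usr/sbin/nft -f
# Added example, not the original poster's configuration.
# Assumed interfaces: enp2s0 = LAN, enp3s0 = WAN.
# One combined file: "flush ruleset" would wipe a second file's tables
# if they were loaded separately, so filter and nat live together here.

flush ruleset

table ip filter {
    # packets sent by the firewall itself are allowed out
    chain output {
        type filter hook output priority 100; policy accept;
    }

    # default-deny on input; only what is listed below gets through
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept                        # local processes
        iifname "enp2s0" accept                # LAN may reach the firewall
        ct state established,related accept   # replies to the firewall's own
                                              # outbound traffic (ping, dns, dnf)
        ct state invalid drop                 # packets conntrack cannot place
        # everything else arriving from WAN falls through to the drop policy
    }

    # LAN -> WAN freely; WAN -> LAN only for connections LAN initiated
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "enp2s0" oifname "enp3s0" accept
        iifname "enp3s0" oifname "enp2s0" ct state established,related accept
        ct state invalid drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    # after routing, rewrite the source of WAN-bound packets to the WAN address
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "enp3s0" masquerade
    }
}
```

Validate the syntax without applying it using `nft -c -f <file>`, then load it and confirm `ping 8.8.8.8` from the firewall succeeds while `nft list ruleset` shows the WAN-side input still limited to established/related traffic.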