I have a C8.2 host acting as both server (SMB, dhcp, http) and router between networks. All networks are private, no NAT needed. With firewalld turned off I can easily route traffic between networks (ssh, http, etc). With firewalld on no traffic will route. I have net.ipv4.ip_forward=1 set in /etc/sysctl.d/99-sysctl.conf. Without firewalld running traffic routes fine between eno1 and eno2.
Network block diagram:
[host1:192.168.0.2]----[net1:192.168.0.0/24]-----[(eno1:192.168.0.254/24) C8.2server (eno2:10.0.0.1/24)]-------[net2:10.0.0.0/24]-----[host2:10.0.0.2]
internal (active)
target: default
icmp-block-inversion: no
interfaces: eno1 eno2
sources:
services: cockpit dhcp dhcpv6-client dns freeipa-ldap freeipa-ldaps http https kerberos ldap ldaps mdns ntp rsyncd samba samba-client ssh tftp
ports: 53/tcp 88/udp 464/udp 53/udp 123/udp 138/udp 139/udp 389/udp 445/udp 135/tcp 138/tcp 139/tcp 445/tcp 3268/tcp 1024-1300/tcp 8081/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Adding the below results in failed routing:
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eno1 -o eno2 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eno2 -o eno1 -j ACCEPT
I have also tried the following, which also fails:
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eno1 -o eno2 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eno2 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
I didn't use "permanent" because I'm trying to find what works...which so far is nothing. I don't need NAT because I'm all private and there's a main gateway elsewhere that does NAT for all traffic heading out.
What is the secret to getting routing to work?
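The following is an added checker, not code from the post or from the firewalld project, that reads a zone dump in the format of `firewall-cmd --zone=internal --list-all` (the constructed sample below mirrors the post's zone) together with the ip_forward value and says whether packets entering on one interface may be forwarded out another. It assumes firewalld semantics for zones: services and ports open traffic to the host itself, while a forwarded packet that matches nothing falls through to the zone target, so forwarding across interfaces in one zone passes only when the target is ACCEPT or, on firewalld 0.9 and later, when the zone lists `forward: yes` (that field is absent from the post's dump, consistent with the 0.8 series on C8.2). Direct rules are deliberately not modelled: on the nftables backend they land in the iptables FORWARD chain, and an ACCEPT there does not stop firewalld's own forward chain from being evaluated afterwards, which matches what the post observes.

```shell
#!/bin/sh
# Constructed sample: zone dump in `firewall-cmd --zone=internal --list-all` format.
# On a live host you would capture it instead, e.g.
#   ZONE_DUMP=$(firewall-cmd --zone=internal --list-all)
#   IP_FWD=$(sysctl -n net.ipv4.ip_forward)
SAMPLE_ZONE='internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1 eno2
  sources:
  services: dhcp dns http https ssh
  ports: 53/tcp 53/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# zone_field DUMP KEY: print the value of "KEY: value" from the dump (empty if absent).
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# forward_verdict DUMP IP_FORWARD IN_IF OUT_IF
# Prints a one-line verdict ("allowed ..." or "blocked ...") and returns 0 or 1.
forward_verdict() {
    dump=$1; ipfwd=$2; in_if=$3; out_if=$4

    # 1. The kernel must be forwarding at all.
    if [ "$ipfwd" != "1" ]; then
        echo "blocked ip_forward=$ipfwd"; return 1
    fi

    # 2. Both interfaces must belong to this zone; otherwise the other
    #    interface's zone (typically the default zone) decides instead.
    ifaces=$(zone_field "$dump" interfaces)
    for i in "$in_if" "$out_if"; do
        case " $ifaces " in
            *" $i "*) ;;
            *) echo "blocked interface=$i not in zone"; return 1 ;;
        esac
    done

    # 3. Intra-zone forwarding (firewalld >= 0.9) accepts regardless of target.
    fwd=$(zone_field "$dump" forward)
    if [ "$fwd" = "yes" ]; then
        echo "allowed forward=yes"; return 0
    fi

    # 4. Otherwise the forwarded packet matches no service/port rule (those only
    #    open INPUT) and falls through to the zone target.
    target=$(zone_field "$dump" target)
    if [ "$target" = "ACCEPT" ]; then
        echo "allowed target=ACCEPT"; return 0
    fi
    echo "blocked target=$target forward=${fwd:-absent}"; return 1
}

# Evaluate the post's configuration with ip_forward=1 between eno1 and eno2.
echo "verdict: $(forward_verdict "$SAMPLE_ZONE" 1 eno1 eno2)"
```

For the post's zone the checker reports `blocked target=default forward=absent`, i.e. the zone target, not the interface binding or the sysctl, is what stops forwarding. The two states it accepts are a target of ACCEPT and `forward: yes`; note that ACCEPT as a zone target also admits all unsolicited inbound traffic to the host on eno1 and eno2, not just transit traffic, so it widens the host's exposure well beyond what the routing requirement needs.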