firewall-cmd Port Forwarding Not Reflected In iptables Rules

Issues related to configuring your network
Post Reply
ElToro
Posts: 3
Joined: 2020/03/25 09:48:33

firewall-cmd Port Forwarding Not Reflected In iptables Rules

Post by ElToro » 2020/03/25 10:05:40

I have the following setup in firewall-cmd:

Code: Select all

$ sudo firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s20u1
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: port=1119:proto=tcp:toport=:toaddr=10.0.0.221
	port=1120:proto=tcp:toport=:toaddr=10.0.0.221
	port=3074:proto=udp:toport=:toaddr=10.0.0.221
	port=3097:proto=udp:toport=:toaddr=10.0.0.221
	port=25565:proto=tcp:toport=:toaddr=10.0.0.225
	port=25565:proto=udp:toport=:toaddr=10.0.0.225
	port=19133:proto=udp:toport=:toaddr=10.0.0.225
	port=19132:proto=udp:toport=:toaddr=10.0.0.225
	port=44310:proto=udp:toport=:toaddr=10.0.0.11
	port=44310:proto=tcp:toport=:toaddr=10.0.0.11
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources: 
  services: dhcp dhcpv6 dns ssh tftp
  ports: 
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule priority="32767" reject

public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
After adding the port forwarding, I set the runtime to permanent and reloaded (I even rebooted and checked the firewall-cmd external zone again):

Code: Select all

sudo firewall-cmd --runtime-to-permanent
sudo firewall-cmd --reload 
The port forwarding in the external zone is not reflected in iptables:

Code: Select all

$ sudo iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp2s0 -o enp0s20u1 -j ACCEPT
-A FORWARD -i enp0s20u1 -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT

$ sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -o enp0s20u1 -j MASQUERADE

$ sudo iptables -t mangle -S
[sudo] password for router: 
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
I am fairly new to firewall-cmd, so I am surely missing something. Any help much appreciated :)

User avatar
TrevorH
Forum Moderator
Posts: 28033
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewall-cmd Port Forwarding Not Reflected In iptables Rules

Post by TrevorH » 2020/03/25 10:18:07

Post the output from iptables-save
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

ElToro
Posts: 3
Joined: 2020/03/25 09:48:33

Re: firewall-cmd Port Forwarding Not Reflected In iptables Rules

Post by ElToro » 2020/03/25 10:26:35

Here it is:

Code: Select all

$ sudo iptables-save
# Generated by xtables-save v1.8.2 on Fri Jun 22 13:39:49 2018
*filter
:INPUT ACCEPT [1453:144537]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [657:95445]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp2s0 -o enp0s20u1 -j ACCEPT
-A FORWARD -i enp0s20u1 -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Fri Jun 22 13:39:49 2018
# Generated by xtables-save v1.8.2 on Fri Jun 22 13:39:49 2018
*security
:INPUT ACCEPT [710:59690]
:FORWARD ACCEPT [522067:261313053]
:OUTPUT ACCEPT [657:95445]
COMMIT
# Completed on Fri Jun 22 13:39:49 2018
# Generated by xtables-save v1.8.2 on Fri Jun 22 13:39:49 2018
*raw
:PREROUTING ACCEPT [523747:261473806]
:OUTPUT ACCEPT [657:95445]
COMMIT
# Completed on Fri Jun 22 13:39:49 2018
# Generated by xtables-save v1.8.2 on Fri Jun 22 13:39:49 2018
*mangle
:PREROUTING ACCEPT [523747:261473806]
:INPUT ACCEPT [1453:144537]
:FORWARD ACCEPT [522215:261321682]
:OUTPUT ACCEPT [657:95445]
:POSTROUTING ACCEPT [522752:261412420]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Jun 22 13:39:49 2018
# Generated by xtables-save v1.8.2 on Fri Jun 22 13:39:49 2018
*nat
:PREROUTING ACCEPT [2863:256561]
:INPUT ACCEPT [37:4015]
:POSTROUTING ACCEPT [10:597]
:OUTPUT ACCEPT [26:1665]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -o enp0s20u1 -j MASQUERADE
COMMIT
# Completed on Fri Jun 22 13:39:49 2018
# Table `firewalld' is incompatible, use 'nft' tool.
The changes via firewall-cmd were made today, so these are only old changes...

User avatar
jlehtone
Posts: 2589
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewall-cmd Port Forwarding Not Reflected In iptables Rules

Post by jlehtone » 2020/03/25 14:50:10

CentOS 8 does not have "iptables" in the kernel. Kernel has only "nftables".

The userland tool to see nftables content is "nft". Firewalld uses nft to write nftables rules.

Code: Select all

sudo nft list ruleset
There is still tool "iptables" but it is just a wrapper for nft. Firewalld and iptables do not write to same tables.

User avatar
TrevorH
Forum Moderator
Posts: 28033
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewall-cmd Port Forwarding Not Reflected In iptables Rules

Post by TrevorH » 2020/03/25 15:20:58

But iptables-save looks at nftables and should show the rules (but didn't in this case). In fact none of the iptables-save rules looked like they were in firewall-cmd output - they apepar to be totally disconnected which is odd.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

User avatar
jlehtone
Posts: 2589
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewall-cmd Port Forwarding Not Reflected In iptables Rules

Post by jlehtone » 2020/03/25 15:42:30

If you boot with no firewalling service, then nftables will have no tables in it.

If you then run a simple "iptables -S" to read, it will create (empty) tables, where the wrapper would add iptables-syntax rules.

When firewalld starts, it does create these tables:

Code: Select all

table ip filter
table ip6 filter
table bridge filter
table ip security
table ip raw
table ip mangle
table ip nat
table ip6 security
table ip6 raw
table ip6 mangle
table ip6 nat
table bridge nat
table inet firewalld
table ip firewalld
table ip6 firewalld
The last three tables are for "regular" firewalld-content. The other are tables are same, which the wrapper writes to, because firewall-cmd still uses the wrapper to inject "direct" and "passthrough" rules with iptables.

Two things:
1. What a mess.

2. Multiple tables can have a chain for same hook, like "forward filter". Chains have priority. I can't grok from the nftables documentation how that is supposed to function.

Code: Select all

table ip filter {
	chain FORWARD {
		type filter hook forward priority 0; policy accept;

table ip6 filter {
	chain FORWARD {
		type filter hook forward priority 0; policy accept;

table bridge filter {
	chain FORWARD {
		type filter hook forward priority -200; policy accept;

table ip security {
	chain FORWARD {
		type filter hook forward priority 150; policy accept;

table ip mangle {
	chain FORWARD {
		type filter hook forward priority -150; policy accept;

table ip6 security {
	chain FORWARD {
		type filter hook forward priority 150; policy accept;

table ip6 mangle {
	chain FORWARD {
		type filter hook forward priority -150; policy accept;

table inet firewalld {
	chain filter_FORWARD {
		type filter hook forward priority 10; policy accept;

ElToro
Posts: 3
Joined: 2020/03/25 09:48:33

Re: firewall-cmd Port Forwarding Not Reflected In iptables Rules

Post by ElToro » 2020/03/25 18:53:43

jlehtone wrote:
2020/03/25 14:50:10
CentOS 8 does not have "iptables" in the kernel. Kernel has only "nftables".

The userland tool to see nftables content is "nft". Firewalld uses nft to write nftables rules.

Code: Select all

sudo nft list ruleset
There is still tool "iptables" but it is just a wrapper for nft. Firewalld and iptables do not write to same tables.
The output from nft list ruleset contains forwarding rules:

Code: Select all

table ip firewalld {
	...
	chain nat_PRE_external_allow {
		tcp dport 1119 dnat to 10.0.0.221
		tcp dport 1120 dnat to 10.0.0.221
		udp dport 3074 dnat to 10.0.0.221
		udp dport 3097 dnat to 10.0.0.221
		tcp dport 25565 dnat to 10.0.0.225
		udp dport 25565 dnat to 10.0.0.225
		udp dport 19133 dnat to 10.0.0.225
		udp dport 19132 dnat to 10.0.0.225
		udp dport 44310 dnat to 10.0.0.11
		tcp dport 44310 dnat to 10.0.0.11
	}
        ...
The whole output:

Code: Select all

$ sudo nft list ruleset
[sudo] password for router: 
table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
		iifname "virbr0" meta l4proto udp udp dport 53 counter packets 0 bytes 0 accept
		iifname "virbr0" meta l4proto tcp tcp dport 53 counter packets 0 bytes 0 accept
		iifname "virbr0" meta l4proto udp udp dport 67 counter packets 0 bytes 0 accept
		iifname "virbr0" meta l4proto tcp tcp dport 67 counter packets 0 bytes 0 accept
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
		oifname "virbr0" ip daddr 192.168.122.0/24 ct state related,established counter packets 0 bytes 0 accept
		iifname "virbr0" ip saddr 192.168.122.0/24 counter packets 0 bytes 0 accept
		iifname "virbr0" oifname "virbr0" counter packets 0 bytes 0 accept
		oifname "virbr0" counter packets 0 bytes 0 reject
		iifname "virbr0" counter packets 0 bytes 0 reject
		iifname "enp2s0" oifname "enp0s20u1" counter packets 7895279 bytes 1672143468 accept
		iifname "enp0s20u1" oifname "enp2s0" ct state related,established counter packets 10465407 bytes 11327638201 accept
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
		oifname "virbr0" meta l4proto udp udp dport 68 counter packets 0 bytes 0 accept
	}
}
table ip6 filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
	}
}
table bridge filter {
	chain INPUT {
		type filter hook input priority -200; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority -200; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority -200; policy accept;
	}
}
table ip security {
	chain INPUT {
		type filter hook input priority 150; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 150; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 150; policy accept;
	}
}
table ip raw {
	chain PREROUTING {
		type filter hook prerouting priority -300; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority -300; policy accept;
	}
}
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority -150; policy accept;
	}

	chain INPUT {
		type filter hook input priority -150; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority -150; policy accept;
	}

	chain OUTPUT {
		type route hook output priority -150; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority -150; policy accept;
		oifname "virbr0" meta l4proto udp udp dport 68 counter packets 0 bytes 0 # CHECKSUM fill
	}
}
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority -100; policy accept;
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority 100; policy accept;
		ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 2 bytes 159 return
		ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
		meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535 
		meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535 
		ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade 
		oifname "enp0s20u1" counter packets 31391 bytes 3415807 masquerade 
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}
}
table ip6 security {
	chain INPUT {
		type filter hook input priority 150; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 150; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 150; policy accept;
	}
}
table ip6 raw {
	chain PREROUTING {
		type filter hook prerouting priority -300; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority -300; policy accept;
	}
}
table ip6 mangle {
	chain PREROUTING {
		type filter hook prerouting priority -150; policy accept;
	}

	chain INPUT {
		type filter hook input priority -150; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority -150; policy accept;
	}

	chain OUTPUT {
		type route hook output priority -150; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority -150; policy accept;
	}
}
table ip6 nat {
	chain PREROUTING {
		type nat hook prerouting priority -100; policy accept;
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority 100; policy accept;
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}
}
table bridge nat {
	chain PREROUTING {
		type filter hook prerouting priority -300; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 100; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority 300; policy accept;
	}
}
table inet firewalld {
	ct helper helper-tftp-udp {
		type "tftp" protocol udp

		l3proto inet
	}

	ct helper helper-netbios-ns-udp {
		type "netbios-ns" protocol udp

		l3proto ip
	}

	chain raw_PREROUTING {
		type filter hook prerouting priority -290; policy accept;
		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
		meta nfproto ipv6 fib saddr . iif oif missing drop
		jump raw_PREROUTING_ZONES
	}

	chain raw_PREROUTING_ZONES {
		iifname "enp2s0" goto raw_PRE_internal
		iifname "enp0s20u1" goto raw_PRE_external
		iifname "virbr0" goto raw_PRE_libvirt
		goto raw_PRE_public
	}

	chain mangle_PREROUTING {
		type filter hook prerouting priority -140; policy accept;
		jump mangle_PREROUTING_ZONES
	}

	chain mangle_PREROUTING_ZONES {
		iifname "enp2s0" goto mangle_PRE_internal
		iifname "enp0s20u1" goto mangle_PRE_external
		iifname "virbr0" goto mangle_PRE_libvirt
		goto mangle_PRE_public
	}

	chain filter_INPUT {
		type filter hook input priority 10; policy accept;
		ct state established,related accept
		ct status dnat accept
		iifname "lo" accept
		jump filter_INPUT_ZONES
		ct state invalid drop
		reject with icmpx type admin-prohibited
	}

	chain filter_FORWARD {
		type filter hook forward priority 10; policy accept;
		ct state established,related accept
		ct status dnat accept
		iifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
		jump filter_FORWARD_IN_ZONES
		jump filter_FORWARD_OUT_ZONES
		ct state invalid drop
		reject with icmpx type admin-prohibited
	}

	chain filter_OUTPUT {
		type filter hook output priority 10; policy accept;
		oifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
	}

	chain filter_INPUT_ZONES {
		iifname "enp2s0" goto filter_IN_internal
		iifname "enp0s20u1" goto filter_IN_external
		iifname "virbr0" goto filter_IN_libvirt
		goto filter_IN_public
	}

	chain filter_FORWARD_IN_ZONES {
		iifname "enp2s0" goto filter_FWDI_internal
		iifname "enp0s20u1" goto filter_FWDI_external
		iifname "virbr0" goto filter_FWDI_libvirt
		goto filter_FWDI_public
	}

	chain filter_FORWARD_OUT_ZONES {
		oifname "enp2s0" goto filter_FWDO_internal
		oifname "enp0s20u1" goto filter_FWDO_external
		oifname "virbr0" goto filter_FWDO_libvirt
		goto filter_FWDO_public
	}

	chain raw_PRE_libvirt {
		jump raw_PRE_libvirt_pre
		jump raw_PRE_libvirt_log
		jump raw_PRE_libvirt_deny
		jump raw_PRE_libvirt_allow
		jump raw_PRE_libvirt_post
	}

	chain raw_PRE_libvirt_pre {
	}

	chain raw_PRE_libvirt_log {
	}

	chain raw_PRE_libvirt_deny {
	}

	chain raw_PRE_libvirt_allow {
	}

	chain raw_PRE_libvirt_post {
	}

	chain filter_IN_libvirt {
		jump filter_IN_libvirt_pre
		jump filter_IN_libvirt_log
		jump filter_IN_libvirt_deny
		jump filter_IN_libvirt_allow
		jump filter_IN_libvirt_post
		accept
	}

	chain filter_IN_libvirt_pre {
	}

	chain filter_IN_libvirt_log {
	}

	chain filter_IN_libvirt_deny {
	}

	chain filter_IN_libvirt_allow {
		udp dport bootps ct state new,untracked accept
		udp dport dhcpv6-server ct state new,untracked accept
		tcp dport domain ct state new,untracked accept
		udp dport domain ct state new,untracked accept
		tcp dport ssh ct state new,untracked accept
		udp dport tftp ct helper set "helper-tftp-udp"
		udp dport tftp ct state new,untracked accept
		meta l4proto icmp ct state new,untracked accept
		meta l4proto ipv6-icmp ct state new,untracked accept
	}

	chain filter_IN_libvirt_post {
		reject
	}

	chain mangle_PRE_libvirt {
		jump mangle_PRE_libvirt_pre
		jump mangle_PRE_libvirt_log
		jump mangle_PRE_libvirt_deny
		jump mangle_PRE_libvirt_allow
		jump mangle_PRE_libvirt_post
	}

	chain mangle_PRE_libvirt_pre {
	}

	chain mangle_PRE_libvirt_log {
	}

	chain mangle_PRE_libvirt_deny {
	}

	chain mangle_PRE_libvirt_allow {
	}

	chain mangle_PRE_libvirt_post {
	}

	chain filter_FWDI_libvirt {
		jump filter_FWDI_libvirt_pre
		jump filter_FWDI_libvirt_log
		jump filter_FWDI_libvirt_deny
		jump filter_FWDI_libvirt_allow
		jump filter_FWDI_libvirt_post
		accept
	}

	chain filter_FWDI_libvirt_pre {
	}

	chain filter_FWDI_libvirt_log {
	}

	chain filter_FWDI_libvirt_deny {
	}

	chain filter_FWDI_libvirt_allow {
	}

	chain filter_FWDI_libvirt_post {
	}

	chain filter_FWDO_libvirt {
		jump filter_FWDO_libvirt_pre
		jump filter_FWDO_libvirt_log
		jump filter_FWDO_libvirt_deny
		jump filter_FWDO_libvirt_allow
		jump filter_FWDO_libvirt_post
		accept
	}

	chain filter_FWDO_libvirt_pre {
	}

	chain filter_FWDO_libvirt_log {
	}

	chain filter_FWDO_libvirt_deny {
	}

	chain filter_FWDO_libvirt_allow {
	}

	chain filter_FWDO_libvirt_post {
	}

	chain raw_PRE_public {
		jump raw_PRE_public_pre
		jump raw_PRE_public_log
		jump raw_PRE_public_deny
		jump raw_PRE_public_allow
		jump raw_PRE_public_post
	}

	chain raw_PRE_public_pre {
	}

	chain raw_PRE_public_log {
	}

	chain raw_PRE_public_deny {
	}

	chain raw_PRE_public_allow {
	}

	chain raw_PRE_public_post {
	}

	chain filter_IN_public {
		jump filter_IN_public_pre
		jump filter_IN_public_log
		jump filter_IN_public_deny
		jump filter_IN_public_allow
		jump filter_IN_public_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_IN_public_pre {
	}

	chain filter_IN_public_log {
	}

	chain filter_IN_public_deny {
	}

	chain filter_IN_public_allow {
		tcp dport ssh ct state new,untracked accept
		ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
		tcp dport 9090 ct state new,untracked accept
	}

	chain filter_IN_public_post {
	}

	chain filter_FWDI_public {
		jump filter_FWDI_public_pre
		jump filter_FWDI_public_log
		jump filter_FWDI_public_deny
		jump filter_FWDI_public_allow
		jump filter_FWDI_public_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_FWDI_public_pre {
	}

	chain filter_FWDI_public_log {
	}

	chain filter_FWDI_public_deny {
	}

	chain filter_FWDI_public_allow {
	}

	chain filter_FWDI_public_post {
	}

	chain mangle_PRE_public {
		jump mangle_PRE_public_pre
		jump mangle_PRE_public_log
		jump mangle_PRE_public_deny
		jump mangle_PRE_public_allow
		jump mangle_PRE_public_post
	}

	chain mangle_PRE_public_pre {
	}

	chain mangle_PRE_public_log {
	}

	chain mangle_PRE_public_deny {
	}

	chain mangle_PRE_public_allow {
	}

	chain mangle_PRE_public_post {
	}

	chain filter_FWDO_public {
		jump filter_FWDO_public_pre
		jump filter_FWDO_public_log
		jump filter_FWDO_public_deny
		jump filter_FWDO_public_allow
		jump filter_FWDO_public_post
	}

	chain filter_FWDO_public_pre {
	}

	chain filter_FWDO_public_log {
	}

	chain filter_FWDO_public_deny {
	}

	chain filter_FWDO_public_allow {
	}

	chain filter_FWDO_public_post {
	}

	chain raw_PRE_external {
		jump raw_PRE_external_pre
		jump raw_PRE_external_log
		jump raw_PRE_external_deny
		jump raw_PRE_external_allow
		jump raw_PRE_external_post
	}

	chain raw_PRE_external_pre {
	}

	chain raw_PRE_external_log {
	}

	chain raw_PRE_external_deny {
	}

	chain raw_PRE_external_allow {
	}

	chain raw_PRE_external_post {
	}

	chain filter_IN_external {
		jump filter_IN_external_pre
		jump filter_IN_external_log
		jump filter_IN_external_deny
		jump filter_IN_external_allow
		jump filter_IN_external_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_IN_external_pre {
	}

	chain filter_IN_external_log {
	}

	chain filter_IN_external_deny {
	}

	chain filter_IN_external_allow {
		tcp dport ssh ct state new,untracked accept
	}

	chain filter_IN_external_post {
	}

	chain filter_FWDO_external {
		jump filter_FWDO_external_pre
		jump filter_FWDO_external_log
		jump filter_FWDO_external_deny
		jump filter_FWDO_external_allow
		jump filter_FWDO_external_post
	}

	chain filter_FWDO_external_pre {
	}

	chain filter_FWDO_external_log {
	}

	chain filter_FWDO_external_deny {
	}

	chain filter_FWDO_external_allow {
		ct state new,untracked accept
	}

	chain filter_FWDO_external_post {
	}

	chain filter_FWDI_external {
		jump filter_FWDI_external_pre
		jump filter_FWDI_external_log
		jump filter_FWDI_external_deny
		jump filter_FWDI_external_allow
		jump filter_FWDI_external_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_FWDI_external_pre {
	}

	chain filter_FWDI_external_log {
	}

	chain filter_FWDI_external_deny {
	}

	chain filter_FWDI_external_allow {
	}

	chain filter_FWDI_external_post {
	}

	chain mangle_PRE_external {
		jump mangle_PRE_external_pre
		jump mangle_PRE_external_log
		jump mangle_PRE_external_deny
		jump mangle_PRE_external_allow
		jump mangle_PRE_external_post
	}

	chain mangle_PRE_external_pre {
	}

	chain mangle_PRE_external_log {
	}

	chain mangle_PRE_external_deny {
	}

	chain mangle_PRE_external_allow {
	}

	chain mangle_PRE_external_post {
	}

	chain raw_PRE_internal {
		jump raw_PRE_internal_pre
		jump raw_PRE_internal_log
		jump raw_PRE_internal_deny
		jump raw_PRE_internal_allow
		jump raw_PRE_internal_post
	}

	chain raw_PRE_internal_pre {
	}

	chain raw_PRE_internal_log {
	}

	chain raw_PRE_internal_deny {
	}

	chain raw_PRE_internal_allow {
	}

	chain raw_PRE_internal_post {
	}

	chain filter_IN_internal {
		jump filter_IN_internal_pre
		jump filter_IN_internal_log
		jump filter_IN_internal_deny
		jump filter_IN_internal_allow
		jump filter_IN_internal_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_IN_internal_pre {
	}

	chain filter_IN_internal_log {
	}

	chain filter_IN_internal_deny {
	}

	chain filter_IN_internal_allow {
		tcp dport ssh ct state new,untracked accept
		ip daddr 224.0.0.251 udp dport mdns ct state new,untracked accept
		ip6 daddr ff02::fb udp dport mdns ct state new,untracked accept
		udp dport netbios-ns ct helper set "helper-netbios-ns-udp"
		udp dport netbios-ns ct state new,untracked accept
		udp dport netbios-dgm ct state new,untracked accept
		ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
		tcp dport 9090 ct state new,untracked accept
	}

	chain filter_IN_internal_post {
	}

	chain filter_FWDI_internal {
		jump filter_FWDI_internal_pre
		jump filter_FWDI_internal_log
		jump filter_FWDI_internal_deny
		jump filter_FWDI_internal_allow
		jump filter_FWDI_internal_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_FWDI_internal_pre {
	}

	chain filter_FWDI_internal_log {
	}

	chain filter_FWDI_internal_deny {
	}

	chain filter_FWDI_internal_allow {
	}

	chain filter_FWDI_internal_post {
	}

	chain mangle_PRE_internal {
		jump mangle_PRE_internal_pre
		jump mangle_PRE_internal_log
		jump mangle_PRE_internal_deny
		jump mangle_PRE_internal_allow
		jump mangle_PRE_internal_post
	}

	chain mangle_PRE_internal_pre {
	}

	chain mangle_PRE_internal_log {
	}

	chain mangle_PRE_internal_deny {
	}

	chain mangle_PRE_internal_allow {
	}

	chain mangle_PRE_internal_post {
	}

	chain filter_FWDO_internal {
		jump filter_FWDO_internal_pre
		jump filter_FWDO_internal_log
		jump filter_FWDO_internal_deny
		jump filter_FWDO_internal_allow
		jump filter_FWDO_internal_post
	}

	chain filter_FWDO_internal_pre {
	}

	chain filter_FWDO_internal_log {
	}

	chain filter_FWDO_internal_deny {
	}

	chain filter_FWDO_internal_allow {
	}

	chain filter_FWDO_internal_post {
	}
}
table ip firewalld {
	chain nat_PREROUTING {
		type nat hook prerouting priority -90; policy accept;
		jump nat_PREROUTING_ZONES
	}

	chain nat_PREROUTING_ZONES {
		iifname "enp2s0" goto nat_PRE_internal
		iifname "enp0s20u1" goto nat_PRE_external
		iifname "virbr0" goto nat_PRE_libvirt
		goto nat_PRE_public
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority 110; policy accept;
		jump nat_POSTROUTING_ZONES
	}

	chain nat_POSTROUTING_ZONES {
		oifname "enp2s0" goto nat_POST_internal
		oifname "enp0s20u1" goto nat_POST_external
		oifname "virbr0" goto nat_POST_libvirt
		goto nat_POST_public
	}

	chain nat_PRE_libvirt {
		jump nat_PRE_libvirt_pre
		jump nat_PRE_libvirt_log
		jump nat_PRE_libvirt_deny
		jump nat_PRE_libvirt_allow
		jump nat_PRE_libvirt_post
	}

	chain nat_PRE_libvirt_pre {
	}

	chain nat_PRE_libvirt_log {
	}

	chain nat_PRE_libvirt_deny {
	}

	chain nat_PRE_libvirt_allow {
	}

	chain nat_PRE_libvirt_post {
	}

	chain nat_POST_libvirt {
		jump nat_POST_libvirt_pre
		jump nat_POST_libvirt_log
		jump nat_POST_libvirt_deny
		jump nat_POST_libvirt_allow
		jump nat_POST_libvirt_post
	}

	chain nat_POST_libvirt_pre {
	}

	chain nat_POST_libvirt_log {
	}

	chain nat_POST_libvirt_deny {
	}

	chain nat_POST_libvirt_allow {
	}

	chain nat_POST_libvirt_post {
	}

	chain nat_PRE_public {
		jump nat_PRE_public_pre
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
		jump nat_PRE_public_post
	}

	chain nat_PRE_public_pre {
	}

	chain nat_PRE_public_log {
	}

	chain nat_PRE_public_deny {
	}

	chain nat_PRE_public_allow {
	}

	chain nat_PRE_public_post {
	}

	chain nat_POST_public {
		jump nat_POST_public_pre
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
		jump nat_POST_public_post
	}

	chain nat_POST_public_pre {
	}

	chain nat_POST_public_log {
	}

	chain nat_POST_public_deny {
	}

	chain nat_POST_public_allow {
	}

	chain nat_POST_public_post {
	}

	chain nat_POST_external {
		jump nat_POST_external_pre
		jump nat_POST_external_log
		jump nat_POST_external_deny
		jump nat_POST_external_allow
		jump nat_POST_external_post
	}

	chain nat_POST_external_pre {
	}

	chain nat_POST_external_log {
	}

	chain nat_POST_external_deny {
	}

	chain nat_POST_external_allow {
		oifname != "lo" masquerade
	}

	chain nat_POST_external_post {
	}

	chain nat_PRE_external {
		jump nat_PRE_external_pre
		jump nat_PRE_external_log
		jump nat_PRE_external_deny
		jump nat_PRE_external_allow
		jump nat_PRE_external_post
	}

	chain nat_PRE_external_pre {
	}

	chain nat_PRE_external_log {
	}

	chain nat_PRE_external_deny {
	}

	chain nat_PRE_external_allow {
		tcp dport 1119 dnat to 10.0.0.221
		tcp dport 1120 dnat to 10.0.0.221
		udp dport 3074 dnat to 10.0.0.221
		udp dport 3097 dnat to 10.0.0.221
		tcp dport 25565 dnat to 10.0.0.225
		udp dport 25565 dnat to 10.0.0.225
		udp dport 19133 dnat to 10.0.0.225
		udp dport 19132 dnat to 10.0.0.225
		udp dport 44310 dnat to 10.0.0.11
		tcp dport 44310 dnat to 10.0.0.11
	}

	chain nat_PRE_external_post {
	}

	chain nat_PRE_internal {
		jump nat_PRE_internal_pre
		jump nat_PRE_internal_log
		jump nat_PRE_internal_deny
		jump nat_PRE_internal_allow
		jump nat_PRE_internal_post
	}

	chain nat_PRE_internal_pre {
	}

	chain nat_PRE_internal_log {
	}

	chain nat_PRE_internal_deny {
	}

	chain nat_PRE_internal_allow {
	}

	chain nat_PRE_internal_post {
	}

	chain nat_POST_internal {
		jump nat_POST_internal_pre
		jump nat_POST_internal_log
		jump nat_POST_internal_deny
		jump nat_POST_internal_allow
		jump nat_POST_internal_post
	}

	chain nat_POST_internal_pre {
	}

	chain nat_POST_internal_log {
	}

	chain nat_POST_internal_deny {
	}

	chain nat_POST_internal_allow {
	}

	chain nat_POST_internal_post {
	}
}
table ip6 firewalld {
	chain nat_PREROUTING {
		type nat hook prerouting priority -90; policy accept;
		jump nat_PREROUTING_ZONES
	}

	chain nat_PREROUTING_ZONES {
		iifname "enp2s0" goto nat_PRE_internal
		iifname "enp0s20u1" goto nat_PRE_external
		iifname "virbr0" goto nat_PRE_libvirt
		goto nat_PRE_public
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority 110; policy accept;
		jump nat_POSTROUTING_ZONES
	}

	chain nat_POSTROUTING_ZONES {
		oifname "enp2s0" goto nat_POST_internal
		oifname "enp0s20u1" goto nat_POST_external
		oifname "virbr0" goto nat_POST_libvirt
		goto nat_POST_public
	}

	chain nat_PRE_libvirt {
		jump nat_PRE_libvirt_pre
		jump nat_PRE_libvirt_log
		jump nat_PRE_libvirt_deny
		jump nat_PRE_libvirt_allow
		jump nat_PRE_libvirt_post
	}

	chain nat_PRE_libvirt_pre {
	}

	chain nat_PRE_libvirt_log {
	}

	chain nat_PRE_libvirt_deny {
	}

	chain nat_PRE_libvirt_allow {
	}

	chain nat_PRE_libvirt_post {
	}

	chain nat_POST_libvirt {
		jump nat_POST_libvirt_pre
		jump nat_POST_libvirt_log
		jump nat_POST_libvirt_deny
		jump nat_POST_libvirt_allow
		jump nat_POST_libvirt_post
	}

	chain nat_POST_libvirt_pre {
	}

	chain nat_POST_libvirt_log {
	}

	chain nat_POST_libvirt_deny {
	}

	chain nat_POST_libvirt_allow {
	}

	chain nat_POST_libvirt_post {
	}

	chain nat_PRE_public {
		jump nat_PRE_public_pre
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
		jump nat_PRE_public_post
	}

	chain nat_PRE_public_pre {
	}

	chain nat_PRE_public_log {
	}

	chain nat_PRE_public_deny {
	}

	chain nat_PRE_public_allow {
	}

	chain nat_PRE_public_post {
	}

	chain nat_POST_public {
		jump nat_POST_public_pre
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
		jump nat_POST_public_post
	}

	chain nat_POST_public_pre {
	}

	chain nat_POST_public_log {
	}

	chain nat_POST_public_deny {
	}

	chain nat_POST_public_allow {
	}

	chain nat_POST_public_post {
	}

	chain nat_POST_external {
		jump nat_POST_external_pre
		jump nat_POST_external_log
		jump nat_POST_external_deny
		jump nat_POST_external_allow
		jump nat_POST_external_post
	}

	chain nat_POST_external_pre {
	}

	chain nat_POST_external_log {
	}

	chain nat_POST_external_deny {
	}

	chain nat_POST_external_allow {
		oifname != "lo" masquerade
	}

	chain nat_POST_external_post {
	}

	chain nat_PRE_external {
		jump nat_PRE_external_pre
		jump nat_PRE_external_log
		jump nat_PRE_external_deny
		jump nat_PRE_external_allow
		jump nat_PRE_external_post
	}

	chain nat_PRE_external_pre {
	}

	chain nat_PRE_external_log {
	}

	chain nat_PRE_external_deny {
	}

	chain nat_PRE_external_allow {
	}

	chain nat_PRE_external_post {
	}

	chain nat_PRE_internal {
		jump nat_PRE_internal_pre
		jump nat_PRE_internal_log
		jump nat_PRE_internal_deny
		jump nat_PRE_internal_allow
		jump nat_PRE_internal_post
	}

	chain nat_PRE_internal_pre {
	}

	chain nat_PRE_internal_log {
	}

	chain nat_PRE_internal_deny {
	}

	chain nat_PRE_internal_allow {
	}

	chain nat_PRE_internal_post {
	}

	chain nat_POST_internal {
		jump nat_POST_internal_pre
		jump nat_POST_internal_log
		jump nat_POST_internal_deny
		jump nat_POST_internal_allow
		jump nat_POST_internal_post
	}

	chain nat_POST_internal_pre {
	}

	chain nat_POST_internal_log {
	}

	chain nat_POST_internal_deny {
	}

	chain nat_POST_internal_allow {
	}

	chain nat_POST_internal_post {
	}
}

Post Reply

Return to “CentOS 8 - Networking Support”