Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

amarand
Posts: 38
Joined: 2006/09/12 19:09:07
Location: Columbus, Ohio, USA

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by amarand » 2020/05/01 13:38:19

jlehtone wrote:
2020/05/01 13:09:25
You have made changes to both. Some are obvious, but not all.

What is the goal of external rich rule:

rule family="ipv4" source address="205.166.94.0/24" service name="ssh" log level="notice" accept
The glaring issue though is that both zones have:
masquerade: yes
Ahh okay, so the external rich rule allows a single network to access my server via SSH. I was sick of being attacked by Russia and China all day, so I just limited it to a single external network. It solved a lot of issues; all other SSH connections are just dropped.

I believe, as a part of my late-night troubleshooting attempts this week, I accidentally enabled masquerade on the Internal interface, as well. I checked my configuration settings from back when I first configured the working Firewalld, and I had only enabled masquerade on the External interface. I have since disabled masquerade on the Internal interface, and completed a full reboot to make sure everything cleared out.

(I've been trying to fix this issue literally all week, until midnight or later, so I'm getting very frustrated [and physically tired] with how non-intuitive things are in CentOS 8.1 relating to Firewalld, and iptables versus nftables, and the lack of clear how-to documentation to set up a simple firewall as a router, which has worked in CentOS for me for decades in various iterations.)

What I'd like is a simple "how to" that describes how to set up a working basic router under CentOS 8.1's new firewalld/nftables configuration.

I've been working with iptables since ipchains were around, I used fwbuilder as a stopgap back in the day because I hate writing manual firewall rules.

Is there a simple way to make this "just work?"

I don't have a complex configuration...it's very simple:

1) Internal interface (physical) on enp2s0 - 192.168.1.0/24
2) External interface (physical) on enp3s0 - A single static-assigned public IP address
3) I want the computers inside to be able to talk to the Internet with no restrictions (I can add those later if I need to)
4) I want systems on the Internet to be able to get to the server on port 443, and one subnet (as discussed) to be able to SSH into the server externally.

That's basically it.

The reason why I'm in this mess is because, since a recent update from CentOS 8 to CentOS 8.1, and possibly the most recent update to the latest available Firewalld (0.7.0_5), some traffic is being blocked inbound, due to the tightening of some rules in Firewalld, with no way to revert to the original behavior.

So now my Firewalld configuration is much more secure, but half of my https connections from the inside are failing with logs like this:

Apr 29 20:29:12 home kernel: filter_IN_external_REJECT: IN=enp3s0 OUT= MAC=*28DigitMacAddress* SRC=17.167.194.224 DST=*HomeStaticIPv4Addr* LEN=52 TOS=0x00 PREC=0x00 TTL=239 ID=61549 DF PROTO=TCP SPT=443 DPT=51337 WINDOW=320 RES=0x00 ACK URGP=0

Which I only see when I enable logging in the firewall, so at first, I thought it was an ISP issue. We had an issue earlier this week where they had an outage and were fiddling with the lines in the neighborhood. The CentOS 8.0 to CentOS 8.1 update, and the Firewalld upgrade to 0.7.0_5 coincided with all the other badness this week, so I spent hours on the phone with my ISP complaining about service issues when, after that first day when they fixed the connection, it was all in my firewall, but I didn't know it at the time.

I eventually figured it out by plugging in my laptop directly to the cable modem and figuring out that all of my network issues were related to the way the firewall/router was handling things. Enabled logging, saw all the blocked inbound packets that should have been allowed (and were allowed with a previous configuration), and realized something had changed in the underlying system.

So what was once working, failed, but not in a 100% failure way. Some outbound https connections work, while others fail. I don't know why. But I can see in the logs that it's due to the firewall configuration.

I'd like to start over fresh, with a set of instructions, but the problem is nftables is relatively new, so while there are hundreds of "how to" documents on the Internet that explain how to configure a basic NAT/masquerade router using firewalld and iptables with CentOS 7 (and even 8.0?), there are very few (none?) that handle firewalld and nftables under CentOS 8.1. So I've upgraded to a configuration that is not really well supported, and I'm regretting that decision severely, as I've spent probably 40+ hours this week trying to debug this problem.

Post by amarand » 2020/05/01 13:46:43

Also, when I say "decades" for CentOS, I'm actually talking about Red Hat. I'm a card-carrying RHCE from way back, and I'm a big fan of Red Hat overall.

This is why I use CentOS: besides the fact that it's free, which saves me money, it's also built on something I've understood for a very long time. I've been through ipchains, iptables and now...there's this new nftables that seems like it should be awesome (rules written apply to both ipv4 and ipv6 - great), but it just adds another layer of complexity. I've written rules for these by hand, but writing complex firewall rules by hand is not my core competency.

I liked using fwbuilder, once I got used to it. Then CentOS threw that out the window saying "Just use Firewalld!" Which I learned.

And now I have to learn nftables, because now in CentOS 8.1 they decided to force some major change without having decent documentation on how to use it?

Have you ever tried researching a new firewall type while your Internet is (intermittently) "out?" Yeah, that's what my week has been like.

So I'll do a search on firewall issues, and half the time, I get these "PR_CONNECT_RESET_ERROR" depending on the site. I have no idea what's causing this (at the time), so in researching what's wrong, I'm being slowed down by the connection issues, which is what I'm trying to research.

I'm sharing this because, although I've only posted a few posts in this forum, I have been using Linux since the days of Slackware in the early 90s, where you'd download the kernel and build things from scratch. I've got 40+ years in computers, and this is the most frustrated I've felt in all those decades.

It's probably a little bit COVID, but it's also the fact that we rely on our Internet for work and play, and when CentOS pulls the rug out from under the users without proper documentation, it's frustrating.

Post by amarand » 2020/05/01 13:54:19

So, to be clear, it's Friday. I have about 9 hours left of work, where my VPN has to be rock-solid and stable, and then I'm going to spend the entire weekend trying to get this firewall configuration to work properly. I can't have another week like this.

What I'd love, and what would make the majority of my stress from this past week go away, would be for me to find a very clear, step-by-step "how to" document that explains how to configure firewalld and nftables in a basic router/firewall/NAT/masquerade configuration.

As an example, I've used documents similar to this, when configuring things in the past, and they work great:

https://linuxize.com/post/how-to-config ... -centos-8/
https://www.cyberciti.biz/faq/how-to-se ... -centos-8/

At this point, I feel like we (CentOS 8.1 users) are in uncharted territory and, while I love learning new things, I don't love learning new things while my primary method of learning is being broken by the thing I'm trying to learn.

Any help would be much appreciated.

Post by amarand » 2020/05/01 13:55:29

Also note how these documents mention "CentOS 8" but they really don't cover CentOS 8.1. Why is it that 8.0 works so differently from 8.1? Or is it the underlying firewalld update to 0.7.0_5? The problem is, I just don't know.

Post by amarand » 2020/05/01 14:55:55

There is a post, from CentOS 7, where a guy is basically asking to do what I'm doing. One guy told him to just buy a firewall appliance. Finally, he figured out how to do it, and shared (last post):

viewtopic.php?t=53819

That's basically what I'm doing. It's not a complex configuration, aside from the single rich-rule I have, which I would gladly toss out and ignore just to get to a working, safe configuration status. I'll quote:

OK, things appear to be working. Here's what I needed to do in order to configure firewalld on CentOS 7 to route packets from an internal network to an external network.

I'd be glad for any comments on caveats and security implications for this setup. As I understand it, these rules will permit machines on the internal network to send NATed packets to machines on the external network, and will also permit responses back. Machines on the external network will not be able to initiate communications with machines on the internal network.

    Enable IPv4 packet forwarding.
        Add the following to /etc/sysctl.conf: net.ipv4.ip_forward = 1
        Apply the sysctl settings: sysctl -p
    Add direct rules to firewalld. Add the --permanent option to keep these rules across restarts.
    firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth_ext -j MASQUERADE
    firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth_int -o eth_ext -j ACCEPT
    firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth_ext -o eth_int -m state --state RELATED,ESTABLISHED -j ACCEPT
    Configure DNS. My machine is running a DHCP server so I configured it to provide the address of the DNS server on my external LAN.
How do I get that very simple configuration to work under CentOS 8.1, Firewalld 0.7.0_5 and nftables versus iptables?

Aside from the single mistake I made this week during troubleshooting (enabling masquerade on the Internal interface, which is not needed, and has since been reversed), and also enabling a bunch of additional services on Internal that probably aren't required, my configuration has worked since last year with no issues. I just want to get back to that point of things "just working."

Internet
|
Cable Modem in Passthrough/Gateway Mode
|
External (enp3s0) - Single static commercial IP address
|
firewalld/nftables/NAT/masquerade
|
Internal (enp2s0) - 192.168.1.0/24
|
All of my computers and devices

All internal traffic destined for internal network "just works" as expected.
All external traffic is blocked aside from SSH, which is allowed from a single class-C network defined in a rich rule.
All internal traffic destined for external network (Internet) is allowed
** All "RELATED,ESTABLISHED" return packets from external are allowed back in

Right now, most of that is working, aside from the last step, which is apparently broken, because the firewall is blocking certain return packets.

For example, when I try to go to an Apple web-site:

May 1 10:52:44 home kernel: filter_IN_external_REJECT: IN=enp3s0 OUT= MAC=(28 character MAC) SRC=17.32.194.37 DST=(My Public Static IP) LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=30474 DF PROTO=TCP SPT=443 DPT=33343 WINDOW=64 RES=0x00 ACK FIN URGP=0
May 1 10:52:44 home kernel: filter_IN_external_REJECT: IN=enp3s0 OUT= MAC=(28 character MAC) SRC=17.32.194.37 DST=(My Public Static IP) LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=28993 DF PROTO=TCP SPT=443 DPT=33344 WINDOW=64 RES=0x00 ACK FIN URGP=0
May 1 10:52:44 home kernel: filter_IN_external_REJECT: IN=enp3s0 OUT= MAC=(28 character MAC) SRC=17.32.194.37 DST=(My Public Static IP) LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=12526 DF PROTO=TCP SPT=443 DPT=33345 WINDOW=64 RES=0x00 ACK FIN URGP=0
May 1 10:52:44 home kernel: filter_IN_external_REJECT: IN=enp3s0 OUT= MAC=(28 character MAC) SRC=17.32.194.37 DST=(My Public Static IP) LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=44746 DF PROTO=TCP SPT=443 DPT=33346 WINDOW=64 RES=0x00 ACK FIN URGP=0
May 1 10:52:44 home kernel: filter_IN_external_REJECT: IN=enp3s0 OUT= MAC=(28 character MAC) SRC=17.32.194.37 DST=(My Public Static IP) LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=35663 DF PROTO=TCP SPT=443 DPT=33347 WINDOW=64 RES=0x00 ACK FIN URGP=0
May 1 10:52:44 home kernel: filter_IN_external_REJECT: IN=enp3s0 OUT= MAC=(28 character MAC) SRC=17.32.194.37 DST=(My Public Static IP) LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=54852 DF PROTO=TCP SPT=443 DPT=33348 WINDOW=64 RES=0x00 ACK FIN URGP=0

And I get the following in Firefox:

Secure Connection Failed
An error occurred during a connection to appleid.apple.com. PR_CONNECT_RESET_ERROR

What is broken, and how can I fix it? Am I missing one or two lines to make nftables happy again? Do I need to start from scratch? If I have to start from scratch, is there a good how-to guide to get me from square one, back to working again? I shouldn't have to reinvent the wheel (yet again) but it feels like I may have to.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Post by jlehtone » 2020/05/01 20:36:53

amarand wrote:
2020/05/01 13:38:19
Ahh okay, so external rich rule allows a single network to access my server via SSH.
In firewalld ideology that calls for a third zone.
A zone that is not on any interface, but has that subnet "X" as a source.
That zone must then have the services that clients in subnet X need to access.


Can you post the output of sudo nft list ruleset?
We might be able to explain which rules block your traffic.


Regarding that other thread, masquerade as direct rule makes no sense because firewalld does create the masquerade rules "in the zone" properly. Does now. Perhaps didn't back in 2015?

Post by amarand » 2020/05/01 21:25:22

Absolutely!

# nft list ruleset
table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 0; policy accept;
                iifname "enp2s0" oifname "enp3s0" counter packets 4615527 bytes 2521888687 accept
                iifname "enp3s0" oifname "enp2s0" ct state related,established counter packets 3295924 bytes 1845458107 accept
        }

        chain OUTPUT {
                type filter hook output priority 0; policy accept;
        }
}
table ip6 filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 0; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 0; policy accept;
        }
}
table bridge filter {
        chain INPUT {
                type filter hook input priority -200; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority -200; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority -200; policy accept;
        }
}
table ip security {
        chain INPUT {
                type filter hook input priority 150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 150; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 150; policy accept;
        }
}
table ip raw {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority -300; policy accept;
        }
}
table ip mangle {
        chain PREROUTING {
                type filter hook prerouting priority -150; policy accept;
        }

        chain INPUT {
                type filter hook input priority -150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority -150; policy accept;
        }

        chain OUTPUT {
                type route hook output priority -150; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority -150; policy accept;
        }
}
table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority -100; policy accept;
        }

        chain INPUT {
                type nat hook input priority 100; policy accept;
        }

        chain POSTROUTING {
                type nat hook postrouting priority 100; policy accept;
                oifname "enp3s0" counter packets 28282 bytes 1972845 masquerade
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
        }
}
table ip6 security {
        chain INPUT {
                type filter hook input priority 150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 150; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 150; policy accept;
        }
}
table ip6 raw {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority -300; policy accept;
        }
}
table ip6 mangle {
        chain PREROUTING {
                type filter hook prerouting priority -150; policy accept;
        }

        chain INPUT {
                type filter hook input priority -150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority -150; policy accept;
        }

        chain OUTPUT {
                type route hook output priority -150; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority -150; policy accept;
        }
}
table ip6 nat {
        chain PREROUTING {
                type nat hook prerouting priority -100; policy accept;
        }

        chain INPUT {
                type nat hook input priority 100; policy accept;
        }

        chain POSTROUTING {
                type nat hook postrouting priority 100; policy accept;
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
        }
}
table bridge nat {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 100; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority 300; policy accept;
        }
}
table inet firewalld {
        ct helper helper-netbios-ns-udp {
                type "netbios-ns" protocol udp

                l3proto ip
        }

        ct helper helper-tftp-udp {
                type "tftp" protocol udp

                l3proto inet
        }

        ct helper helper-amanda-udp {
                type "amanda" protocol udp

                l3proto inet
        }

        ct helper helper-ftp-tcp {
                type "ftp" protocol tcp

                l3proto inet
        }

        ct helper helper-sane-tcp {
                type "sane" protocol tcp

                l3proto inet
        }

        ct helper helper-sip-tcp {
                type "sip" protocol tcp

                l3proto inet
        }

        ct helper helper-sip-udp {
                type "sip" protocol udp

                l3proto inet
        }

        chain raw_PREROUTING {
                type filter hook prerouting priority -290; policy accept;
                icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
                meta nfproto ipv6 fib saddr . iif oif missing log prefix "rpfilter_DROP: " drop
                jump raw_PREROUTING_ZONES
        }

        chain raw_PREROUTING_ZONES {
                iifname "enp2s0" goto raw_PRE_internal
                iifname "enp3s0" goto raw_PRE_external
                goto raw_PRE_public
        }

        chain mangle_PREROUTING {
                type filter hook prerouting priority -140; policy accept;
                jump mangle_PREROUTING_ZONES
        }

        chain mangle_PREROUTING_ZONES {
                iifname "enp2s0" goto mangle_PRE_internal
                iifname "enp3s0" goto mangle_PRE_external
                goto mangle_PRE_public
        }

        chain filter_INPUT {
                type filter hook input priority 10; policy accept;
                ct state established,related accept
                ct status dnat accept
                iifname "lo" accept
                jump filter_INPUT_ZONES
                ct state invalid log prefix "STATE_INVALID_DROP: "
                ct state invalid drop
                log prefix "FINAL_REJECT: "
                reject with icmpx type admin-prohibited
        }

        chain filter_FORWARD {
                type filter hook forward priority 10; policy accept;
                ct state established,related accept
                ct status dnat accept
                iifname "lo" accept
                ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
                jump filter_FORWARD_IN_ZONES
                jump filter_FORWARD_OUT_ZONES
                ct state invalid log prefix "STATE_INVALID_DROP: "
                ct state invalid drop
                log prefix "FINAL_REJECT: "
                reject with icmpx type admin-prohibited
        }

        chain filter_OUTPUT {
                type filter hook output priority 10; policy accept;
                oifname "lo" accept
                ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
        }

        chain filter_INPUT_ZONES {
                iifname "enp2s0" goto filter_IN_internal
                iifname "enp3s0" goto filter_IN_external
                goto filter_IN_public
        }

        chain filter_FORWARD_IN_ZONES {
                iifname "enp2s0" goto filter_FWDI_internal
                iifname "enp3s0" goto filter_FWDI_external
                goto filter_FWDI_public
        }

        chain filter_FORWARD_OUT_ZONES {
                oifname "enp2s0" goto filter_FWDO_internal
                oifname "enp3s0" goto filter_FWDO_external
                goto filter_FWDO_public
        }

        chain raw_PRE_public {
                jump raw_PRE_public_pre
                jump raw_PRE_public_log
                jump raw_PRE_public_deny
                jump raw_PRE_public_allow
                jump raw_PRE_public_post
        }

        chain raw_PRE_public_pre {
        }

        chain raw_PRE_public_log {
        }

        chain raw_PRE_public_deny {
        }

        chain raw_PRE_public_allow {
        }

        chain raw_PRE_public_post {
        }

        chain filter_IN_public {
                jump filter_IN_public_pre
                jump filter_IN_public_log
                jump filter_IN_public_deny
                jump filter_IN_public_allow
                jump filter_IN_public_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_IN_public_pre {
        }

        chain filter_IN_public_log {
        }

        chain filter_IN_public_deny {
        }

        chain filter_IN_public_allow {
                tcp dport ssh ct state new,untracked accept
                ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
                tcp dport 3389 ct state new,untracked accept
                tcp dport 5201 ct state new,untracked accept
        }

        chain filter_IN_public_post {
        }

        chain filter_FWDI_public {
                jump filter_FWDI_public_pre
                jump filter_FWDI_public_log
                jump filter_FWDI_public_deny
                jump filter_FWDI_public_allow
                jump filter_FWDI_public_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_FWDI_public_pre {
        }

        chain filter_FWDI_public_log {
        }

        chain filter_FWDI_public_deny {
        }

        chain filter_FWDI_public_allow {
        }

        chain filter_FWDI_public_post {
        }

        chain mangle_PRE_public {
                jump mangle_PRE_public_pre
                jump mangle_PRE_public_log
                jump mangle_PRE_public_deny
                jump mangle_PRE_public_allow
                jump mangle_PRE_public_post
        }

        chain mangle_PRE_public_pre {
        }

        chain mangle_PRE_public_log {
        }

        chain mangle_PRE_public_deny {
        }

        chain mangle_PRE_public_allow {
        }

        chain mangle_PRE_public_post {
        }

        chain filter_FWDO_public {
                jump filter_FWDO_public_pre
                jump filter_FWDO_public_log
                jump filter_FWDO_public_deny
                jump filter_FWDO_public_allow
                jump filter_FWDO_public_post
        }

        chain filter_FWDO_public_pre {
        }

        chain filter_FWDO_public_log {
        }

        chain filter_FWDO_public_deny {
        }

        chain filter_FWDO_public_allow {
        }

        chain filter_FWDO_public_post {
        }

        chain raw_PRE_external {
                jump raw_PRE_external_pre
                jump raw_PRE_external_log
                jump raw_PRE_external_deny
                jump raw_PRE_external_allow
                jump raw_PRE_external_post
        }

        chain raw_PRE_external_pre {
        }

        chain raw_PRE_external_log {
        }

        chain raw_PRE_external_deny {
        }

        chain raw_PRE_external_allow {
        }

        chain raw_PRE_external_post {
        }

        chain filter_IN_external {
                jump filter_IN_external_pre
                jump filter_IN_external_log
                jump filter_IN_external_deny
                jump filter_IN_external_allow
                jump filter_IN_external_post
                log prefix "filter_IN_external_REJECT: "
                reject with icmpx type admin-prohibited
        }

        chain filter_IN_external_pre {
        }

        chain filter_IN_external_log {
                ip saddr 205.166.94.0/24 tcp dport ssh ct state new,untracked log level notice
        }

        chain filter_IN_external_deny {
        }

        chain filter_IN_external_allow {
                tcp dport https ct state new,untracked accept
                tcp dport http ct state new,untracked accept
                tcp dport smtp ct state new,untracked accept
                tcp dport urd ct state new,untracked accept
                tcp dport imap2 ct state new,untracked accept
                tcp dport imaps ct state new,untracked accept
                ip saddr 205.166.94.0/24 tcp dport ssh ct state new,untracked accept
        }

        chain filter_IN_external_post {
        }

        chain filter_FWDO_external {
                jump filter_FWDO_external_pre
                jump filter_FWDO_external_log
                jump filter_FWDO_external_deny
                jump filter_FWDO_external_allow
                jump filter_FWDO_external_post
                log prefix "filter_FWDO_external_REJECT: "
                reject with icmpx type admin-prohibited
        }

        chain filter_FWDO_external_pre {
        }

        chain filter_FWDO_external_log {
        }

        chain filter_FWDO_external_deny {
        }

        chain filter_FWDO_external_allow {
                ct state new,untracked accept
        }

        chain filter_FWDO_external_post {
        }

        chain mangle_PRE_external {
                jump mangle_PRE_external_pre
                jump mangle_PRE_external_log
                jump mangle_PRE_external_deny
                jump mangle_PRE_external_allow
                jump mangle_PRE_external_post
        }

        chain mangle_PRE_external_pre {
        }

        chain mangle_PRE_external_log {
        }

        chain mangle_PRE_external_deny {
        }

        chain mangle_PRE_external_allow {
        }

        chain mangle_PRE_external_post {
        }

        chain filter_FWDI_external {
                jump filter_FWDI_external_pre
                jump filter_FWDI_external_log
                jump filter_FWDI_external_deny
                jump filter_FWDI_external_allow
                jump filter_FWDI_external_post
                log prefix "filter_FWDI_external_REJECT: "
                reject with icmpx type admin-prohibited
        }

        chain filter_FWDI_external_pre {
        }

        chain filter_FWDI_external_log {
        }

        chain filter_FWDI_external_deny {
        }

        chain filter_FWDI_external_allow {
        }

        chain filter_FWDI_external_post {
        }

        chain raw_PRE_internal {
                jump raw_PRE_internal_pre
                jump raw_PRE_internal_log
                jump raw_PRE_internal_deny
                jump raw_PRE_internal_allow
                jump raw_PRE_internal_post
        }

        chain raw_PRE_internal_pre {
        }

        chain raw_PRE_internal_log {
        }

        chain raw_PRE_internal_deny {
        }

        chain raw_PRE_internal_allow {
        }

        chain raw_PRE_internal_post {
        }

        chain filter_IN_internal {
                jump filter_IN_internal_pre
                jump filter_IN_internal_log
                jump filter_IN_internal_deny
                jump filter_IN_internal_allow
                jump filter_IN_internal_post
                accept
        }

        chain filter_IN_internal_pre {
        }

        chain filter_IN_internal_log {
        }

        chain filter_IN_internal_deny {
        }

        chain filter_IN_internal_allow {
                tcp dport ssh ct state new,untracked accept
                ip daddr 224.0.0.251 udp dport mdns ct state new,untracked accept
                ip6 daddr ff02::fb udp dport mdns ct state new,untracked accept
                udp dport netbios-ns ct helper set "helper-netbios-ns-udp"
                udp dport netbios-ns ct state new,untracked accept
                udp dport netbios-dgm ct state new,untracked accept
                ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
                udp dport dhcpv6-server ct state new,untracked accept
                udp dport bootps ct state new,untracked accept
                tcp dport domain ct state new,untracked accept
                udp dport domain ct state new,untracked accept
                tcp dport imaps ct state new,untracked accept
                udp dport isakmp ct state new,untracked accept
                udp dport ipsec-nat-t ct state new,untracked accept
                meta l4proto ah ct state new,untracked accept
                meta l4proto esp ct state new,untracked accept
                tcp dport ircd ct state new,untracked accept
                tcp dport 6697 ct state new,untracked accept
                tcp dport kerberos-adm ct state new,untracked accept
                tcp dport klogin ct state new,untracked accept
                tcp dport kpasswd ct state new,untracked accept
                udp dport kpasswd ct state new,untracked accept
                tcp dport krb-prop ct state new,untracked accept
                tcp dport kshell ct state new,untracked accept
                tcp dport mysql ct state new,untracked accept
                udp dport ntp ct state new,untracked accept
                udp dport openvpn ct state new,untracked accept
                tcp dport pop3 ct state new,untracked accept
                tcp dport pop3s ct state new,untracked accept
                tcp dport shell ct state new,untracked accept
                tcp dport rsync ct state new,untracked accept
                udp dport rsync ct state new,untracked accept
                tcp dport netbios-ssn ct state new,untracked accept
                tcp dport microsoft-ds ct state new,untracked accept
                tcp dport smtp ct state new,untracked accept
                tcp dport urd ct state new,untracked accept
                tcp dport submission ct state new,untracked accept
                tcp dport snmp ct state new,untracked accept
                udp dport snmp ct state new,untracked accept
                tcp dport syslog-tls ct state new,untracked accept
                udp dport syslog-tls ct state new,untracked accept
                tcp dport telnet ct state new,untracked accept
                udp dport tftp ct helper set "helper-tftp-udp"
                udp dport tftp ct state new,untracked accept
                tcp dport 51413 ct state new,untracked accept
                udp dport 51413 ct state new,untracked accept
                tcp dport 5900-5903 ct state new,untracked accept
                tcp dport 3389 ct state new,untracked accept
                udp dport amanda ct helper set "helper-amanda-udp"
                udp dport amanda ct state new,untracked accept
                tcp dport amanda ct state new,untracked accept
                tcp dport amandaidx ct state new,untracked accept
                tcp dport amqp ct state new,untracked accept
                tcp dport amqps ct state new,untracked accept
                tcp dport 3551 ct state new,untracked accept
                tcp dport 60 ct state new,untracked accept
                tcp dport bacula-dir ct state new,untracked accept
                tcp dport bacula-fd ct state new,untracked accept
                tcp dport bacula-sd ct state new,untracked accept
                tcp dport 1984 ct state new,untracked accept
                udp dport 1984 ct state new,untracked accept
                tcp dport bgp ct state new,untracked accept
                tcp dport 8333 ct state new,untracked accept
                tcp dport 8332 ct state new,untracked accept
                tcp dport 18333 ct state new,untracked accept
                tcp dport 18332 ct state new,untracked accept
                ip daddr 239.192.152.143 udp dport 6771 ct state new,untracked accept
                ip6 daddr ff15::efc0:988f udp dport 6771 ct state new,untracked accept
                tcp dport 6800-7300 ct state new,untracked accept
                tcp dport 3300 ct state new,untracked accept
                tcp dport 6789 ct state new,untracked accept
                tcp dport cfengine ct state new,untracked accept
                tcp dport 9090 ct state new,untracked accept
                tcp dport 9618 ct state new,untracked accept
                tcp dport 4379 ct state new,untracked accept
                udp dport 4379 ct state new,untracked accept
                tcp dport distcc ct state new,untracked accept
                tcp dport 853 ct state new,untracked accept
                tcp dport 5000 ct state new,untracked accept
                udp dport db-lsp ct state new,untracked accept
                tcp dport db-lsp ct state new,untracked accept
                tcp dport 2377 ct state new,untracked accept
                tcp dport 7946 ct state new,untracked accept
                udp dport 7946 ct state new,untracked accept
                udp dport 4789 ct state new,untracked accept
                tcp dport 9300 ct state new,untracked accept
                tcp dport 9200 ct state new,untracked accept
                tcp dport 2379 ct state new,untracked accept
                tcp dport 2380 ct state new,untracked accept
                tcp dport finger ct state new,untracked accept
                tcp dport http ct state new,untracked accept
                tcp dport https ct state new,untracked accept
                tcp dport kerberos ct state new,untracked accept
                udp dport kerberos ct state new,untracked accept
                tcp dport ldap ct state new,untracked accept
                tcp dport ldaps ct state new,untracked accept
                tcp dport 7389 ct state new,untracked accept
                tcp dport loc-srv ct state new,untracked accept
                tcp dport 138-139 ct state new,untracked accept
                udp dport 138-139 ct state new,untracked accept
                udp dport ldap ct state new,untracked accept
                udp dport microsoft-ds ct state new,untracked accept
                tcp dport 1024-1300 ct state new,untracked accept
                tcp dport 3268 ct state new,untracked accept
                tcp dport ftp ct helper set "helper-ftp-tcp"
                tcp dport ftp ct state new,untracked accept
                tcp dport 8660 ct state new,untracked accept
                tcp dport 8651 ct state new,untracked accept
                tcp dport git ct state new,untracked accept
                tcp dport 3000 ct state new,untracked accept
                meta l4proto gre ct state new,untracked accept
                tcp dport 2224 ct state new,untracked accept
                tcp dport 3121 ct state new,untracked accept
                tcp dport 5403 ct state new,untracked accept
                udp dport 5404 ct state new,untracked accept
                udp dport 5405-5412 ct state new,untracked accept
                tcp dport 9929 ct state new,untracked accept
                udp dport 9929 ct state new,untracked accept
                tcp dport 21064 ct state new,untracked accept
                tcp dport imap2 ct state new,untracked accept
                tcp dport ipp ct state new,untracked accept
                udp dport ipp ct state new,untracked accept
                tcp dport iscsi-target ct state new,untracked accept
                udp dport iscsi-target ct state new,untracked accept
                tcp dport 3205 ct state new,untracked accept
                udp dport 3205 ct state new,untracked accept
                tcp dport http-alt ct state new,untracked accept
                tcp dport 1714-1764 ct state new,untracked accept
                udp dport 1714-1764 ct state new,untracked accept
                tcp dport 5601 ct state new,untracked accept
                tcp dport 16509 ct state new,untracked accept
                tcp dport 16514 ct state new,untracked accept
                tcp dport 9735 ct state new,untracked accept
                tcp dport hostmon ct state new,untracked accept
                udp dport hostmon ct state new,untracked accept
                tcp dport sieve ct state new,untracked accept
                tcp dport 8448 ct state new,untracked accept
                tcp dport 11211 ct state new,untracked accept
                udp dport 11211 ct state new,untracked accept
                tcp dport 8200 ct state new,untracked accept
                udp dport 1900 ct state new,untracked accept
                tcp dport 27017 ct state new,untracked accept
                udp dport 60000-61000 ct state new,untracked accept
                tcp dport 20048 ct state new,untracked accept
                udp dport 20048 ct state new,untracked accept
                tcp dport 1883 ct state new,untracked accept
                tcp dport 8883 ct state new,untracked accept
                tcp dport ms-sql-s ct state new,untracked accept
                tcp dport 64738 ct state new,untracked accept
                udp dport 64738 ct state new,untracked accept
                tcp dport nfs ct state new,untracked accept
                udp dport nfs ct state new,untracked accept
                tcp dport 10110 ct state new,untracked accept
                udp dport 10110 ct state new,untracked accept
                tcp dport nrpe ct state new,untracked accept
                tcp dport nut ct state new,untracked accept
                tcp dport 54322 ct state new,untracked accept
                tcp dport 55863 ct state new,untracked accept
                tcp dport 39543 ct state new,untracked accept
                tcp dport 2223 ct state new,untracked accept
                tcp dport 32400 ct state new,untracked accept
                udp dport 32400 ct state new,untracked accept
                tcp dport 32469 ct state new,untracked accept
                tcp dport 3005 ct state new,untracked accept
                tcp dport 8324 ct state new,untracked accept
                udp dport 32410 ct state new,untracked accept
                udp dport 32412 ct state new,untracked accept
                udp dport 32413 ct state new,untracked accept
                udp dport 32414 ct state new,untracked accept
                tcp dport 44321 ct state new,untracked accept
                tcp dport 44322 ct state new,untracked accept
                tcp dport 44323 ct state new,untracked accept
                tcp dport 44324 ct state new,untracked accept
                tcp dport postgresql ct state new,untracked accept
                tcp dport 8118 ct state new,untracked accept
                udp dport 4011 ct state new,untracked accept
                udp dport 319 ct state new,untracked accept
                udp dport 320 ct state new,untracked accept
                tcp dport 4713 ct state new,untracked accept
                tcp dport 8140 ct state new,untracked accept
                tcp dport 4242 ct state new,untracked accept
                tcp dport radius ct state new,untracked accept
                udp dport radius ct state new,untracked accept
                tcp dport radius-acct ct state new,untracked accept
                udp dport radius-acct ct state new,untracked accept
                tcp dport 6379 ct state new,untracked accept
                tcp dport 26379 ct state new,untracked accept
                udp dport bootpc ct state new,untracked accept
                tcp dport 5646-5647 ct state new,untracked accept
                tcp dport 8000 ct state new,untracked accept
                tcp dport sunrpc ct state new,untracked accept
                udp dport sunrpc ct state new,untracked accept
                tcp dport rtsp ct state new,untracked accept
                udp dport rtsp ct state new,untracked accept
                tcp dport 4505 ct state new,untracked accept
                tcp dport 4506 ct state new,untracked accept
                tcp dport 49152-65535 ct state new,untracked accept
                tcp dport 3269 ct state new,untracked accept
                tcp dport sane-port ct helper set "helper-sane-tcp"
                tcp dport sane-port ct state new,untracked accept
                tcp dport sip ct helper set "helper-sip-tcp"
                udp dport sip ct helper set "helper-sip-udp"
                tcp dport sip ct state new,untracked accept
                udp dport sip ct state new,untracked accept
                tcp dport sip-tls ct state new,untracked accept
                udp dport sip-tls ct state new,untracked accept
                tcp dport svrloc ct state new,untracked accept
                udp dport svrloc ct state new,untracked accept
                tcp dport snmp-trap ct state new,untracked accept
                udp dport snmp-trap ct state new,untracked accept
                udp dport 21327 ct state new,untracked accept
                udp dport 21328 ct state new,untracked accept
                udp dport 57621 ct state new,untracked accept
                tcp dport 57621 ct state new,untracked accept
                tcp dport 3128 ct state new,untracked accept
                ip daddr 239.255.255.250 udp dport 1900 ct state new,untracked accept
                ip6 daddr ff02::c udp dport 1900 ct state new,untracked accept
                tcp dport 27036 ct state new,untracked accept
                tcp dport 27037 ct state new,untracked accept
                udp dport 27031-27036 ct state new,untracked accept
                tcp dport 6419 ct state new,untracked accept
                udp dport 6419 ct state new,untracked accept
                tcp dport svn ct state new,untracked accept
                tcp dport 22000 ct state new,untracked accept
                udp dport 21027 ct state new,untracked accept
                tcp dport 8384 ct state new,untracked accept
                tcp dport 24800 ct state new,untracked accept
                udp dport shell ct state new,untracked accept
                tcp dport 41121 ct state new,untracked accept
                tcp dport 9851 ct state new,untracked accept
                tcp dport tinc ct state new,untracked accept
                udp dport tinc ct state new,untracked accept
                tcp dport 9050 ct state new,untracked accept
                udp sport 1900 ct state new,untracked accept
                tcp dport 54321 ct state new,untracked accept
                tcp dport 5900-6923 ct state new,untracked accept
                tcp dport 49152-49216 ct state new,untracked accept
                tcp dport 5988 ct state new,untracked accept
                tcp dport 5989 ct state new,untracked accept
                tcp dport 5985 ct state new,untracked accept
                tcp dport 5986 ct state new,untracked accept
                tcp dport xdmcp ct state new,untracked accept
                udp dport xdmcp ct state new,untracked accept
                tcp dport 5280 ct state new,untracked accept
                tcp dport xmpp-client ct state new,untracked accept
                tcp dport 5298 ct state new,untracked accept
                tcp dport xmpp-server ct state new,untracked accept
                tcp dport zabbix-agent ct state new,untracked accept
                tcp dport zabbix-trapper ct state new,untracked accept
                tcp dport 5201 ct state new,untracked accept
        }

        chain filter_IN_internal_post {
        }

        chain mangle_PRE_internal {
                jump mangle_PRE_internal_pre
                jump mangle_PRE_internal_log
                jump mangle_PRE_internal_deny
                jump mangle_PRE_internal_allow
                jump mangle_PRE_internal_post
        }

        chain mangle_PRE_internal_pre {
        }

        chain mangle_PRE_internal_log {
        }

        chain mangle_PRE_internal_deny {
        }

        chain mangle_PRE_internal_allow {
        }

        chain mangle_PRE_internal_post {
        }

        chain filter_FWDI_internal {
                jump filter_FWDI_internal_pre
                jump filter_FWDI_internal_log
                jump filter_FWDI_internal_deny
                jump filter_FWDI_internal_allow
                jump filter_FWDI_internal_post
                accept
        }

        chain filter_FWDI_internal_pre {
        }

        chain filter_FWDI_internal_log {
        }

        chain filter_FWDI_internal_deny {
        }

        chain filter_FWDI_internal_allow {
        }

        chain filter_FWDI_internal_post {
        }

        chain filter_FWDO_internal {
                jump filter_FWDO_internal_pre
                jump filter_FWDO_internal_log
                jump filter_FWDO_internal_deny
                jump filter_FWDO_internal_allow
                jump filter_FWDO_internal_post
                accept
        }

        chain filter_FWDO_internal_pre {
        }

        chain filter_FWDO_internal_log {
        }

        chain filter_FWDO_internal_deny {
        }

        chain filter_FWDO_internal_allow {
        }

        chain filter_FWDO_internal_post {
        }
}
table ip firewalld {
        chain nat_PREROUTING {
                type nat hook prerouting priority -90; policy accept;
                jump nat_PREROUTING_ZONES
        }

        chain nat_PREROUTING_ZONES {
                iifname "enp2s0" goto nat_PRE_internal
                iifname "enp3s0" goto nat_PRE_external
                goto nat_PRE_public
        }

        chain nat_POSTROUTING {
                type nat hook postrouting priority 110; policy accept;
                jump nat_POSTROUTING_ZONES
        }

        chain nat_POSTROUTING_ZONES {
                oifname "enp2s0" goto nat_POST_internal
                oifname "enp3s0" goto nat_POST_external
                goto nat_POST_public
        }

        chain nat_PRE_public {
                jump nat_PRE_public_pre
                jump nat_PRE_public_log
                jump nat_PRE_public_deny
                jump nat_PRE_public_allow
                jump nat_PRE_public_post
        }

        chain nat_PRE_public_pre {
        }

        chain nat_PRE_public_log {
        }

        chain nat_PRE_public_deny {
        }

        chain nat_PRE_public_allow {
        }

        chain nat_PRE_public_post {
        }

        chain nat_POST_public {
                jump nat_POST_public_pre
                jump nat_POST_public_log
                jump nat_POST_public_deny
                jump nat_POST_public_allow
                jump nat_POST_public_post
        }

        chain nat_POST_public_pre {
        }

        chain nat_POST_public_log {
        }

        chain nat_POST_public_deny {
        }

        chain nat_POST_public_allow {
        }

        chain nat_POST_public_post {
        }

        chain nat_POST_external {
                jump nat_POST_external_pre
                jump nat_POST_external_log
                jump nat_POST_external_deny
                jump nat_POST_external_allow
                jump nat_POST_external_post
        }

        chain nat_POST_external_pre {
        }

        chain nat_POST_external_log {
        }

        chain nat_POST_external_deny {
        }

        chain nat_POST_external_allow {
                oifname != "lo" masquerade
        }

        chain nat_POST_external_post {
        }

        chain nat_PRE_external {
                jump nat_PRE_external_pre
                jump nat_PRE_external_log
                jump nat_PRE_external_deny
                jump nat_PRE_external_allow
                jump nat_PRE_external_post
        }

        chain nat_PRE_external_pre {
        }

        chain nat_PRE_external_log {
        }

        chain nat_PRE_external_deny {
        }

        chain nat_PRE_external_allow {
        }

        chain nat_PRE_external_post {
        }

        chain nat_PRE_internal {
                jump nat_PRE_internal_pre
                jump nat_PRE_internal_log
                jump nat_PRE_internal_deny
                jump nat_PRE_internal_allow
                jump nat_PRE_internal_post
        }

        chain nat_PRE_internal_pre {
        }

        chain nat_PRE_internal_log {
        }

        chain nat_PRE_internal_deny {
        }

        chain nat_PRE_internal_allow {
        }

        chain nat_PRE_internal_post {
        }

        chain nat_POST_internal {
                jump nat_POST_internal_pre
                jump nat_POST_internal_log
                jump nat_POST_internal_deny
                jump nat_POST_internal_allow
                jump nat_POST_internal_post
        }

        chain nat_POST_internal_pre {
        }

        chain nat_POST_internal_log {
        }

        chain nat_POST_internal_deny {
        }

        chain nat_POST_internal_allow {
        }

        chain nat_POST_internal_post {
        }
}
table ip6 firewalld {
        chain nat_PREROUTING {
                type nat hook prerouting priority -90; policy accept;
                jump nat_PREROUTING_ZONES
        }

        chain nat_PREROUTING_ZONES {
                iifname "enp2s0" goto nat_PRE_internal
                iifname "enp3s0" goto nat_PRE_external
                goto nat_PRE_public
        }

        chain nat_POSTROUTING {
                type nat hook postrouting priority 110; policy accept;
                jump nat_POSTROUTING_ZONES
        }

        chain nat_POSTROUTING_ZONES {
                oifname "enp2s0" goto nat_POST_internal
                oifname "enp3s0" goto nat_POST_external
                goto nat_POST_public
        }

        chain nat_PRE_public {
                jump nat_PRE_public_pre
                jump nat_PRE_public_log
                jump nat_PRE_public_deny
                jump nat_PRE_public_allow
                jump nat_PRE_public_post
        }

        chain nat_PRE_public_pre {
        }

        chain nat_PRE_public_log {
        }

        chain nat_PRE_public_deny {
        }

        chain nat_PRE_public_allow {
        }

        chain nat_PRE_public_post {
        }

        chain nat_POST_public {
                jump nat_POST_public_pre
                jump nat_POST_public_log
                jump nat_POST_public_deny
                jump nat_POST_public_allow
                jump nat_POST_public_post
        }

        chain nat_POST_public_pre {
        }

        chain nat_POST_public_log {
        }

        chain nat_POST_public_deny {
        }

        chain nat_POST_public_allow {
        }

        chain nat_POST_public_post {
        }

        chain nat_POST_external {
                jump nat_POST_external_pre
                jump nat_POST_external_log
                jump nat_POST_external_deny
                jump nat_POST_external_allow
                jump nat_POST_external_post
        }

        chain nat_POST_external_pre {
        }

        chain nat_POST_external_log {
        }

        chain nat_POST_external_deny {
        }

        chain nat_POST_external_allow {
                oifname != "lo" masquerade
        }

        chain nat_POST_external_post {
        }

        chain nat_PRE_external {
                jump nat_PRE_external_pre
                jump nat_PRE_external_log
                jump nat_PRE_external_deny
                jump nat_PRE_external_allow
                jump nat_PRE_external_post
        }

        chain nat_PRE_external_pre {
        }

        chain nat_PRE_external_log {
        }

        chain nat_PRE_external_deny {
        }

        chain nat_PRE_external_allow {
        }

        chain nat_PRE_external_post {
        }

        chain nat_PRE_internal {
                jump nat_PRE_internal_pre
                jump nat_PRE_internal_log
                jump nat_PRE_internal_deny
                jump nat_PRE_internal_allow
                jump nat_PRE_internal_post
        }

        chain nat_PRE_internal_pre {
        }

        chain nat_PRE_internal_log {
        }

        chain nat_PRE_internal_deny {
        }

        chain nat_PRE_internal_allow {
        }

        chain nat_PRE_internal_post {
        }

        chain nat_POST_internal {
                jump nat_POST_internal_pre
                jump nat_POST_internal_log
                jump nat_POST_internal_deny
                jump nat_POST_internal_allow
                jump nat_POST_internal_post
        }

        chain nat_POST_internal_pre {
        }

        chain nat_POST_internal_log {
        }

        chain nat_POST_internal_deny {
        }

        chain nat_POST_internal_allow {
        }

        chain nat_POST_internal_post {
        }
}

amarand
Posts: 38
Joined: 2006/09/12 19:09:07
Location: Columbus, Ohio, USA

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by amarand » 2020/05/01 21:38:25

jlehtone wrote:
2020/05/01 20:36:53
amarand wrote:
2020/05/01 13:38:19
Ahh okay, so external rich rule allows a single network to access my server via SSH.
In firewalld-ideology that calls for third zone.
A zone that is not on any interface, but has that subnet "X" as a source.
That zone must then have the services that clients in subnet X need to access.


Can you post the output of sudo nft list ruleset?
We might be able to explain which rules block your traffic.


Regarding that other thread, masquerade as direct rule makes no sense because firewalld does create the masquerade rules "in the zone" properly. Does now. Perhaps didn't back in 2015?

As an aside, I have the entire weekend to play/learn this, so if you have a recommended guide for configuring CentOS 8.1 firewall/routing/NAT/masquerade properly, I have plenty of time. I'd like to get things set up the right/secure way. But my configuration is fairly simple.
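As an added example (not from this thread and not firewalld's own code): the firewall-cmd calls that implement the "third zone" jlehtone describes, collected in a small Python helper so the subnet is validated before anything is applied. The zone name `mgmt` is an assumption; the subnet and the rich rule are the ones quoted earlier in the thread. firewalld classifies a packet by source-bound zone before interface-bound zone, so once the subnet is attached to `mgmt`, packets from it never reach `external`, and every service that subnet needs has to be allowed in `mgmt`.

```python
"""Build the firewall-cmd calls that move a source-restricted SSH allowance out of
a rich rule and into a dedicated source-based zone. Added example; the zone
name "mgmt" is assumed, the subnet and rich rule are the ones from the thread."""
import ipaddress
import subprocess

# Values quoted in the thread (the zone name below is our own choice).
POSTER_SUBNET = "205.166.94.0/24"
POSTER_RICH_RULE = ('rule family="ipv4" source address="205.166.94.0/24" '
                    'service name="ssh" log level="notice" accept')


def source_zone_commands(zone, source_cidr, services, old_zone=None, old_rich_rule=None):
    """Return the firewall-cmd argv lists, in order, that
    1. create a permanent zone bound to no interface,
    2. attach the source subnet to it (a source match wins over the interface zone),
    3. allow exactly the listed services in it,
    4. optionally remove the now-redundant rich rule from the interface zone,
    5. reload so the permanent config becomes the runtime config.
    A malformed CIDR, or one with host bits set, raises ValueError before
    any command is emitted, so a typo cannot widen the allowed source."""
    net = ipaddress.ip_network(source_cidr, strict=True)
    if net.version != 4:
        raise ValueError("this helper only builds IPv4 source zones")
    z = f"--zone={zone}"
    cmds = [["firewall-cmd", "--permanent", f"--new-zone={zone}"],
            ["firewall-cmd", "--permanent", z, f"--add-source={net}"]]
    cmds += [["firewall-cmd", "--permanent", z, f"--add-service={s}"] for s in services]
    if old_zone and old_rich_rule:
        cmds.append(["firewall-cmd", "--permanent", f"--zone={old_zone}",
                     f"--remove-rich-rule={old_rich_rule}"])
    cmds.append(["firewall-cmd", "--reload"])
    return cmds


def apply_commands(cmds, dry_run=True):
    """Print each command; execute it too unless dry_run, stopping at the first failure."""
    for argv in cmds:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    plan = source_zone_commands("mgmt", POSTER_SUBNET, ["ssh"],
                                old_zone="external", old_rich_rule=POSTER_RICH_RULE)
    apply_commands(plan, dry_run=True)
```

Run it as root with `dry_run=False` once the printed plan looks right. The rich rule passed to `--remove-rich-rule` should be the rule text as `firewall-cmd --zone=external --list-rich-rules` prints it, and `firewall-cmd --get-active-zones` afterwards should show `mgmt` with the subnet under `sources:` and no interface.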

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by jlehtone » 2020/05/01 22:24:38

These are relevant parts of the ruleset, AFAIK. Some might be now in pseudo-syntax.

Code:

table ip filter {
        chain FORWARD {
                type filter hook forward priority 0; policy accept;
                iifname "enp2s0" oifname "enp3s0" counter packets 4615527 bytes 2521888687 accept
                iifname "enp3s0" oifname "enp2s0" ct state related,established counter packets 3295924 bytes 1845458107 accept
        }
}
table ip nat {
        chain POSTROUTING {
                type nat hook postrouting priority 100; policy accept;
                oifname "enp3s0" counter packets 28282 bytes 1972845 masquerade
        }
}
table inet firewalld {
        chain filter_FORWARD {
                type filter hook forward priority 10; policy accept;
                ct state established,related accept
                ct status dnat accept
                iifname "lo" accept
                iifname "enp2s0" accept
                iifname "enp3s0" goto filter_FWDI_external
                meta l4proto { icmp, ipv6-icmp } accept
                oifname "enp2s0" accept
                oifname "enp3s0" goto filter_FWDO_external
                ct state invalid log prefix "STATE_INVALID_DROP: "
                ct state invalid drop
                log prefix "FINAL_REJECT: "
                reject with icmpx type admin-prohibited
        }

        chain filter_FWDO_external {
                ct state new,untracked accept
                log prefix "filter_FWDO_external_REJECT: "
                reject with icmpx type admin-prohibited
        }

        chain filter_FWDI_external {
                log prefix "filter_FWDI_external_REJECT: "
                reject with icmpx type admin-prohibited
        }
}
table ip firewalld {
        chain nat_POSTROUTING {
                type nat hook postrouting priority 110; policy accept;
                oifname "enp3s0" and oifname != "lo" masquerade
        }
}
table ip6 firewalld {
        chain nat_POSTROUTING {
                type nat hook postrouting priority 110; policy accept;
                oifname "enp3s0" and oifname != "lo" masquerade
        }
}
Tables that have "firewalld" in the name are rules defined with normal zone config.
"table ip filter" and "table ip nat" are probably "direct rules".


Table "ip nat" does masquerade on enp3s0 in priority 100.
Table "ip firewalld" does masquerade on enp3s0 in priority 110.
I have no idea what masquerading twice leads to.
(The "ip" are for IPv4 packets. There is only one masquerade rule for IPv6 packets.)

The first rule in chain filter_FORWARD accepts all ESTABLISHED,RELATED traffic to all directions. That is on priority 10.
The incoming ESTABLISHED,RELATED you have already accepted on priority 0 in chain FORWARD.

Chain filter_FWDO_external accepts outgoing NEW,UNTRACKED traffic. Outgoing ESTABLISHED,RELATED was accepted earlier.


In the filter rules there is unnecessary redundancy.

In the nat rules there is very suspicious redundancy. That should be dealt with first.
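Added example, not from the thread or from firewalld itself: a small Python script that reads the text of `sudo nft list ruleset` and prints, per netfilter hook, the base chains in the order the kernel runs them (lower priority first), plus how many masquerade rules can reach a packet of each address family. Those are the two things the analysis above turns on: priority 0 in `ip filter` running before priority 10 in `inet firewalld`, and two masquerade rules (priority 100 and 110) for IPv4 against one for IPv6. `SAMPLE_RULESET` is a constructed condensation of the ruleset quoted above with the `and` pseudo-syntax removed so it parses; `NAMED_PRIORITY` is nft's standard symbolic table for newer versions that print names instead of numbers.

```python
"""Per-hook evaluation order and masquerade counts from `nft list ruleset` text.
Added example, not from the thread or firewalld; SAMPLE_RULESET is a constructed
condensation of the ruleset quoted above with the `and` pseudo-syntax removed."""
import re
from collections import defaultdict

SAMPLE_RULESET = """
table ip filter {
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
        iifname "enp3s0" oifname "enp2s0" ct state related,established accept
    }
}
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
        oifname "enp3s0" masquerade
    }
}
table inet firewalld {
    chain filter_FORWARD {
        type filter hook forward priority 10; policy accept;
        ct state established,related accept
    }
}
table ip firewalld {
    chain nat_POSTROUTING {
        type nat hook postrouting priority 110; policy accept;
        jump nat_POSTROUTING_ZONES
    }
    chain nat_POST_external_allow {
        oifname != "lo" masquerade
    }
}
table ip6 firewalld {
    chain nat_POSTROUTING {
        type nat hook postrouting priority 110; policy accept;
        jump nat_POSTROUTING_ZONES
    }
    chain nat_POST_external_allow {
        oifname != "lo" masquerade
    }
}
"""
# Newer nft prints symbolic priorities; these are its standard numeric values.
NAMED_PRIORITY = {"raw": -300, "mangle": -150, "dstnat": -100, "filter": 0,
                  "security": 50, "srcnat": 100}
TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+(-?\w+)")


def parse_ruleset(text):
    """Return (base_chains, masq_rules): every chain with a hook, and every masquerade rule."""
    base_chains, masq_rules = [], []
    family = table = chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TABLE_RE.match(line):
            family, table, chain = m.group(1), m.group(2), None
        elif m := CHAIN_RE.match(line):
            chain = m.group(1)
        elif line == "}":
            chain = None  # closes the chain (a table close lands here with chain already None)
        elif chain and (m := HOOK_RE.search(line)):
            prio = m.group(3)
            prio = NAMED_PRIORITY[prio] if prio in NAMED_PRIORITY else int(prio)
            base_chains.append({"family": family, "table": table, "chain": chain,
                                "type": m.group(1), "hook": m.group(2), "priority": prio})
        elif chain and re.search(r"\bmasquerade\b", line):
            masq_rules.append({"family": family, "table": table, "chain": chain, "rule": line})
    return base_chains, masq_rules


def applies(rule_family, packet_family):
    """`inet` tables see both IPv4 and IPv6 packets; `ip` and `ip6` see only their own."""
    return rule_family in (packet_family, "inet")


def hook_order(base_chains, packet_family="ip"):
    """Base chains a packet of the given family traverses, grouped by hook and
    sorted the way the kernel runs them: lowest priority first."""
    order = defaultdict(list)
    for bc in base_chains:
        if applies(bc["family"], packet_family):
            order[bc["hook"]].append(bc)
    for hook in order:
        order[hook].sort(key=lambda bc: bc["priority"])
    return dict(order)


def masquerade_count(masq_rules):
    """Masquerade rules reachable per family; more than one means a flow may be SNATed twice."""
    return {fam: sum(applies(r["family"], fam) for r in masq_rules) for fam in ("ip", "ip6")}


if __name__ == "__main__":
    chains, masq = parse_ruleset(SAMPLE_RULESET)
    for fam in ("ip", "ip6"):
        for hook, bcs in sorted(hook_order(chains, fam).items()):
            print(f"{fam} {hook}: " + " -> ".join(
                f"{b['family']}/{b['table']}/{b['chain']}@{b['priority']}" for b in bcs))
    print("masquerade rules per family:", masquerade_count(masq))
```

Feed it the real dump with `parse_ruleset(open("ruleset.txt").read())`; on the ruleset above it reports `ip forward: ip/filter/FORWARD@0 -> inet/firewalld/filter_FORWARD@10` and `{'ip': 2, 'ip6': 1}` for masquerade, which is exactly the redundancy to remove first: delete the direct rules so only the zone-level masquerade on `external` remains.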

amarand
Posts: 38
Joined: 2006/09/12 19:09:07
Location: Columbus, Ohio, USA

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by amarand » 2020/05/01 22:41:58

jlehtone wrote:
2020/05/01 22:24:38
These are relevant parts of the ruleset, AFAIK. Some might be now in pseudo-syntax.

Code:

table ip filter {
        chain FORWARD {
                type filter hook forward priority 0; policy accept;
                iifname "enp2s0" oifname "enp3s0" counter packets 4615527 bytes 2521888687 accept
                iifname "enp3s0" oifname "enp2s0" ct state related,established counter packets 3295924 bytes 1845458107 accept
        }
}
table ip nat {
        chain POSTROUTING {
                type nat hook postrouting priority 100; policy accept;
                oifname "enp3s0" counter packets 28282 bytes 1972845 masquerade
        }
}
table inet firewalld {
        chain filter_FORWARD {
                type filter hook forward priority 10; policy accept;
                ct state established,related accept
                ct status dnat accept
                iifname "lo" accept
                iifname "enp2s0" accept
                iifname "enp3s0" goto filter_FWDI_external
                meta l4proto { icmp, ipv6-icmp } accept
                oifname "enp2s0" accept
                oifname "enp3s0" goto filter_FWDO_external
                ct state invalid log prefix "STATE_INVALID_DROP: "
                ct state invalid drop
                log prefix "FINAL_REJECT: "
                reject with icmpx type admin-prohibited
        }

        chain filter_FWDO_external {
                ct state new,untracked accept
                log prefix "filter_FWDO_external_REJECT: "
                reject with icmpx type admin-prohibited
        }

        chain filter_FWDI_external {
                log prefix "filter_FWDI_external_REJECT: "
                reject with icmpx type admin-prohibited
        }
}
table ip firewalld {
        chain nat_POSTROUTING {
                type nat hook postrouting priority 110; policy accept;
                oifname "enp3s0" and oifname != "lo" masquerade
        }
}
table ip6 firewalld {
        chain nat_POSTROUTING {
                type nat hook postrouting priority 110; policy accept;
                oifname "enp3s0" and oifname != "lo" masquerade
        }
}
Tables that have "firewalld" in the name are rules defined with normal zone config.
"table ip filter" and "table ip nat" are probably "direct rules".


Table "ip nat" does masquerade on enp3s0 in priority 100.
Table "ip firewalld" does masquerade on enp3s0 in priority 110.
I have no idea what masquerading twice leads to.
(The "ip" are for IPv4 packets. There is only one masquerade rule for IPv6 packets.)

The first rule in chain filter_FORWARD accepts all ESTABLISHED,RELATED traffic to all directions. That is on priority 10.
The incoming ESTABLISHED,RELATED you have already accepted on priority 0 in chain FORWARD.

Chain filter_FWDO_external accepts outgoing NEW,UNTRACKED traffic. Outgoing ESTABLISHED,RELATED was accepted earlier.


In the filter rules there is unnecessary redundancy.

In the nat rules there is very suspicious redundancy. That should be dealt with first.
Is it possible that these two redundancies could be created by the firewalld system itself? Or the firewall-config GUI? Because I'm not sure how double rules could have been entered. I'm also not 100% sure which parts you're talking about map to the directions I used from CentOS 7 and firewalld.
