Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Issues related to configuring your network
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by TrevorH » 2020/05/03 16:29:38

That sounds like a fairly accurate summary to me. Not sure about the last point - the other alternative is to raise a ticket on bugzilla.redhat.com and ask them to fix whatever the "deficiency" is.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

amarand
Posts: 38
Joined: 2006/09/12 19:09:07
Location: Columbus, Ohio, USA

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by amarand » 2020/05/03 16:32:27

TrevorH wrote:
2020/05/03 16:29:38
That sounds like a fairly accurate summary to me. Not sure about the last point - the other alternative is to raise a ticket on bugzilla.redhat.com and ask them to fix whatever the "deficiency" is.
Oh, and I just meant "deficiency" in a generic way. Something's broken, I need to troubleshoot it at the "nftables" level, firewalld is not going to help me to do that. Firewalld isn't really a standalone firewall, it uses nftables on the backend. That's the part I just understood when you explained it to me. There are a lot of moving parts, and I've been successfully using firewalld for long enough, without having to tinker with it, that I never realized there might be something else - some other moving part - that could be at fault.

amarand
Posts: 38
Joined: 2006/09/12 19:09:07
Location: Columbus, Ohio, USA

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by amarand » 2020/05/03 16:35:25

TrevorH wrote:
2020/05/03 16:29:38
That sounds like a fairly accurate summary to me. Not sure about the last point - the other alternative is to raise a ticket on bugzilla.redhat.com and ask them to fix whatever the "deficiency" is.
Also, I suspect there's a bug, or a change was made, in firewalld which is causing my current situation. That's why I created a bug report on CentOS. Was that the incorrect place to report the bug? I know it gets a little complicated with upstream versus downstream.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by jlehtone » 2020/05/03 17:45:59

Just to be clear, are you now talking about the "only firewalld.service and only internal and external zones", or do you still have the other stuff?

kauer
Posts: 16
Joined: 2020/05/03 07:47:30

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by kauer » 2020/05/03 17:51:39

I've had more of a look at nf_tables now, and while it is still very early days it looks to me as if a huge chunk of the default ruleset is actually only there because firewalld sets up a bunch of stuff you and I don't need.

firewalld sets up tables for inet, ip and ip6. These occupy 318 lines of a total 491 lines. Of the remaining 172 lines, most looks like boilerplate, and unlikely to need touching.

The firewalld stuff looks as if it can be hugely reduced in size if one's needs are few. It will take quite a bit longer to unpack it, but it has a reasonably consistent logic and while the syntax is different it is very like iptables in many ways - pass the packet through sequential rules within a chain, test and jump to new chains, repeat until a rule disposes of the packet. If you run out of rules, do the default.

For now, I'm taking the path of least resistance. I'll control outbound packets in the router and just control inbound traffic with firewalld. But handcrafting a NATting interface with inbound and outbound filtering on protocol/port doesn't look unachievable, especially with the firewalld tables there for inspiration :-)

Regards, K.
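As an added illustration of the chain-and-jump logic kauer describes (evaluate rules in order, jump between chains, fall through to the chain policy), here is a minimal hand-written stateful NAT/masquerade ruleset in native nft syntax. It is an added example, not kauer's ruleset and not anything firewalld generates. It assumes the topology given elsewhere in this thread: enp2s0 is the trusted 192.168.1.0/24 side and enp3s0 faces the Internet. The 203.0.113.0/24 management prefix, the 192.168.1.10 port-forward target, the 8443 external port and the log prefixes are placeholders chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread, not firewalld's output).
# Topology assumed from the thread: enp2s0 = LAN 192.168.1.0/24, enp3s0 = Internet.
# Load with:  nft -f <this file>   (with firewalld stopped; only one tool
# should own the ruleset). IPv4 forwarding must also be on:
#   sysctl -w net.ipv4.ip_forward=1

flush ruleset

define lan_if  = "enp2s0"
define wan_if  = "enp3s0"
define lan_net = 192.168.1.0/24

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;

                # Return/related traffic for flows we already allowed.
                ct state established,related accept
                # Packets conntrack cannot place in a flow (out-of-window TCP,
                # a late FIN/ACK after teardown, ...): log them, then drop.
                ct state invalid log prefix "nft_INVALID_DROP: " drop

                iifname "lo" accept
                meta l4proto { icmp, ipv6-icmp } accept

                # Trusted side: any new IPv4 flow from the LAN to the router.
                # (IPv6 from the LAN is not covered; the thread's setup is IPv4 NAT.)
                iifname $lan_if ip saddr $lan_net accept

                # Internet side: only deliberately exposed services.
                iifname $wan_if tcp dport { http, https } accept
                # SSH only from one management prefix (placeholder prefix).
                iifname $wan_if ip saddr 203.0.113.0/24 tcp dport ssh accept

                # Everything else: log, then reject (same style as firewalld).
                log prefix "nft_INPUT_REJECT: " reject with icmpx type admin-prohibited
        }

        chain forward {
                type filter hook forward priority 0; policy drop;

                ct state established,related accept
                ct state invalid log prefix "nft_INVALID_DROP: " drop

                # LAN -> Internet: any new flow; replies match the rule above.
                iifname $lan_if oifname $wan_if ip saddr $lan_net accept

                # Internet -> LAN: only flows that were DNAT'ed (port forwards).
                iifname $wan_if oifname $lan_if ct status dnat accept

                log prefix "nft_FORWARD_REJECT: " reject with icmpx type admin-prohibited
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}

table ip nat {
        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
                # Port forward: external TCP 8443 -> an inside host (placeholder).
                iifname $wan_if tcp dport 8443 dnat to 192.168.1.10:443
        }

        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                # Masquerade LAN traffic leaving toward the Internet.
                oifname $wan_if ip saddr $lan_net masquerade
        }
}
```

The two `log prefix ... drop` and `log prefix ... reject` lines are what make `nft list ruleset` and the kernel log line up: anything that reaches the end of `input` or `forward` without being accepted shows up in the journal with that prefix, so a rejected packet can be traced to the exact chain that disposed of it. The ordering matters in the same way kauer describes for iptables: the `ct state` rules come first so that established flows never reach the per-interface rules, and the policy at the top of each chain is what applies when the rules run out.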

amarand
Posts: 38
Joined: 2006/09/12 19:09:07
Location: Columbus, Ohio, USA

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by amarand » 2020/05/03 18:03:11

jlehtone wrote:
2020/05/03 17:45:59
Just to be clear, are you now talking about the "only firewalld.service and only internal and external zones", or do you still have the other stuff?
That's what I'm confused about. Right now, I have firewalld with two active zones, same as before, Internal and External. The output of the firewalld rules looks very similar to before. BUT, as has been mentioned by TrevorH previously, I may have done something wrong: modified the nftables rules directly, while firewalld was managing those rules.

So... I may have to start over from scratch again and decide if I want to try firewalld (without messing with any nft write commands), or if I want to remove firewalld and just dive deep into the nfchains/nft write commands, and do this in what is apparently the "right" way to do it?

It's possible that I may have, in having firewalld running at the same time as nfchains, messed things up by issuing nft add commands.

In fact, I've been watching the logs, and I'm also rejecting some internal-to-server traffic, which is a bit annoying, and I don't understand why. Really, all Internal systems should have full, unencumbered access to both the server and the outside world, and the only services that should be coming back in are packets related to the latter. That's it.

Now, I do have that one SSH rule, but that only applies when I have a need to access the server remotely, which doesn't happen a lot recently, because I've been stuck at home nearly two months. So even if that external SSH rule weren't working, I wouldn't care.

I simply want all Internal traffic to pass to and through the server, and all return traffic to be accepted. All other packets destined for the server (except maybe http and https and maybe smtp/imaps/imap) should be dropped. I don't use the home server as a production web server, just for testing. I also don't use the home server for mail - but again, I do use it for mail testing (inbound and outbound). All of my primary services are co-located.

What's frustrating is, this should be a super easy configuration, and it always has been in the past. All the way back to ipchains, there have always been well-written guides for how to configure the "home router" configuration, and I've always been able to open up the ports that I need, configure port forwarding to inside hosts, get all the NAT/masquerade stuff working....

And then with firewalld, I was a little concerned, because it was a new thing, but it did seem easier to figure out and, again, my use case is not complex by any means. It handled everything very well. The only complexity was a "rich rule" was required for allowing SSH from a specific class-C. That allowed me to effectively block all of the brute-force hacking attacks on my server.

And then something updated.... I don't know if it was the update from CentOS 8.0 to 8.1, or if it was the recent firewalld updates to 0.7.0_5, but one of those updates broke things.

At first I thought it was my ISP, because we've had outages in the neighborhood this past week, and they've also admitted to being over-capacity. So I went with that assumption, and spent a week complaining (nicely) to my ISP about connection issues (which weren't really there).

I finally decided to bypass the server/firewall by connecting a laptop directly to the modem and all the issues disappeared.

It was then that I decided to enable firewalld logging, and started seeing all the traffic being blocked, seemingly randomly, though, because here I am posting in a forum, and that's working fine. But over on Facebook, when I try to open up certain things, it hangs/locks. When I try to authenticate to Apple Music, the authentication server can't send packets back, because the firewall is blocking them. It's maddeningly random, and I have no idea how to fix it.

Which is why I keep coming back to "this is a really simple configuration that I've had for decades, what broke and how can I fix it?"

The "how to" documentation isn't out there yet, because, while firewalld isn't entirely new to CentOS, nftables is, so not a lot of people seem to have written basic step-by-step directions for getting this very basic configuration to work under CentOS 8.1.

So, there we have it. Hopefully this post wasn't completely redundant. I feel like I've ranted about this before.

amarand
Posts: 38
Joined: 2006/09/12 19:09:07
Location: Columbus, Ohio, USA

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by amarand » 2020/05/03 18:05:23

kauer wrote:
2020/05/03 17:51:39
I've had more of a look at nf_tables now, and while it is still very early days it looks to me as if a huge chunk of the default ruleset is actually only there because firewalld sets up a bunch of stuff you and I don't need.
And when people ask me if CentOS (or Red Hat) 8 is ready for production, it's this implementation of things that are in their "very early days" that leads me to say "no, not really." Or a qualified "yes," but not really. In my heart of hearts, I feel like I should have stuck with CentOS 7, or at least not upgraded from CentOS 8.0 to 8.1, but really, this is the way we (are forced to) learn, right? :D

amarand
Posts: 38
Joined: 2006/09/12 19:09:07
Location: Columbus, Ohio, USA

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by amarand » 2020/05/03 18:14:08

amarand wrote:
2020/05/03 18:05:23
kauer wrote:
2020/05/03 17:51:39
I've had more of a look at nf_tables now, and while it is still very early days it looks to me as if a huge chunk of the default ruleset is actually only there because firewalld sets up a bunch of stuff you and I don't need.
And when people ask me if CentOS (or Red Hat) 8 is ready for production, it's this implementation of things that are in their "very early days" that leads me to say "no, not really." Or a qualified "yes," but not really. In my heart of hearts, I feel like I should have stuck with CentOS 7, or at least not upgraded from CentOS 8.0 to 8.1, but really, this is the way we (are forced to) learn, right? :D
I also realize that if I had spent half of the time I've spent playing Animal Crossing, trying to learn nftables, I'd probably be an expert by now. No hyperbole. So.... Yeah. :lol:

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by jlehtone » 2020/05/03 19:14:56

kauer wrote:
2020/05/03 17:51:39
I've had more of a look at nf_tables now, and while it is still very early days it looks to me as if a huge chunk of the default ruleset is actually only there because firewalld sets up a bunch of stuff you and I don't need.
Make a default CentOS 7 install. List:

Code:

iptables -t filter -S
iptables -t nat -S
iptables -t mangle -S
Nearly as much as in CentOS 8, just in iptables syntax.

The bunch that you and I don't need is there because firewalld needs it and because you and I are not supposed to even look at it.

amarand
Posts: 38
Joined: 2006/09/12 19:09:07
Location: Columbus, Ohio, USA

Re: Firewalld Blocking RELATED,ESTABLISHED Inbound Since Update

Post by amarand » 2020/05/03 22:12:06

So I've fiddled with this all day, and now I'm back where I started from this morning.

A clean installation of firewalld, required services configured internally and externally.

NAT and masquerade appear to be working aside from some return packets being blocked, as mentioned. The two that I've noticed are Facebook and Apple. This keeps me from using any services with issues like this. I suspect this is also what's causing me intermittent VPN connection issues during the week. I was hoping to get this all resolved today, but I feel like I've hit a (fire)wall for today.

Can anyone offer guidance on the correct way to do the following?

Under CentOS 8.1:

1) Remove all configuration from firewalld (I'm assuming these are the /etc/firewalld and /usr/lib/firewalld, but it's good to ask.)
(I want to do this because I want to make absolutely certain that there are no lingering configuration issues.)
2) Remove all configuration from nftables

If my configuration is best done with nftables, and just leave firewalld out of it, that's fine...however, it would be useful to have a soup-to-nuts, beginning to end list of commands to bring nftables from "blank" to a fully operational standard NAT/masquerade configuration.

Internal network: 192.168.1.0/24 (enp2s0 - Trusted inside)
External IP Example: 65.64.63.62 (enp3s0 - Internet outside)
(Note: this is not my actual external static IP address.)

If there is a way to do a stateful firewall using firewalld, that's awesome.

I just want the inside hosts to be able to talk to the Internet, and I want all return packets to be accepted. Right now the firewall is blocking a lot of SPT=443 from various locations (Apple and Facebook, as mentioned earlier). I can see in the logs where the DPT is incrementing and maybe semi-random?

Code:

May  3 18:04:54 home kernel: STATE_INVALID_DROP: IN=enp3s0 OUT= MAC=(28.Character.MAC) SRC=157.240.18.35 DST=65.64.63.62 LEN=47 TOS=0x00 PREC=0x00 TTL=84 ID=49495 DF PROTO=TCP SPT=443 DPT=16245 WINDOW=110 RES=0x00 ACK PSH FIN URGP=0
May  3 18:04:57 home kernel: STATE_INVALID_DROP: IN=enp3s0 OUT= MAC=(28.Character.MAC) SRC=157.240.18.35 DST=65.64.63.62 LEN=47 TOS=0x00 PREC=0x00 TTL=83 ID=11001 DF PROTO=TCP SPT=443 DPT=16249 WINDOW=110 RES=0x00 ACK PSH FIN URGP=0
For some reason, the firewall also appears to be blocking...is that broadcast/unicast?

Code:

May  3 18:04:55 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=(28.Character.MAC) SRC=fe80:0000:0000:0000:9134:9150:ead5:553b DST=ff02:0000:0000:0000:0000:0000:0001:0003 LEN=70 TC=0 HOPLIMIT=1 FLOWLBL=931183 PROTO=UDP SPT=52959 DPT=5355 LEN=30
May  3 18:04:55 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=(28.Character.MAC) SRC=fe80:0000:0000:0000:9134:9150:ead5:553b DST=ff02:0000:0000:0000:0000:0000:0001:0003 LEN=70 TC=0 HOPLIMIT=1 FLOWLBL=862423 PROTO=UDP SPT=63571 DPT=5355 LEN=30
May  3 18:04:56 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=(28.Character.MAC) SRC=fe80:0000:0000:0000:9134:9150:ead5:553b DST=ff02:0000:0000:0000:0000:0000:0001:0003 LEN=70 TC=0 HOPLIMIT=1 FLOWLBL=931183 PROTO=UDP SPT=52959 DPT=5355 LEN=30
May  3 18:04:56 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=(28.Character.MAC) SRC=fe80:0000:0000:0000:9134:9150:ead5:553b DST=ff02:0000:0000:0000:0000:0000:0001:0003 LEN=70 TC=0 HOPLIMIT=1 FLOWLBL=862423 PROTO=UDP SPT=63571 DPT=5355 LEN=30

Code:

May  3 18:04:55 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=(28.Character.MAC) SRC=192.168.1.51 DST=224.0.0.252 LEN=50 TOS=0x00 PREC=0x00 TTL=1 ID=9542 PROTO=UDP SPT=52959 DPT=5355 LEN=30
May  3 18:04:55 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=(28.Character.MAC) SRC=192.168.1.51 DST=224.0.0.252 LEN=50 TOS=0x00 PREC=0x00 TTL=1 ID=9543 PROTO=UDP SPT=63571 DPT=5355 LEN=30
May  3 18:04:56 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=(28.Character.MAC) SRC=192.168.1.51 DST=224.0.0.252 LEN=50 TOS=0x00 PREC=0x00 TTL=1 ID=9544 PROTO=UDP SPT=52959 DPT=5355 LEN=30
May  3 18:04:56 home kernel: FINAL_REJECT: IN=enp2s0 OUT= MAC=(28.Character.MAC) SRC=192.168.1.51 DST=224.0.0.252 LEN=50 TOS=0x00 PREC=0x00 TTL=1 ID=9545 PROTO=UDP SPT=63571 DPT=5355 LEN=30
Here is my current nftables (nft list ruleset):

Code:

table bridge filter {
        chain input {
                type filter hook input priority -200; policy accept;
        }

        chain forward {
                type filter hook forward priority -200; policy accept;
        }

        chain output {
                type filter hook output priority 200; policy accept;
        }

        chain INPUT {
                type filter hook input priority -200; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority -200; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority -200; policy accept;
        }
}
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}
table ip filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}
table ip mangle {
        chain output {
                type route hook output priority -150; policy accept;
        }
}
table ip nat {
        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
        }

        chain input {
                type nat hook input priority 100; policy accept;
        }

        chain output {
                type nat hook output priority -100; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
        }
}
table ip6 filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}
table ip6 mangle {
        chain output {
                type route hook output priority -150; policy accept;
        }
}
table ip6 nat {
        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
        }

        chain input {
                type nat hook input priority 100; policy accept;
        }

        chain output {
                type nat hook output priority -100; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
        }
}
table ip security {
        chain INPUT {
                type filter hook input priority 150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 150; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 150; policy accept;
        }
}
table ip raw {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority -300; policy accept;
        }
}
table ip6 security {
        chain INPUT {
                type filter hook input priority 150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 150; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 150; policy accept;
        }
}
table ip6 raw {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority -300; policy accept;
        }
}
table bridge nat {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 100; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority 300; policy accept;
        }
}
table inet firewalld {
        ct helper helper-netbios-ns-udp {
                type "netbios-ns" protocol udp

                l3proto ip
        }

        chain raw_PREROUTING {
                type filter hook prerouting priority -290; policy accept;
                icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
                meta nfproto ipv6 fib saddr . iif oif missing log prefix "rpfilter_DROP: " drop
                jump raw_PREROUTING_ZONES
        }

        chain raw_PREROUTING_ZONES {
                iifname "enp2s0" goto raw_PRE_internal
                iifname "enp3s0" goto raw_PRE_external
                goto raw_PRE_public
        }

        chain mangle_PREROUTING {
                type filter hook prerouting priority -140; policy accept;
                jump mangle_PREROUTING_ZONES
        }

        chain mangle_PREROUTING_ZONES {
                iifname "enp2s0" goto mangle_PRE_internal
                iifname "enp3s0" goto mangle_PRE_external
                goto mangle_PRE_public
        }

        chain filter_INPUT {
                type filter hook input priority 10; policy accept;
                ct state established,related accept
                ct status dnat accept
                iifname "lo" accept
                jump filter_INPUT_ZONES
                ct state invalid log prefix "STATE_INVALID_DROP: "
                ct state invalid drop
                log prefix "FINAL_REJECT: "
                reject with icmpx type admin-prohibited
        }

        chain filter_FORWARD {
                type filter hook forward priority 10; policy accept;
                ct state established,related accept
                ct status dnat accept
                iifname "lo" accept
                ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
                jump filter_FORWARD_IN_ZONES
                jump filter_FORWARD_OUT_ZONES
                ct state invalid log prefix "STATE_INVALID_DROP: "
                ct state invalid drop
                log prefix "FINAL_REJECT: "
                reject with icmpx type admin-prohibited
        }

        chain filter_OUTPUT {
                type filter hook output priority 10; policy accept;
                oifname "lo" accept
                ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
        }

        chain filter_INPUT_ZONES {
                iifname "enp2s0" goto filter_IN_internal
                iifname "enp3s0" goto filter_IN_external
                goto filter_IN_public
        }

        chain filter_FORWARD_IN_ZONES {
                iifname "enp2s0" goto filter_FWDI_internal
                iifname "enp3s0" goto filter_FWDI_external
                goto filter_FWDI_public
        }

        chain filter_FORWARD_OUT_ZONES {
                oifname "enp2s0" goto filter_FWDO_internal
                oifname "enp3s0" goto filter_FWDO_external
                goto filter_FWDO_public
        }

        chain raw_PRE_public {
                jump raw_PRE_public_pre
                jump raw_PRE_public_log
                jump raw_PRE_public_deny
                jump raw_PRE_public_allow
                jump raw_PRE_public_post
        }

        chain raw_PRE_public_pre {
        }

        chain raw_PRE_public_log {
        }

        chain raw_PRE_public_deny {
        }

        chain raw_PRE_public_allow {
        }

        chain raw_PRE_public_post {
        }

        chain filter_IN_public {
                jump filter_IN_public_pre
                jump filter_IN_public_log
                jump filter_IN_public_deny
                jump filter_IN_public_allow
                jump filter_IN_public_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_IN_public_pre {
        }

        chain filter_IN_public_log {
        }

        chain filter_IN_public_deny {
        }

        chain filter_IN_public_allow {
                tcp dport ssh ct state new,untracked accept
                ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
                tcp dport 9090 ct state new,untracked accept
        }

        chain filter_IN_public_post {
        }

        chain filter_FWDI_public {
                jump filter_FWDI_public_pre
                jump filter_FWDI_public_log
                jump filter_FWDI_public_deny
                jump filter_FWDI_public_allow
                jump filter_FWDI_public_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_FWDI_public_pre {
        }

        chain filter_FWDI_public_log {
        }

        chain filter_FWDI_public_deny {
        }

        chain filter_FWDI_public_allow {
        }

        chain filter_FWDI_public_post {
        }

        chain mangle_PRE_public {
                jump mangle_PRE_public_pre
                jump mangle_PRE_public_log
                jump mangle_PRE_public_deny
                jump mangle_PRE_public_allow
                jump mangle_PRE_public_post
        }

        chain mangle_PRE_public_pre {
        }

        chain mangle_PRE_public_log {
        }

        chain mangle_PRE_public_deny {
        }

        chain mangle_PRE_public_allow {
        }

        chain mangle_PRE_public_post {
        }

        chain filter_FWDO_public {
                jump filter_FWDO_public_pre
                jump filter_FWDO_public_log
                jump filter_FWDO_public_deny
                jump filter_FWDO_public_allow
                jump filter_FWDO_public_post
        }

        chain filter_FWDO_public_pre {
        }

        chain filter_FWDO_public_log {
        }

        chain filter_FWDO_public_deny {
        }

        chain filter_FWDO_public_allow {
        }

        chain filter_FWDO_public_post {
        }

        chain raw_PRE_external {
                jump raw_PRE_external_pre
                jump raw_PRE_external_log
                jump raw_PRE_external_deny
                jump raw_PRE_external_allow
                jump raw_PRE_external_post
        }

        chain raw_PRE_external_pre {
        }

        chain raw_PRE_external_log {
        }

        chain raw_PRE_external_deny {
        }

        chain raw_PRE_external_allow {
        }

        chain raw_PRE_external_post {
        }

        chain filter_IN_external {
                jump filter_IN_external_pre
                jump filter_IN_external_log
                jump filter_IN_external_deny
                jump filter_IN_external_allow
                jump filter_IN_external_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_IN_external_pre {
        }

        chain filter_IN_external_log {
        }

        chain filter_IN_external_deny {
        }

        chain filter_IN_external_allow {
                tcp dport ssh ct state new,untracked accept
        }

        chain filter_IN_external_post {
        }

        chain filter_FWDO_external {
                jump filter_FWDO_external_pre
                jump filter_FWDO_external_log
                jump filter_FWDO_external_deny
                jump filter_FWDO_external_allow
                jump filter_FWDO_external_post
        }

        chain filter_FWDO_external_pre {
        }

        chain filter_FWDO_external_log {
        }

        chain filter_FWDO_external_deny {
        }

        chain filter_FWDO_external_allow {
                ct state new,untracked accept
        }

        chain filter_FWDO_external_post {
        }

        chain filter_FWDI_external {
                jump filter_FWDI_external_pre
                jump filter_FWDI_external_log
                jump filter_FWDI_external_deny
                jump filter_FWDI_external_allow
                jump filter_FWDI_external_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_FWDI_external_pre {
        }

        chain filter_FWDI_external_log {
        }

        chain filter_FWDI_external_deny {
        }

        chain filter_FWDI_external_allow {
        }

        chain filter_FWDI_external_post {
        }

        chain mangle_PRE_external {
                jump mangle_PRE_external_pre
                jump mangle_PRE_external_log
                jump mangle_PRE_external_deny
                jump mangle_PRE_external_allow
                jump mangle_PRE_external_post
        }

        chain mangle_PRE_external_pre {
        }

        chain mangle_PRE_external_log {
        }

        chain mangle_PRE_external_deny {
        }

        chain mangle_PRE_external_allow {
        }

        chain mangle_PRE_external_post {
        }

        chain raw_PRE_internal {
                jump raw_PRE_internal_pre
                jump raw_PRE_internal_log
                jump raw_PRE_internal_deny
                jump raw_PRE_internal_allow
                jump raw_PRE_internal_post
        }

        chain raw_PRE_internal_pre {
        }

        chain raw_PRE_internal_log {
        }

        chain raw_PRE_internal_deny {
        }

        chain raw_PRE_internal_allow {
        }

        chain raw_PRE_internal_post {
        }

        chain filter_IN_internal {
                jump filter_IN_internal_pre
                jump filter_IN_internal_log
                jump filter_IN_internal_deny
                jump filter_IN_internal_allow
                jump filter_IN_internal_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_IN_internal_pre {
        }

        chain filter_IN_internal_log {
        }

        chain filter_IN_internal_deny {
        }

        chain filter_IN_internal_allow {
                tcp dport ssh ct state new,untracked accept
                ip daddr 224.0.0.251 udp dport mdns ct state new,untracked accept
                ip6 daddr ff02::fb udp dport mdns ct state new,untracked accept
                udp dport netbios-ns ct helper set "helper-netbios-ns-udp"
                udp dport netbios-ns ct state new,untracked accept
                udp dport netbios-dgm ct state new,untracked accept
                ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept
                tcp dport 9090 ct state new,untracked accept
                tcp dport 5900-5903 ct state new,untracked accept
        }

        chain filter_IN_internal_post {
        }

        chain filter_FWDI_internal {
                jump filter_FWDI_internal_pre
                jump filter_FWDI_internal_log
                jump filter_FWDI_internal_deny
                jump filter_FWDI_internal_allow
                jump filter_FWDI_internal_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_FWDI_internal_pre {
        }

        chain filter_FWDI_internal_log {
        }

        chain filter_FWDI_internal_deny {
        }

        chain filter_FWDI_internal_allow {
        }

        chain filter_FWDI_internal_post {
        }

        chain mangle_PRE_internal {
                jump mangle_PRE_internal_pre
                jump mangle_PRE_internal_log
                jump mangle_PRE_internal_deny
                jump mangle_PRE_internal_allow
                jump mangle_PRE_internal_post
        }

        chain mangle_PRE_internal_pre {
        }

        chain mangle_PRE_internal_log {
        }

        chain mangle_PRE_internal_deny {
        }

        chain mangle_PRE_internal_allow {
        }

        chain mangle_PRE_internal_post {
        }

        chain filter_FWDO_internal {
                jump filter_FWDO_internal_pre
                jump filter_FWDO_internal_log
                jump filter_FWDO_internal_deny
                jump filter_FWDO_internal_allow
                jump filter_FWDO_internal_post
        }

        chain filter_FWDO_internal_pre {
        }

        chain filter_FWDO_internal_log {
        }

        chain filter_FWDO_internal_deny {
        }

        chain filter_FWDO_internal_allow {
        }

        chain filter_FWDO_internal_post {
        }
}
table ip firewalld {
        chain nat_PREROUTING {
                type nat hook prerouting priority -90; policy accept;
                jump nat_PREROUTING_ZONES
        }

        chain nat_PREROUTING_ZONES {
                iifname "enp2s0" goto nat_PRE_internal
                iifname "enp3s0" goto nat_PRE_external
                goto nat_PRE_public
        }

        chain nat_POSTROUTING {
                type nat hook postrouting priority 110; policy accept;
                jump nat_POSTROUTING_ZONES
        }

        chain nat_POSTROUTING_ZONES {
                oifname "enp2s0" goto nat_POST_internal
                oifname "enp3s0" goto nat_POST_external
                goto nat_POST_public
        }

        chain nat_PRE_public {
                jump nat_PRE_public_pre
                jump nat_PRE_public_log
                jump nat_PRE_public_deny
                jump nat_PRE_public_allow
                jump nat_PRE_public_post
        }

        chain nat_PRE_public_pre {
        }

        chain nat_PRE_public_log {
        }

        chain nat_PRE_public_deny {
        }

        chain nat_PRE_public_allow {
        }

        chain nat_PRE_public_post {
        }

        chain nat_POST_public {
                jump nat_POST_public_pre
                jump nat_POST_public_log
                jump nat_POST_public_deny
                jump nat_POST_public_allow
                jump nat_POST_public_post
        }

        chain nat_POST_public_pre {
        }

        chain nat_POST_public_log {
        }

        chain nat_POST_public_deny {
        }

        chain nat_POST_public_allow {
        }

        chain nat_POST_public_post {
        }

        chain nat_POST_external {
                jump nat_POST_external_pre
                jump nat_POST_external_log
                jump nat_POST_external_deny
                jump nat_POST_external_allow
                jump nat_POST_external_post
        }

        chain nat_POST_external_pre {
        }

        chain nat_POST_external_log {
        }

        chain nat_POST_external_deny {
        }

        chain nat_POST_external_allow {
                oifname != "lo" masquerade
        }

        chain nat_POST_external_post {
        }

        chain nat_PRE_external {
                jump nat_PRE_external_pre
                jump nat_PRE_external_log
                jump nat_PRE_external_deny
                jump nat_PRE_external_allow
                jump nat_PRE_external_post
        }

        chain nat_PRE_external_pre {
        }

        chain nat_PRE_external_log {
        }

        chain nat_PRE_external_deny {
        }

        chain nat_PRE_external_allow {
        }

        chain nat_PRE_external_post {
        }

        chain nat_PRE_internal {
                jump nat_PRE_internal_pre
                jump nat_PRE_internal_log
                jump nat_PRE_internal_deny
                jump nat_PRE_internal_allow
                jump nat_PRE_internal_post
        }

        chain nat_PRE_internal_pre {
        }

        chain nat_PRE_internal_log {
        }

        chain nat_PRE_internal_deny {
        }

        chain nat_PRE_internal_allow {
        }

        chain nat_PRE_internal_post {
        }

        chain nat_POST_internal {
                jump nat_POST_internal_pre
                jump nat_POST_internal_log
                jump nat_POST_internal_deny
                jump nat_POST_internal_allow
                jump nat_POST_internal_post
        }

        chain nat_POST_internal_pre {
        }

        chain nat_POST_internal_log {
        }

        chain nat_POST_internal_deny {
        }

        chain nat_POST_internal_allow {
        }

        chain nat_POST_internal_post {
        }
}
table ip6 firewalld {
        chain nat_PREROUTING {
                type nat hook prerouting priority -90; policy accept;
                jump nat_PREROUTING_ZONES
        }

        chain nat_PREROUTING_ZONES {
                iifname "enp2s0" goto nat_PRE_internal
                iifname "enp3s0" goto nat_PRE_external
                goto nat_PRE_public
        }

        chain nat_POSTROUTING {
                type nat hook postrouting priority 110; policy accept;
                jump nat_POSTROUTING_ZONES
        }

        chain nat_POSTROUTING_ZONES {
                oifname "enp2s0" goto nat_POST_internal
                oifname "enp3s0" goto nat_POST_external
                goto nat_POST_public
        }

        chain nat_PRE_public {
                jump nat_PRE_public_pre
                jump nat_PRE_public_log
                jump nat_PRE_public_deny
                jump nat_PRE_public_allow
                jump nat_PRE_public_post
        }

        chain nat_PRE_public_pre {
        }

        chain nat_PRE_public_log {
        }

        chain nat_PRE_public_deny {
        }

        chain nat_PRE_public_allow {
        }

        chain nat_PRE_public_post {
        }

        chain nat_POST_public {
                jump nat_POST_public_pre
                jump nat_POST_public_log
                jump nat_POST_public_deny
                jump nat_POST_public_allow
                jump nat_POST_public_post
        }

        chain nat_POST_public_pre {
        }

        chain nat_POST_public_log {
        }

        chain nat_POST_public_deny {
        }

        chain nat_POST_public_allow {
        }

        chain nat_POST_public_post {
        }

        chain nat_POST_external {
                jump nat_POST_external_pre
                jump nat_POST_external_log
                jump nat_POST_external_deny
                jump nat_POST_external_allow
                jump nat_POST_external_post
        }

        chain nat_POST_external_pre {
        }

        chain nat_POST_external_log {
        }

        chain nat_POST_external_deny {
        }

        chain nat_POST_external_allow {
                oifname != "lo" masquerade
        }

        chain nat_POST_external_post {
        }

        chain nat_PRE_external {
                jump nat_PRE_external_pre
                jump nat_PRE_external_log
                jump nat_PRE_external_deny
                jump nat_PRE_external_allow
                jump nat_PRE_external_post
        }

        chain nat_PRE_external_pre {
        }

        chain nat_PRE_external_log {
        }

        chain nat_PRE_external_deny {
        }

        chain nat_PRE_external_allow {
        }

        chain nat_PRE_external_post {
        }

        chain nat_PRE_internal {
                jump nat_PRE_internal_pre
                jump nat_PRE_internal_log
                jump nat_PRE_internal_deny
                jump nat_PRE_internal_allow
                jump nat_PRE_internal_post
        }

        chain nat_PRE_internal_pre {
        }

        chain nat_PRE_internal_log {
        }

        chain nat_PRE_internal_deny {
        }

        chain nat_PRE_internal_allow {
        }

        chain nat_PRE_internal_post {
        }

        chain nat_POST_internal {
                jump nat_POST_internal_pre
                jump nat_POST_internal_log
                jump nat_POST_internal_deny
                jump nat_POST_internal_allow
                jump nat_POST_internal_post
        }

        chain nat_POST_internal_pre {
        }

        chain nat_POST_internal_log {
        }

        chain nat_POST_internal_deny {
        }

        chain nat_POST_internal_allow {
        }

        chain nat_POST_internal_post {
        }
}
I really don't know what to do at this point, but I really need to give up for the day. Any advice would be appreciated.
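A check that can be run over a saved `nft list ruleset` dump like the one above, added here as an example that is not from the thread or from firewalld: it walks the output, finds every base chain hooked on input or forward, and reports whether an accept for established/related state comes before the first terminal drop or reject in that chain (it does not follow jumps into zone chains). The sample ruleset inside it is constructed; chain names follow the layout firewalld's nftables backend generates.

```python
import re

# Constructed sample shaped like firewalld's `nft list ruleset` output (not the
# poster's real dump); filter_INPUT deliberately lacks the established,related accept.
SAMPLE_RULESET = """\
table inet firewalld {
        chain filter_INPUT {
                type filter hook input priority 10; policy accept;
                iifname "lo" accept
                jump filter_INPUT_ZONES
                ct state invalid drop
                reject with icmpx type admin-prohibited
        }
        chain filter_FORWARD {
                type filter hook forward priority 10; policy accept;
                ct state established,related accept
                jump filter_FORWARD_IN_ZONES
                reject with icmpx type admin-prohibited
        }
}
"""

HOOK_RE = re.compile(r"type (\w+) hook (\w+) priority (-?\d+); policy (\w+);")

def stateful_accept_findings(text):
    """Per base chain hooked on input/forward: True if an accept for established/
    related state precedes the first terminal drop/reject rule in that chain."""
    findings, table, chain, hook, verdict = {}, None, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"table (\S+ \S+) \{$", line):
            table = m.group(1)
        elif m := re.match(r"chain (\S+) \{$", line):
            chain, hook, verdict = m.group(1), None, None
        elif m := HOOK_RE.match(line):
            hook = m.group(2)
        elif line == "}" and chain:  # chains close before their table does
            if hook in ("input", "forward"):
                findings[f"{table} {chain}"] = verdict is True
            chain = None
        elif chain and verdict is None:
            if line.startswith("ct state") and "established" in line and line.endswith("accept"):
                verdict = True
            elif line.startswith(("drop", "reject")) or line.endswith(" drop"):
                verdict = False  # terminal verdict hit first; jumped-to chains are not followed

    return findings

if __name__ == "__main__":
    for chain, ok in stateful_accept_findings(SAMPLE_RULESET).items():
        print(f"{chain}: {'ok' if ok else 'no established,related accept before drop/reject'}")
```

Feed it the real dump with `nft list ruleset > ruleset.txt` and `stateful_accept_findings(open("ruleset.txt").read())`; a `False` for `filter_INPUT` is the symptom this thread describes, and the base chain is then the place to look.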
