EDIT2: firewalld is exhibiting the desired behavior, hosts in my iot zone have direct access to the Internet, but no access to my home zone. Perhaps when I start adding IoT devices to my network, I'll lock it down further. It depends greatly on the device, and whether it needs to access the Internet to stay up to date. That's an exercise for the future, I have no plans to add specific devices yet. Probably the first devices will be Ubiquiti cameras, and I haven't even begun to research those. They may need to get their updates from the UniFi controller, it's unclear to me how all that works right now. Now I'm rambling, but this is most definitely SOLVED! Thanks to -thc for walking me through this!
EDIT: My firewalld setup may not be as secure as I desire, I have some confusion over implicit FORWARD/FWD chains/rules. See comments below. So far, setting the target of the iot zone to ACCEPT seems to be my solution. But that might not be what I want? I'm not sure how else to define it, it looks like both the home and iot zones are configured otherwise identically (except for my rich/direct rule preventing hosts in the iot zone from reaching the home zone).
I have an IoT (Internet of Things) zone which does not have Internet access. Here's what I get when I try to ping through an interface in this zone:
ping -I enp9s0 archlinux.org
PING archlinux.org (95.217.163.246) from 172.16.87.2 enp9s0: 56(84) bytes of data.
From _gateway (172.16.87.254) icmp_seq=1 Packet filtered
From _gateway (172.16.87.254) icmp_seq=2 Packet filtered
From _gateway (172.16.87.254) icmp_seq=3 Packet filtered
From _gateway (172.16.87.254) icmp_seq=4 Packet filtered
The gateway is my router, running Arch Linux and firewalld. Here are my active zones:
home (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: enp4s0 wg0
sources:
services: dhcpv6-client dns mdns samba-client ssh
ports:
protocols:
forward: no
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
iot (active)
target: default
icmp-block-inversion: no
interfaces: enp4s0.66
sources: 172.16.87.0/24
services: dhcp dns http https
ports:
protocols:
forward: no
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.16.87.0/24" destination address="10.20.30.0/24" drop
public (active)
target: default
icmp-block-inversion: no
interfaces: enp3s0
sources:
services:
ports: 61987/tcp 32400/udp 31987/udp
protocols:
forward: no
masquerade: yes
forward-ports:
port=61987:proto=tcp:toport=22:toaddr=10.20.30.87
port=32400:proto=tcp:toport=32400:toaddr=10.20.30.87
source-ports:
icmp-blocks:
rich rules:
The enp4s0 interface is for my LAN (untagged VLAN). It has a VLAN (66), which I use for my IoT network. When I had this setup in Debian, the IoT subnet definitely had Internet access. I converted my DIY router to Arch back in October, and never really tested the IoT zone until this past weekend. That's when I discovered it didn't have Internet access. The home zone definitely does have Internet access; the host I was pinging from above has an interface in that zone, and it can access the Internet. I'm using the iot zone as a kind of DMZ, where it can access the Internet, but nothing on my home network (subnet 10.20.30.0/24).
I have one direct rule (because the iot rich rule did not seem to work when I had this set up in Debian, I have not yet tested whether this is still necessary):
ipv4 raw PREROUTING 0 -s 172.16.87.0/24 -d 10.20.30.0/24 -j DROP
I have the following policies:
allow-host-ipv6 (active)
priority: -15000
target: CONTINUE
ingress-zones: ANY
egress-zones: HOST
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv6" icmp-type name="neighbour-advertisement" accept
rule family="ipv6" icmp-type name="neighbour-solicitation" accept
rule family="ipv6" icmp-type name="router-advertisement" accept
rule family="ipv6" icmp-type name="redirect" accept
iot-policy (active)
priority: -1000
target: CONTINUE
ingress-zones: iot
egress-zones: ANY
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
I added the iot-policy in an attempt to get this zone's Internet access working. I also show that ip forwarding is set up for the enp4s0.66 interface:
# sysctl --all | grep 'ipv4.conf.enp4s0'
net.ipv4.conf.enp4s0.accept_local = 0
net.ipv4.conf.enp4s0.accept_redirects = 1
net.ipv4.conf.enp4s0.accept_source_route = 0
net.ipv4.conf.enp4s0.arp_accept = 0
net.ipv4.conf.enp4s0.arp_announce = 0
net.ipv4.conf.enp4s0.arp_filter = 0
net.ipv4.conf.enp4s0.arp_ignore = 0
net.ipv4.conf.enp4s0.arp_notify = 0
net.ipv4.conf.enp4s0.bc_forwarding = 0
net.ipv4.conf.enp4s0.bootp_relay = 0
net.ipv4.conf.enp4s0.disable_policy = 0
net.ipv4.conf.enp4s0.disable_xfrm = 0
net.ipv4.conf.enp4s0.drop_gratuitous_arp = 0
net.ipv4.conf.enp4s0.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.enp4s0.force_igmp_version = 0
net.ipv4.conf.enp4s0.forwarding = 1
net.ipv4.conf.enp4s0.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.enp4s0.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.enp4s0.ignore_routes_with_linkdown = 0
net.ipv4.conf.enp4s0.log_martians = 0
net.ipv4.conf.enp4s0.mc_forwarding = 0
net.ipv4.conf.enp4s0.medium_id = 0
net.ipv4.conf.enp4s0.promote_secondaries = 1
net.ipv4.conf.enp4s0.proxy_arp = 0
net.ipv4.conf.enp4s0.proxy_arp_pvlan = 0
net.ipv4.conf.enp4s0.route_localnet = 0
net.ipv4.conf.enp4s0.rp_filter = 2
net.ipv4.conf.enp4s0.secure_redirects = 1
net.ipv4.conf.enp4s0.send_redirects = 1
net.ipv4.conf.enp4s0.shared_media = 1
net.ipv4.conf.enp4s0.src_valid_mark = 0
net.ipv4.conf.enp4s0.tag = 0
net.ipv4.conf.enp4s0/66.accept_local = 0
net.ipv4.conf.enp4s0/66.accept_redirects = 1
net.ipv4.conf.enp4s0/66.accept_source_route = 0
net.ipv4.conf.enp4s0/66.arp_accept = 0
net.ipv4.conf.enp4s0/66.arp_announce = 0
net.ipv4.conf.enp4s0/66.arp_filter = 0
net.ipv4.conf.enp4s0/66.arp_ignore = 0
net.ipv4.conf.enp4s0/66.arp_notify = 0
net.ipv4.conf.enp4s0/66.bc_forwarding = 0
net.ipv4.conf.enp4s0/66.bootp_relay = 0
net.ipv4.conf.enp4s0/66.disable_policy = 0
net.ipv4.conf.enp4s0/66.disable_xfrm = 0
net.ipv4.conf.enp4s0/66.drop_gratuitous_arp = 0
net.ipv4.conf.enp4s0/66.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.enp4s0/66.force_igmp_version = 0
net.ipv4.conf.enp4s0/66.forwarding = 1
net.ipv4.conf.enp4s0/66.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.enp4s0/66.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.enp4s0/66.ignore_routes_with_linkdown = 0
net.ipv4.conf.enp4s0/66.log_martians = 0
net.ipv4.conf.enp4s0/66.mc_forwarding = 0
net.ipv4.conf.enp4s0/66.medium_id = 0
net.ipv4.conf.enp4s0/66.promote_secondaries = 1
net.ipv4.conf.enp4s0/66.proxy_arp = 0
net.ipv4.conf.enp4s0/66.proxy_arp_pvlan = 0
net.ipv4.conf.enp4s0/66.route_localnet = 0
net.ipv4.conf.enp4s0/66.rp_filter = 2
net.ipv4.conf.enp4s0/66.secure_redirects = 1
net.ipv4.conf.enp4s0/66.send_redirects = 1
net.ipv4.conf.enp4s0/66.shared_media = 1
net.ipv4.conf.enp4s0/66.src_valid_mark = 0
net.ipv4.conf.enp4s0/66.tag = 0
I still think it's firewalld, and I'm missing something simple. Do you think it could be the rules disallowing traffic between my iot and home zones? Maybe the interface of home is matching, and the traffic is being blocked? I distinctly remember this setup working in Debian, but Arch uses a newer version of firewalld.
Last edited by ectospasm (2022-02-23 02:30:50)
Since I do not use firewalld (or any other abstraction layer) for the linux netfilter subsystem, can you show us the actual nftables rule set?
sudo nft list tables inet
Should output something along the lines of:
table inet firewalld
And finally:
sudo nft list table inet firewalld
And if it's too long - please just post a link here.
Here's the output of nft list tables inet:
table inet firewalld
Here's the output of nft list table inet firewalld:
table inet firewalld {
ct helper helper-netbios-ns-udp {
type "netbios-ns" protocol udp
l3proto ip
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
iifname "enp4s0.66" jump mangle_PRE_policy_iot-policy
ip saddr 172.16.87.0/24 jump mangle_PRE_policy_iot-policy
}
chain mangle_PREROUTING_ZONES {
ip saddr 172.16.87.0/24 goto mangle_PRE_iot
iifname "enp3s0" goto mangle_PRE_public
iifname "enp4s0.66" goto mangle_PRE_iot
iifname "wg0" goto mangle_PRE_home
iifname "enp4s0" goto mangle_PRE_home
goto mangle_PRE_public
}
chain mangle_PREROUTING_POLICIES_post {
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_POLICIES_pre {
jump nat_PRE_policy_allow-host-ipv6
iifname "enp4s0.66" jump nat_PRE_policy_iot-policy
ip saddr 172.16.87.0/24 jump nat_PRE_policy_iot-policy
}
chain nat_PREROUTING_ZONES {
ip saddr 172.16.87.0/24 goto nat_PRE_iot
iifname "enp3s0" goto nat_PRE_public
iifname "enp4s0.66" goto nat_PRE_iot
iifname "wg0" goto nat_PRE_home
iifname "enp4s0" goto nat_PRE_home
goto nat_PRE_public
}
chain nat_PREROUTING_POLICIES_post {
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_POLICIES_pre {
}
chain nat_POSTROUTING_ZONES {
ip daddr 172.16.87.0/24 goto nat_POST_iot
oifname "enp3s0" goto nat_POST_public
oifname "enp4s0.66" goto nat_POST_iot
oifname "wg0" goto nat_POST_home
oifname "enp4s0" goto nat_POST_home
goto nat_POST_public
}
chain nat_POSTROUTING_POLICIES_post {
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES
ct state invalid drop
reject with icmpx admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_FORWARD_ZONES
ct state invalid drop
reject with icmpx admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_OUTPUT_POLICIES_pre
jump filter_OUTPUT_POLICIES_post
}
chain filter_INPUT_POLICIES_pre {
jump filter_IN_policy_allow-host-ipv6
}
chain filter_INPUT_ZONES {
ip saddr 172.16.87.0/24 goto filter_IN_iot
iifname "enp3s0" goto filter_IN_public
iifname "enp4s0.66" goto filter_IN_iot
iifname "wg0" goto filter_IN_home
iifname "enp4s0" goto filter_IN_home
goto filter_IN_public
}
chain filter_INPUT_POLICIES_post {
}
chain filter_FORWARD_POLICIES_pre {
iifname "enp4s0.66" jump filter_FWD_policy_iot-policy
ip saddr 172.16.87.0/24 jump filter_FWD_policy_iot-policy
}
chain filter_FORWARD_ZONES {
ip saddr 172.16.87.0/24 goto filter_FWD_iot
iifname "enp3s0" goto filter_FWD_public
iifname "enp4s0.66" goto filter_FWD_iot
iifname "wg0" goto filter_FWD_home
iifname "enp4s0" goto filter_FWD_home
goto filter_FWD_public
}
chain filter_FORWARD_POLICIES_post {
}
chain filter_OUTPUT_POLICIES_pre {
}
chain filter_OUTPUT_POLICIES_post {
}
chain filter_IN_home {
jump filter_INPUT_POLICIES_pre
jump filter_IN_home_pre
jump filter_IN_home_log
jump filter_IN_home_deny
jump filter_IN_home_allow
jump filter_IN_home_post
jump filter_INPUT_POLICIES_post
accept
}
chain filter_IN_home_pre {
}
chain filter_IN_home_log {
}
chain filter_IN_home_deny {
}
chain filter_IN_home_allow {
tcp dport 22 ct state { new, untracked } accept
ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept
ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept
udp dport 137 ct helper set "helper-netbios-ns-udp"
udp dport 137 ct state { new, untracked } accept
udp dport 138 ct state { new, untracked } accept
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
tcp dport 53 ct state { new, untracked } accept
udp dport 53 ct state { new, untracked } accept
}
chain filter_IN_home_post {
}
chain nat_POST_home {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_home_pre
jump nat_POST_home_log
jump nat_POST_home_deny
jump nat_POST_home_allow
jump nat_POST_home_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_home_pre {
}
chain nat_POST_home_log {
}
chain nat_POST_home_deny {
}
chain nat_POST_home_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_home_post {
}
chain filter_FWD_home {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_home_pre
jump filter_FWD_home_log
jump filter_FWD_home_deny
jump filter_FWD_home_allow
jump filter_FWD_home_post
jump filter_FORWARD_POLICIES_post
accept
}
chain filter_FWD_home_pre {
}
chain filter_FWD_home_log {
}
chain filter_FWD_home_deny {
}
chain filter_FWD_home_allow {
}
chain filter_FWD_home_post {
}
chain nat_PRE_home {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_home_pre
jump nat_PRE_home_log
jump nat_PRE_home_deny
jump nat_PRE_home_allow
jump nat_PRE_home_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_home_pre {
}
chain nat_PRE_home_log {
}
chain nat_PRE_home_deny {
}
chain nat_PRE_home_allow {
}
chain nat_PRE_home_post {
}
chain mangle_PRE_home {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_home_pre
jump mangle_PRE_home_log
jump mangle_PRE_home_deny
jump mangle_PRE_home_allow
jump mangle_PRE_home_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_home_pre {
}
chain mangle_PRE_home_log {
}
chain mangle_PRE_home_deny {
}
chain mangle_PRE_home_allow {
}
chain mangle_PRE_home_post {
}
chain filter_IN_iot {
jump filter_INPUT_POLICIES_pre
jump filter_IN_iot_pre
jump filter_IN_iot_log
jump filter_IN_iot_deny
jump filter_IN_iot_allow
jump filter_IN_iot_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
reject with icmpx admin-prohibited
}
chain filter_IN_iot_pre {
}
chain filter_IN_iot_log {
}
chain filter_IN_iot_deny {
ip daddr 10.20.30.0/24 ip saddr 172.16.87.0/24 drop
}
chain filter_IN_iot_allow {
tcp dport 53 ct state { new, untracked } accept
udp dport 53 ct state { new, untracked } accept
tcp dport 80 ct state { new, untracked } accept
tcp dport 443 ct state { new, untracked } accept
udp dport 67 ct state { new, untracked } accept
}
chain filter_IN_iot_post {
}
chain nat_POST_iot {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_iot_pre
jump nat_POST_iot_log
jump nat_POST_iot_deny
jump nat_POST_iot_allow
jump nat_POST_iot_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_iot_pre {
}
chain nat_POST_iot_log {
}
chain nat_POST_iot_deny {
}
chain nat_POST_iot_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_iot_post {
}
chain filter_FWD_iot {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_iot_pre
jump filter_FWD_iot_log
jump filter_FWD_iot_deny
jump filter_FWD_iot_allow
jump filter_FWD_iot_post
jump filter_FORWARD_POLICIES_post
reject with icmpx admin-prohibited
}
chain filter_FWD_iot_pre {
}
chain filter_FWD_iot_log {
}
chain filter_FWD_iot_deny {
}
chain filter_FWD_iot_allow {
oifname "enp4s0.66" accept
ip daddr 172.16.87.0/24 accept
}
chain filter_FWD_iot_post {
}
chain nat_PRE_iot {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_iot_pre
jump nat_PRE_iot_log
jump nat_PRE_iot_deny
jump nat_PRE_iot_allow
jump nat_PRE_iot_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_iot_pre {
}
chain nat_PRE_iot_log {
}
chain nat_PRE_iot_deny {
}
chain nat_PRE_iot_allow {
}
chain nat_PRE_iot_post {
}
chain mangle_PRE_iot {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_iot_pre
jump mangle_PRE_iot_log
jump mangle_PRE_iot_deny
jump mangle_PRE_iot_allow
jump mangle_PRE_iot_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_iot_pre {
}
chain mangle_PRE_iot_log {
}
chain mangle_PRE_iot_deny {
}
chain mangle_PRE_iot_allow {
}
chain mangle_PRE_iot_post {
}
chain filter_IN_public {
jump filter_INPUT_POLICIES_pre
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
reject with icmpx admin-prohibited
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
chain filter_IN_public_allow {
tcp dport 61987 ct state { new, untracked } accept
udp dport 32400 ct state { new, untracked } accept
udp dport 31987 ct state { new, untracked } accept
}
chain filter_IN_public_post {
}
chain nat_POST_public {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_public_post {
}
chain filter_FWD_public {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_public_pre
jump filter_FWD_public_log
jump filter_FWD_public_deny
jump filter_FWD_public_allow
jump filter_FWD_public_post
jump filter_FORWARD_POLICIES_post
reject with icmpx admin-prohibited
}
chain filter_FWD_public_pre {
}
chain filter_FWD_public_log {
}
chain filter_FWD_public_deny {
}
chain filter_FWD_public_allow {
}
chain filter_FWD_public_post {
}
chain nat_PRE_public {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
meta nfproto ipv4 tcp dport 61987 dnat ip to 10.20.30.87:22
meta nfproto ipv4 tcp dport 32400 dnat ip to 10.20.30.87:32400
}
chain nat_PRE_public_post {
}
chain mangle_PRE_public {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
chain filter_FWD_policy_iot-policy {
jump filter_FWD_policy_iot-policy_pre
jump filter_FWD_policy_iot-policy_log
jump filter_FWD_policy_iot-policy_deny
jump filter_FWD_policy_iot-policy_allow
jump filter_FWD_policy_iot-policy_post
}
chain filter_FWD_policy_iot-policy_pre {
}
chain filter_FWD_policy_iot-policy_log {
}
chain filter_FWD_policy_iot-policy_deny {
}
chain filter_FWD_policy_iot-policy_allow {
}
chain filter_FWD_policy_iot-policy_post {
}
chain nat_PRE_policy_iot-policy {
jump nat_PRE_policy_iot-policy_pre
jump nat_PRE_policy_iot-policy_log
jump nat_PRE_policy_iot-policy_deny
jump nat_PRE_policy_iot-policy_allow
jump nat_PRE_policy_iot-policy_post
}
chain nat_PRE_policy_iot-policy_pre {
}
chain nat_PRE_policy_iot-policy_log {
}
chain nat_PRE_policy_iot-policy_deny {
}
chain nat_PRE_policy_iot-policy_allow {
}
chain nat_PRE_policy_iot-policy_post {
}
chain mangle_PRE_policy_iot-policy {
jump mangle_PRE_policy_iot-policy_pre
jump mangle_PRE_policy_iot-policy_log
jump mangle_PRE_policy_iot-policy_deny
jump mangle_PRE_policy_iot-policy_allow
jump mangle_PRE_policy_iot-policy_post
}
chain mangle_PRE_policy_iot-policy_pre {
}
chain mangle_PRE_policy_iot-policy_log {
}
chain mangle_PRE_policy_iot-policy_deny {
}
chain mangle_PRE_policy_iot-policy_allow {
}
chain mangle_PRE_policy_iot-policy_post {
}
}
iptables --list appears to be empty:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
So it looks like firewalld is abstracting nft only.
I think I fixed it. I set the target of the iot zone to ACCEPT. I saw the following line in the chain filter_IN_iot:
reject with icmpx admin-prohibited
Setting the target to ACCEPT fixed it. Is there a better way to do this? I don't want devices in the iot zone to have much access to my router (except for dhcp and dns).
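To see where the "Packet filtered" reply comes from, here is an added example (not code from this thread or from firewalld): a small Python walker that parses an excerpt of the nft dump posted above and traces one forwarded packet through filter_FORWARD with nft's jump/goto semantics, once with the iot zone's default target and once with the target set to ACCEPT. The chain excerpt, the packet fields and every function name are constructed for this illustration.

```python
import ipaddress, re

# Constructed excerpt of the `nft list table inet firewalld` dump posted above, keeping only
# the chains a forwarded IPv4 packet reaches (empty pre/log/post/policy chains left out).
RULESET_DEFAULT_TARGET = """
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_FORWARD_ZONES
ct state invalid drop
reject with icmpx admin-prohibited
}
chain filter_FORWARD_ZONES {
ip saddr 172.16.87.0/24 goto filter_FWD_iot
iifname "enp3s0" goto filter_FWD_public
iifname "enp4s0.66" goto filter_FWD_iot
goto filter_FWD_public
}
chain filter_FWD_iot {
jump filter_FWD_iot_deny
jump filter_FWD_iot_allow
reject with icmpx admin-prohibited
}
chain filter_FWD_iot_deny {
}
chain filter_FWD_iot_allow {
oifname "enp4s0.66" accept
ip daddr 172.16.87.0/24 accept
}
chain filter_FWD_public {
reject with icmpx admin-prohibited
}
"""
# Same excerpt after setting the iot zone's target to ACCEPT: the zone chain's trailing
# reject becomes an accept, exactly as in the second dump in this thread.
RULESET_ACCEPT_TARGET = RULESET_DEFAULT_TARGET.replace(
    "reject with icmpx admin-prohibited\n}\nchain filter_FWD_iot_deny",
    "accept\n}\nchain filter_FWD_iot_deny")

VERDICTS = {"accept", "drop", "reject", "jump", "goto"}
KEYWORDS = VERDICTS | {"iifname", "oifname", "ip", "ct"}

def parse(text):
    """Return {chain name: [rule text, ...]} from `nft list table` output."""
    chains, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        head = re.match(r"chain (\S+) \{", line)
        if head:
            cur = chains.setdefault(head.group(1), [])
        elif line not in ("", "}") and not line.startswith("type "):
            cur.append(line)          # the base chain's type/policy line is not a rule
    return chains

def rule_matches(tokens, pkt):
    """Evaluate a rule's match expressions; return (matched, verdict tokens)."""
    i, ok = 0, True
    while ok and i < len(tokens) and tokens[i] not in VERDICTS:
        t = tokens[i]
        if t in ("iifname", "oifname"):
            ok, i = pkt[t] == tokens[i + 1], i + 2
        elif t == "ip":                                   # ip saddr|daddr <cidr>
            net = ipaddress.ip_network(tokens[i + 2])
            ok, i = ipaddress.ip_address(pkt[tokens[i + 1]]) in net, i + 3
        elif t == "ct":                                   # ct state a b ... | ct status x
            key, i, vals = tokens[i + 1], i + 2, set()
            while i < len(tokens) and tokens[i] not in KEYWORDS:
                vals.add(tokens[i])
                i += 1
            ok = pkt["ct_" + key] in vals
        else:
            raise ValueError("unsupported expression: " + " ".join(tokens))
    return ok, tokens[i:] if ok else []

def walk(chains, name, pkt, trace):
    """nft semantics: a jump returns to its caller on fall-through, a goto does not."""
    for rule in chains[name]:
        ok, verdict = rule_matches(re.sub(r'[{},"]', " ", rule).split(), pkt)
        if not ok or not verdict:
            continue
        trace.append(f"{name}: {rule}")
        if verdict[0] in ("accept", "drop", "reject"):
            return verdict[0]
        result = walk(chains, verdict[1], pkt, trace)    # jump or goto to verdict[1]
        if result is not None or verdict[0] == "goto":
            return result
    return None                                           # fell off the end of the chain

def forward_verdict(chains, pkt):
    """Verdict for a packet entering the forward hook, plus the rules it hit on the way."""
    trace = []
    return walk(chains, "filter_FORWARD", pkt, trace), trace

# Constructed packets modelled on the ping above: IoT host -> archlinux.org, and the same
# host -> a home host (the OP's direct raw-table rule is outside this table, so not modelled).
IOT_TO_INTERNET = dict(iifname="enp4s0.66", oifname="enp3s0", saddr="172.16.87.2",
                       daddr="95.217.163.246", ct_state="new", ct_status="none")
IOT_TO_HOME = {**IOT_TO_INTERNET, "oifname": "enp4s0", "daddr": "10.20.30.87"}
```

With the default target the iot -> Internet packet ends at the zone chain's final reject (the admin-prohibited ICMP the ping reported); with ACCEPT the same packet is accepted, and so is an iot -> home packet within this table, because filter_FWD_iot_deny is empty.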
Please be aware that you have blown implicit FORWARD restrictions of firewalld open.
The better way would be inserting log rules to analyze where the packet matching fails. While there seems to be no obvious error I suspect something along this line: The kernel removes the VLAN tag and thus changes the originating interface name.
Last edited by -thc (2022-02-21 19:42:26)
Please be aware that you have blown implicit FORWARD restrictions of firewalld open.
I don't see how that's the case, it's only open for the home and iot zones. Are there implicit rules that don't show up in the output of nft? Here's my current inet firewalld table, with the target for the iot zone set to ACCEPT (nft list table inet firewalld):
table inet firewalld {
ct helper helper-netbios-ns-udp {
type "netbios-ns" protocol udp
l3proto ip
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
iifname "enp4s0.66" jump mangle_PRE_policy_iot-policy
ip saddr 172.16.87.0/24 jump mangle_PRE_policy_iot-policy
}
chain mangle_PREROUTING_ZONES {
ip saddr 172.16.87.0/24 goto mangle_PRE_iot
iifname "enp3s0" goto mangle_PRE_public
iifname "enp4s0.66" goto mangle_PRE_iot
iifname "wg0" goto mangle_PRE_home
iifname "enp4s0" goto mangle_PRE_home
goto mangle_PRE_public
}
chain mangle_PREROUTING_POLICIES_post {
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_POLICIES_pre {
jump nat_PRE_policy_allow-host-ipv6
iifname "enp4s0.66" jump nat_PRE_policy_iot-policy
ip saddr 172.16.87.0/24 jump nat_PRE_policy_iot-policy
}
chain nat_PREROUTING_ZONES {
ip saddr 172.16.87.0/24 goto nat_PRE_iot
iifname "enp3s0" goto nat_PRE_public
iifname "enp4s0.66" goto nat_PRE_iot
iifname "wg0" goto nat_PRE_home
iifname "enp4s0" goto nat_PRE_home
goto nat_PRE_public
}
chain nat_PREROUTING_POLICIES_post {
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_POLICIES_pre {
}
chain nat_POSTROUTING_ZONES {
ip daddr 172.16.87.0/24 goto nat_POST_iot
oifname "enp3s0" goto nat_POST_public
oifname "enp4s0.66" goto nat_POST_iot
oifname "wg0" goto nat_POST_home
oifname "enp4s0" goto nat_POST_home
goto nat_POST_public
}
chain nat_POSTROUTING_POLICIES_post {
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES
ct state invalid drop
reject with icmpx admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_FORWARD_ZONES
ct state invalid drop
reject with icmpx admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_OUTPUT_POLICIES_pre
jump filter_OUTPUT_POLICIES_post
}
chain filter_INPUT_POLICIES_pre {
jump filter_IN_policy_allow-host-ipv6
}
chain filter_INPUT_ZONES {
ip saddr 172.16.87.0/24 goto filter_IN_iot
iifname "enp3s0" goto filter_IN_public
iifname "enp4s0.66" goto filter_IN_iot
iifname "wg0" goto filter_IN_home
iifname "enp4s0" goto filter_IN_home
goto filter_IN_public
}
chain filter_INPUT_POLICIES_post {
}
chain filter_FORWARD_POLICIES_pre {
iifname "enp4s0.66" jump filter_FWD_policy_iot-policy
ip saddr 172.16.87.0/24 jump filter_FWD_policy_iot-policy
}
chain filter_FORWARD_ZONES {
ip saddr 172.16.87.0/24 goto filter_FWD_iot
iifname "enp3s0" goto filter_FWD_public
iifname "enp4s0.66" goto filter_FWD_iot
iifname "wg0" goto filter_FWD_home
iifname "enp4s0" goto filter_FWD_home
goto filter_FWD_public
}
chain filter_FORWARD_POLICIES_post {
}
chain filter_OUTPUT_POLICIES_pre {
}
chain filter_OUTPUT_POLICIES_post {
}
chain filter_IN_home {
jump filter_INPUT_POLICIES_pre
jump filter_IN_home_pre
jump filter_IN_home_log
jump filter_IN_home_deny
jump filter_IN_home_allow
jump filter_IN_home_post
jump filter_INPUT_POLICIES_post
accept
}
chain filter_IN_home_pre {
}
chain filter_IN_home_log {
}
chain filter_IN_home_deny {
}
chain filter_IN_home_allow {
tcp dport 22 ct state { new, untracked } accept
ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept
ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept
udp dport 137 ct helper set "helper-netbios-ns-udp"
udp dport 137 ct state { new, untracked } accept
udp dport 138 ct state { new, untracked } accept
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
tcp dport 53 ct state { new, untracked } accept
udp dport 53 ct state { new, untracked } accept
}
chain filter_IN_home_post {
}
chain nat_POST_home {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_home_pre
jump nat_POST_home_log
jump nat_POST_home_deny
jump nat_POST_home_allow
jump nat_POST_home_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_home_pre {
}
chain nat_POST_home_log {
}
chain nat_POST_home_deny {
}
chain nat_POST_home_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_home_post {
}
chain filter_FWD_home {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_home_pre
jump filter_FWD_home_log
jump filter_FWD_home_deny
jump filter_FWD_home_allow
jump filter_FWD_home_post
jump filter_FORWARD_POLICIES_post
accept
}
chain filter_FWD_home_pre {
}
chain filter_FWD_home_log {
}
chain filter_FWD_home_deny {
}
chain filter_FWD_home_allow {
}
chain filter_FWD_home_post {
}
chain nat_PRE_home {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_home_pre
jump nat_PRE_home_log
jump nat_PRE_home_deny
jump nat_PRE_home_allow
jump nat_PRE_home_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_home_pre {
}
chain nat_PRE_home_log {
}
chain nat_PRE_home_deny {
}
chain nat_PRE_home_allow {
}
chain nat_PRE_home_post {
}
chain mangle_PRE_home {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_home_pre
jump mangle_PRE_home_log
jump mangle_PRE_home_deny
jump mangle_PRE_home_allow
jump mangle_PRE_home_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_home_pre {
}
chain mangle_PRE_home_log {
}
chain mangle_PRE_home_deny {
}
chain mangle_PRE_home_allow {
}
chain mangle_PRE_home_post {
}
chain filter_IN_iot {
jump filter_INPUT_POLICIES_pre
jump filter_IN_iot_pre
jump filter_IN_iot_log
jump filter_IN_iot_deny
jump filter_IN_iot_allow
jump filter_IN_iot_post
jump filter_INPUT_POLICIES_post
accept
}
chain filter_IN_iot_pre {
}
chain filter_IN_iot_log {
}
chain filter_IN_iot_deny {
ip daddr 10.20.30.0/24 ip saddr 172.16.87.0/24 drop
}
chain filter_IN_iot_allow {
tcp dport 53 ct state { new, untracked } accept
udp dport 53 ct state { new, untracked } accept
udp dport 67 ct state { new, untracked } accept
}
chain filter_IN_iot_post {
}
chain nat_POST_iot {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_iot_pre
jump nat_POST_iot_log
jump nat_POST_iot_deny
jump nat_POST_iot_allow
jump nat_POST_iot_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_iot_pre {
}
chain nat_POST_iot_log {
}
chain nat_POST_iot_deny {
}
chain nat_POST_iot_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_iot_post {
}
chain filter_FWD_iot {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_iot_pre
jump filter_FWD_iot_log
jump filter_FWD_iot_deny
jump filter_FWD_iot_allow
jump filter_FWD_iot_post
jump filter_FORWARD_POLICIES_post
accept
}
chain filter_FWD_iot_pre {
}
chain filter_FWD_iot_log {
}
chain filter_FWD_iot_deny {
}
chain filter_FWD_iot_allow {
}
chain filter_FWD_iot_post {
}
chain nat_PRE_iot {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_iot_pre
jump nat_PRE_iot_log
jump nat_PRE_iot_deny
jump nat_PRE_iot_allow
jump nat_PRE_iot_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_iot_pre {
}
chain nat_PRE_iot_log {
}
chain nat_PRE_iot_deny {
}
chain nat_PRE_iot_allow {
}
chain nat_PRE_iot_post {
}
chain mangle_PRE_iot {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_iot_pre
jump mangle_PRE_iot_log
jump mangle_PRE_iot_deny
jump mangle_PRE_iot_allow
jump mangle_PRE_iot_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_iot_pre {
}
chain mangle_PRE_iot_log {
}
chain mangle_PRE_iot_deny {
}
chain mangle_PRE_iot_allow {
}
chain mangle_PRE_iot_post {
}
chain filter_IN_public {
jump filter_INPUT_POLICIES_pre
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
reject with icmpx admin-prohibited
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
chain filter_IN_public_allow {
tcp dport 61987 ct state { new, untracked } accept
udp dport 32400 ct state { new, untracked } accept
udp dport 31987 ct state { new, untracked } accept
}
chain filter_IN_public_post {
}
chain nat_POST_public {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_public_post {
}
chain filter_FWD_public {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_public_pre
jump filter_FWD_public_log
jump filter_FWD_public_deny
jump filter_FWD_public_allow
jump filter_FWD_public_post
jump filter_FORWARD_POLICIES_post
reject with icmpx admin-prohibited
}
chain filter_FWD_public_pre {
}
chain filter_FWD_public_log {
}
chain filter_FWD_public_deny {
}
chain filter_FWD_public_allow {
}
chain filter_FWD_public_post {
}
chain nat_PRE_public {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
meta nfproto ipv4 tcp dport 61987 dnat ip to 10.20.30.87:22
meta nfproto ipv4 tcp dport 32400 dnat ip to 10.20.30.87:32400
}
chain nat_PRE_public_post {
}
chain mangle_PRE_public {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
chain filter_FWD_policy_iot-policy {
jump filter_FWD_policy_iot-policy_pre
jump filter_FWD_policy_iot-policy_log
jump filter_FWD_policy_iot-policy_deny
jump filter_FWD_policy_iot-policy_allow
jump filter_FWD_policy_iot-policy_post
}
chain filter_FWD_policy_iot-policy_pre {
}
chain filter_FWD_policy_iot-policy_log {
}
chain filter_FWD_policy_iot-policy_deny {
}
chain filter_FWD_policy_iot-policy_allow {
}
chain filter_FWD_policy_iot-policy_post {
}
chain nat_PRE_policy_iot-policy {
jump nat_PRE_policy_iot-policy_pre
jump nat_PRE_policy_iot-policy_log
jump nat_PRE_policy_iot-policy_deny
jump nat_PRE_policy_iot-policy_allow
jump nat_PRE_policy_iot-policy_post
}
chain nat_PRE_policy_iot-policy_pre {
}
chain nat_PRE_policy_iot-policy_log {
}
chain nat_PRE_policy_iot-policy_deny {
}
chain nat_PRE_policy_iot-policy_allow {
}
chain nat_PRE_policy_iot-policy_post {
}
chain mangle_PRE_policy_iot-policy {
jump mangle_PRE_policy_iot-policy_pre
jump mangle_PRE_policy_iot-policy_log
jump mangle_PRE_policy_iot-policy_deny
jump mangle_PRE_policy_iot-policy_allow
jump mangle_PRE_policy_iot-policy_post
}
chain mangle_PRE_policy_iot-policy_pre {
}
chain mangle_PRE_policy_iot-policy_log {
}
chain mangle_PRE_policy_iot-policy_deny {
}
chain mangle_PRE_policy_iot-policy_allow {
}
chain mangle_PRE_policy_iot-policy_post {
}
}
If I'm reading that right, the iot zone is set up just as the home zone is. I am not very familiar with nft, and only marginally familiar with its predecessor, iptables. If I'm still set up to allow everything in the FORWARD/FWD chains, especially for the public zone, please enlighten me. Does nft have implicit rules that would not show up there?
The firewalld logic is built on a tree-like system of chains which are mostly empty. In particular everything that is not explicitly accepted or explicitly denied is prohibited - that logic is broken by your modifications. This is what I tried to express earlier. "Implicit restrictions" were a bad choice of words - implicit rules do not exist.
You have modified the nftables rule set as follows:
chain filter_IN_iot: Remove the line allowing icmp, remove the line "reject with...". Add "accept". You now allow anything coming in from iot that is not explicitly denied.
chain filter_IN_iot_allow: Remove two lines for port 80 and 443. Why? You have already allowed everything - removing only those two makes no sense.
chain filter_FWD_iot: Remove the line "reject with...". Add "accept". You now allow anything forwarding from iot to all other zones that is not explicitly denied.
chain filter_FWD_iot_allow: Remove both lines. That makes sense, because you allow anything anyway.
Your public zone is not affected.
So how would you suggest I make these changes? I want anything to be allowed to go from my iot zone through my WAN interface (enp3s0 in the public zone). Everything appeared to be rejected until I added the ACCEPT target. Granted, that allows anything to reach my router, and that's OK because it doesn't have many services listening on its enp4s0.66 interface (just dhcp and dns).
I think I found something:
chain filter_FWD_iot_allow {
oifname "enp4s0.66" accept
ip daddr 172.16.87.0/24 accept
}
These rules only allow forwarding into the iot zone (out interface enp4s0.66 and destination 172.16.87.0/24) and not in the desired direction. The filter_FWD_home chain has no filter_FWD_home_allow rules but a policy of "accept" and thus works as desired.
So somehow the firewalld zone definition of iot is not what you intended.
I think that's because I have both the interface and the source network defined. I don't intend to filter anything into the iot zone from any other zone (except public), and I want it to be able to reach the Internet. I have set a policy to drop connection attempts from iot to home, and that appears to work as expected. Here is my current nft inet firewalld table after removing the direct rule and adjusting the iot-policy to drop connections from iot to home:
table inet firewalld {
ct helper helper-netbios-ns-udp {
type "netbios-ns" protocol udp
l3proto ip
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
}
chain mangle_PREROUTING_ZONES {
ip saddr 172.16.87.0/24 goto mangle_PRE_iot
iifname "enp3s0" goto mangle_PRE_public
iifname "enp4s0.66" goto mangle_PRE_iot
iifname "wg0" goto mangle_PRE_home
iifname "enp4s0" goto mangle_PRE_home
goto mangle_PRE_public
}
chain mangle_PREROUTING_POLICIES_post {
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_POLICIES_pre {
jump nat_PRE_policy_allow-host-ipv6
}
chain nat_PREROUTING_ZONES {
ip saddr 172.16.87.0/24 goto nat_PRE_iot
iifname "enp3s0" goto nat_PRE_public
iifname "enp4s0.66" goto nat_PRE_iot
iifname "wg0" goto nat_PRE_home
iifname "enp4s0" goto nat_PRE_home
goto nat_PRE_public
}
chain nat_PREROUTING_POLICIES_post {
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_POLICIES_pre {
}
chain nat_POSTROUTING_ZONES {
ip daddr 172.16.87.0/24 goto nat_POST_iot
oifname "enp3s0" goto nat_POST_public
oifname "enp4s0.66" goto nat_POST_iot
oifname "wg0" goto nat_POST_home
oifname "enp4s0" goto nat_POST_home
goto nat_POST_public
}
chain nat_POSTROUTING_POLICIES_post {
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES
ct state invalid drop
reject with icmpx admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_FORWARD_ZONES
ct state invalid drop
reject with icmpx admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_OUTPUT_POLICIES_pre
jump filter_OUTPUT_POLICIES_post
}
chain filter_INPUT_POLICIES_pre {
jump filter_IN_policy_allow-host-ipv6
}
chain filter_INPUT_ZONES {
ip saddr 172.16.87.0/24 goto filter_IN_iot
iifname "enp3s0" goto filter_IN_public
iifname "enp4s0.66" goto filter_IN_iot
iifname "wg0" goto filter_IN_home
iifname "enp4s0" goto filter_IN_home
goto filter_IN_public
}
chain filter_INPUT_POLICIES_post {
}
chain filter_FORWARD_POLICIES_pre {
iifname "enp4s0.66" oifname { "wg0", "enp4s0" } jump filter_FWD_policy_iot-policy
ip saddr 172.16.87.0/24 oifname { "wg0", "enp4s0" } jump filter_FWD_policy_iot-policy
}
chain filter_FORWARD_ZONES {
ip saddr 172.16.87.0/24 goto filter_FWD_iot
iifname "enp3s0" goto filter_FWD_public
iifname "enp4s0.66" goto filter_FWD_iot
iifname "wg0" goto filter_FWD_home
iifname "enp4s0" goto filter_FWD_home
goto filter_FWD_public
}
chain filter_FORWARD_POLICIES_post {
}
chain filter_OUTPUT_POLICIES_pre {
}
chain filter_OUTPUT_POLICIES_post {
}
chain filter_IN_home {
jump filter_INPUT_POLICIES_pre
jump filter_IN_home_pre
jump filter_IN_home_log
jump filter_IN_home_deny
jump filter_IN_home_allow
jump filter_IN_home_post
jump filter_INPUT_POLICIES_post
accept
}
chain filter_IN_home_pre {
}
chain filter_IN_home_log {
}
chain filter_IN_home_deny {
}
chain filter_IN_home_allow {
tcp dport 22 ct state { new, untracked } accept
ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept
ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept
udp dport 137 ct helper set "helper-netbios-ns-udp"
udp dport 137 ct state { new, untracked } accept
udp dport 138 ct state { new, untracked } accept
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
tcp dport 53 ct state { new, untracked } accept
udp dport 53 ct state { new, untracked } accept
}
chain filter_IN_home_post {
}
chain nat_POST_home {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_home_pre
jump nat_POST_home_log
jump nat_POST_home_deny
jump nat_POST_home_allow
jump nat_POST_home_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_home_pre {
}
chain nat_POST_home_log {
}
chain nat_POST_home_deny {
}
chain nat_POST_home_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_home_post {
}
chain filter_FWD_home {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_home_pre
jump filter_FWD_home_log
jump filter_FWD_home_deny
jump filter_FWD_home_allow
jump filter_FWD_home_post
jump filter_FORWARD_POLICIES_post
accept
}
chain filter_FWD_home_pre {
}
chain filter_FWD_home_log {
}
chain filter_FWD_home_deny {
}
chain filter_FWD_home_allow {
}
chain filter_FWD_home_post {
}
chain nat_PRE_home {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_home_pre
jump nat_PRE_home_log
jump nat_PRE_home_deny
jump nat_PRE_home_allow
jump nat_PRE_home_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_home_pre {
}
chain nat_PRE_home_log {
}
chain nat_PRE_home_deny {
}
chain nat_PRE_home_allow {
}
chain nat_PRE_home_post {
}
chain mangle_PRE_home {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_home_pre
jump mangle_PRE_home_log
jump mangle_PRE_home_deny
jump mangle_PRE_home_allow
jump mangle_PRE_home_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_home_pre {
}
chain mangle_PRE_home_log {
}
chain mangle_PRE_home_deny {
}
chain mangle_PRE_home_allow {
}
chain mangle_PRE_home_post {
}
chain filter_IN_iot {
jump filter_INPUT_POLICIES_pre
jump filter_IN_iot_pre
jump filter_IN_iot_log
jump filter_IN_iot_deny
jump filter_IN_iot_allow
jump filter_IN_iot_post
jump filter_INPUT_POLICIES_post
accept
}
chain filter_IN_iot_pre {
}
chain filter_IN_iot_log {
}
chain filter_IN_iot_deny {
ip daddr 10.20.30.0/24 ip saddr 172.16.87.0/24 drop
}
chain filter_IN_iot_allow {
tcp dport 53 ct state { new, untracked } accept
udp dport 53 ct state { new, untracked } accept
udp dport 67 ct state { new, untracked } accept
}
chain filter_IN_iot_post {
}
chain nat_POST_iot {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_iot_pre
jump nat_POST_iot_log
jump nat_POST_iot_deny
jump nat_POST_iot_allow
jump nat_POST_iot_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_iot_pre {
}
chain nat_POST_iot_log {
}
chain nat_POST_iot_deny {
}
chain nat_POST_iot_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_iot_post {
}
chain filter_FWD_iot {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_iot_pre
jump filter_FWD_iot_log
jump filter_FWD_iot_deny
jump filter_FWD_iot_allow
jump filter_FWD_iot_post
jump filter_FORWARD_POLICIES_post
accept
}
chain filter_FWD_iot_pre {
}
chain filter_FWD_iot_log {
}
chain filter_FWD_iot_deny {
}
chain filter_FWD_iot_allow {
}
chain filter_FWD_iot_post {
}
chain nat_PRE_iot {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_iot_pre
jump nat_PRE_iot_log
jump nat_PRE_iot_deny
jump nat_PRE_iot_allow
jump nat_PRE_iot_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_iot_pre {
}
chain nat_PRE_iot_log {
}
chain nat_PRE_iot_deny {
}
chain nat_PRE_iot_allow {
}
chain nat_PRE_iot_post {
}
chain mangle_PRE_iot {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_iot_pre
jump mangle_PRE_iot_log
jump mangle_PRE_iot_deny
jump mangle_PRE_iot_allow
jump mangle_PRE_iot_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_iot_pre {
}
chain mangle_PRE_iot_log {
}
chain mangle_PRE_iot_deny {
}
chain mangle_PRE_iot_allow {
}
chain mangle_PRE_iot_post {
}
chain filter_IN_public {
jump filter_INPUT_POLICIES_pre
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
reject with icmpx admin-prohibited
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
chain filter_IN_public_allow {
tcp dport 61987 ct state { new, untracked } accept
udp dport 32400 ct state { new, untracked } accept
udp dport 31987 ct state { new, untracked } accept
}
chain filter_IN_public_post {
}
chain nat_POST_public {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_public_post {
}
chain filter_FWD_public {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_public_pre
jump filter_FWD_public_log
jump filter_FWD_public_deny
jump filter_FWD_public_allow
jump filter_FWD_public_post
jump filter_FORWARD_POLICIES_post
reject with icmpx admin-prohibited
}
chain filter_FWD_public_pre {
}
chain filter_FWD_public_log {
}
chain filter_FWD_public_deny {
}
chain filter_FWD_public_allow {
}
chain filter_FWD_public_post {
}
chain nat_PRE_public {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
meta nfproto ipv4 tcp dport 61987 dnat ip to 10.20.30.87:22
meta nfproto ipv4 tcp dport 32400 dnat ip to 10.20.30.87:32400
}
chain nat_PRE_public_post {
}
chain mangle_PRE_public {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
chain filter_FWD_policy_iot-policy {
jump filter_FWD_policy_iot-policy_pre
jump filter_FWD_policy_iot-policy_log
jump filter_FWD_policy_iot-policy_deny
jump filter_FWD_policy_iot-policy_allow
jump filter_FWD_policy_iot-policy_post
drop
}
chain filter_FWD_policy_iot-policy_pre {
}
chain filter_FWD_policy_iot-policy_log {
}
chain filter_FWD_policy_iot-policy_deny {
}
chain filter_FWD_policy_iot-policy_allow {
}
chain filter_FWD_policy_iot-policy_post {
}
}
Without accept as the last rule in the iot chain, I don't know how to have it allow traffic to the Internet any other way. With the iot-policy set to DROP with the out interface of enp4s0 or wg0 (the home zone), it appears to do exactly what I want (the Internet is still reachable). I would think certain IoT devices would need to connect to a service provider or at least to get software/firmware updates, hence the requirement to reach the Internet. I also use this network for guest WiFi users, unless they have a need to reach devices on my home network (like printers or network storage).
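Added example, not from the thread and not firewalld's code: a small Python model of how the FORWARD path in the ruleset above reaches a verdict (conntrack shortcut, zone dispatch by source address or ingress interface, FORWARD_POLICIES_pre, the zone's _allow rules, then the zone target). It replays the earlier iot chain -thc quoted, the final ruleset with target ACCEPT plus the iot-policy drop, and an alternative the thread did not configure (assumption: a second policy object iot -> public with target ACCEPT while the zone target stays at reject); the addresses 192.0.2.10, 198.51.100.7 and 10.20.30.5 are constructed.

```python
# Constructed model (not firewalld's own code) of the FORWARD path in the ruleset
# above: conntrack shortcut, zone dispatch, FORWARD_POLICIES_pre, _allow rules, target.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    iif: str
    oif: str
    saddr: str
    daddr: str
    established: bool = False   # ct state { established, related }

@dataclass
class Zone:
    name: str
    interfaces: set
    sources: list   # ip_network objects; firewalld matches these before iifname
    allow: list     # filter_FWD_<zone>_allow rules, each Packet -> bool
    target: str     # "accept" or "reject" (reject with icmpx admin-prohibited)

@dataclass
class Policy:
    ingress_ifs: set
    ingress_sources: list
    egress_ifs: set
    target: str     # "accept", "drop", "reject" or "continue"

def _ingress_match(pkt, ifs, sources):
    return pkt.iif in ifs or any(ip_address(pkt.saddr) in n for n in sources)

def forward_verdict(pkt, zones, policies, default="public"):
    if pkt.established:                        # ct state { established, related } accept
        return "accept"
    # filter_FORWARD_ZONES: "ip saddr ... goto" rules first, then "iifname ... goto", then default
    zone = (next((z for z in zones if _ingress_match(pkt, set(), z.sources)), None)
            or next((z for z in zones if pkt.iif in z.interfaces), None)
            or next(z for z in zones if z.name == default))
    # filter_FORWARD_POLICIES_pre: the first policy with a terminal target decides
    for pol in policies:
        if (_ingress_match(pkt, pol.ingress_ifs, pol.ingress_sources)
                and pkt.oif in pol.egress_ifs and pol.target != "continue"):
            return pol.target
    if any(rule(pkt) for rule in zone.allow):  # filter_FWD_<zone>_allow
        return "accept"
    return zone.target                         # last rule of filter_FWD_<zone>

def check(ruleset, iif, oif, saddr, daddr, established=False):
    zones, policies = ruleset
    return forward_verdict(Packet(iif, oif, saddr, daddr, established), zones, policies)

IOT_NET = ip_network("172.16.87.0/24")
PUBLIC = Zone("public", {"enp3s0"}, [], [], "reject")
HOME = Zone("home", {"enp4s0", "wg0"}, [], [], "accept")

# Earlier state -thc spotted: target still reject, and the two _allow rules only
# match traffic headed into the iot zone, so iot -> WAN falls through to reject.
IOT_BEFORE = Zone("iot", {"enp4s0.66"}, [IOT_NET],
                  [lambda p: p.oif == "enp4s0.66",
                   lambda p: ip_address(p.daddr) in IOT_NET], "reject")
BEFORE = ([PUBLIC, HOME, IOT_BEFORE], [])

# Final state in the thread: zone target ACCEPT plus iot-policy dropping
# anything from iot that egresses on the home zone interfaces.
IOT_TO_HOME = Policy({"enp4s0.66"}, [IOT_NET], {"wg0", "enp4s0"}, "drop")
AFTER = ([PUBLIC, HOME, Zone("iot", {"enp4s0.66"}, [IOT_NET], [], "accept")],
         [IOT_TO_HOME])

# Alternative not used in the thread (assumption): keep the default reject target
# and add a second policy, iot -> public with target ACCEPT, so only WAN-bound
# forwarding is opened and the zone's INPUT chain keeps its reject as well.
IOT_TO_WAN = Policy({"enp4s0.66"}, [IOT_NET], {"enp3s0"}, "accept")
TIGHTER = ([PUBLIC, HOME, Zone("iot", {"enp4s0.66"}, [IOT_NET], [], "reject")],
           [IOT_TO_HOME, IOT_TO_WAN])
```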
Okay - if everything works now let's leave it at that.
(And I dislike firewalld even more than before.)
Thank you for your time, I think I understand the underlying nft subsystem better because of your efforts. I wasn't really clear on which one my router was using, nft or iptables. You've helped to clear that up (and I'm glad I only have nft rules underneath).
My employer uses firewalld on its on-prem systems, so that's why I use it. I always struggled to master iptables previously, so firewalld is a very welcome abstraction in my mind. nft seems a bit more straightforward, but I will still use firewalld (it can only improve going forward). That's the beauty (and curse) of Arch, you use what you want and YOU get to put it back together when it breaks. I rather enjoyed this learning exercise, through it I also learned that direct rules are deprecated, and I finally got my iot->home block to work the way it's prescribed.
Again, thank you very much!
Last edited by ectospasm (2022-02-23 02:23:10)