Need Expert help: Firewalld is corporate standard. Need Masq/SNAT. Not working.


gurunixx
6th September 2013, 04:09 AM
I work for a huge IT company. They have security tools that audit each linux OS. They are auditing F19 with 'firewalld' as the required component. I have it working in an hour with shorewall (my old girlfriend) - but I'm going to be in trouble. So I'm trying to get firewalld to work.

I've read every doc I could find. I've looked at every thread in these forums. They are largely very discouraging. So, I have tried gui, firewall-cmd, and rich rules. I am now using complex scripts that use 'firewall-cmd --direct --passthrough ipv4'. I've been tweaking, and now iptables looks great, but it refuses to work.

I have these networking interfaces:

em1: ethernet
enp0s20u1: cell phone tether
vboxnet0: vbox
virbr0: kvm
wlp3s0: wlan
vpn0: vpn

I'd like to forward from vboxnet0 (later, virbr0) to any outward facing interface (em1, enp0s20u1, vpn0). I'd like it to be NATted. I tried to check 'masq' in the GUI for the zones that contain the necessary interfaces - it had no effect at all. Heck, I've tried too many things to list here, I'd lose all my readers.

How can I set this up using GUI, firewall-cmd, or the 'rich rules'? They all fail. "iptables -L -vn" and "iptables -t nat -vn" look fine. But the packets refuse to flow.

FYI, using --direct I can set up forwarding and SNAT. I log /everything/ and I see log entries for the forward, but the reverse path for established traffic is not working.

Lastly, I tried this rule and it looks like MASQUERADE is no longer a valid chain in firewalld? Or iptables? Is this firewalld or is iptables evolving again?

# firewall-cmd --direct --passthrough ipv4 -I POSTROUTING -s 10.1.0.0/16 -o tun0 -j MASQUERADE
Error: COMMAND_FAILED: '/sbin/iptables -I POSTROUTING -s 10.1.0.0/16 -o tun0 -j MASQUERADE' failed: iptables: No chain/target/match by that name.

If anyone can help, you'd be saving my bacon. And I'd be very grateful.

/Bill

hmmsjan
6th September 2013, 06:53 AM
Dear gurunixx,

Unfortunately, I'm not familiar with firewalld. The last command is invalid, because MASQUERADE
has to be entered into the "nat" table, the "-t nat" option is required.
How to fiddle this into firewalld scripts, I do not know.


Good luck

gurunixx
6th September 2013, 02:28 PM
OK, changed the thread title :-)

Thanks for the clear vision. Sometimes we get dirt in our teeth and can't see the forest......

All is working now. Without that back-door into iptables, though, there's no way I'd have gotten firewalld to work.

Just to make this actually useful to anyone who follows - perhaps working for the same big company as I - here's the recipe.

a) forwarding rules

firewall-cmd --direct --passthrough ipv4 -I FORWARD -i vboxnet0 -o em1 -j ACCEPT
firewall-cmd --direct --passthrough ipv4 -I FORWARD -i em1 -o vboxnet0 -m state --state ESTABLISHED,RELATED -j ACCEPT

There are two commands there on two lines.

b) masquerading

firewall-cmd --direct --passthrough ipv4 -t nat -I POSTROUTING -o em1 -j MASQUERADE

Remember you have to find a way to run these after firewalld starts up, every time it (re)starts.

/Bill

rheldaemon
7th September 2013, 05:32 PM
Have you already checked this site: https://fedoraproject.org/wiki/FirewallD?rd=FirewallD/

flyingfsck
7th September 2013, 06:22 PM
The general solution is to kill firewalld and just use iptables. As far as I can determine, firewalld is not meant for use in routers and servers, so it is best to blow it away:
http://www.aeronetworks.ca/2013/07/fedora-18-firewall-daemonology.html

twoerner
9th September 2013, 03:48 PM
You can add permanent direct rules soon. Version 0.3.4 has some support for this already, but only for the config file and without passthrough rules. Full permanent direct support will be there soon.

You could add something like this for now in /etc/firewalld/direct.xml

<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-i vboxnet0 -o em1 -j ACCEPT</rule>
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-i em1 -o vboxnet0 -m state --state ESTABLISHED,RELATED -j ACCEPT</rule>
<rule ipv="ipv4" table="nat" chain="POSTROUTING" priority="0">-o tun0 -j MASQUERADE</rule>
</direct>

It will be added at every start/restart/reload.
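An added example, not code from any poster in this thread: a POSIX shell script that produces gurunixx's recipe (the FORWARD pair plus MASQUERADE) in both forms firewalld accepts, the runtime `--direct --passthrough` commands and the persistent `/etc/firewalld/direct.xml` layout shown in the post above. It also carries the check hmmsjan pointed out: a MASQUERADE rule is rejected unless it targets the nat table, which is exactly the mistake behind the "No chain/target/match by that name" error in the opening post. Interface names and the optional inner subnet are script arguments (defaults follow the thread's vboxnet0 -> em1); `DRY_RUN`, `rule_set`, `check_rule`, `runtime_cmds`, `direct_xml` and `apply_rules` are names of this script and not firewall-cmd options.

```shell
#!/bin/sh
# Added example, not code from this thread: emits the rules of gurunixx's recipe
# (FORWARD pair + MASQUERADE) in the two forms firewalld accepts: the runtime
# '--direct --passthrough' commands and the persistent direct.xml twoerner shows.
# Assumptions: interface names are arguments (the thread's vboxnet0 -> em1);
# DRY_RUN is a variable of this script, not a firewall-cmd option.

# One rule per line: "<table> <chain> <iptables args>".  Optional $3 restricts
# the masquerade to the inner subnet so only that network gets rewritten
# (as the opening post's -s 10.1.0.0/16 did).
rule_set() {
    inner=$1; outer=$2; src=${3:+-s $3 }
    printf '%s\n' \
      "filter FORWARD -i $inner -o $outer -j ACCEPT" \
      "filter FORWARD -i $outer -o $inner -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "nat POSTROUTING ${src}-o $outer -j MASQUERADE"
}

# The error in the opening post: MASQUERADE (and SNAT) only exist as targets in
# the nat table, so a rule aimed at another table is refused here before
# iptables refuses it with "No chain/target/match by that name".
check_rule() {
    table=$1; chain=$2; args=$3
    case "$args" in
        *"-j MASQUERADE"*|*"-j SNAT"*)
            if [ "$table" != nat ]; then
                echo "$chain: '$args' needs table nat, got '$table'" >&2
                return 1
            fi ;;
    esac
    return 0
}

# Runtime form: one firewall-cmd passthrough per rule, table given explicitly.
# These are not persistent, which is why the recipe says to re-run them after
# every (re)start of firewalld.
runtime_cmds() {
    rule_set "$@" | while read -r table chain args; do
        check_rule "$table" "$chain" "$args" || exit 1
        printf 'firewall-cmd --direct --passthrough ipv4 -t %s -I %s %s\n' \
            "$table" "$chain" "$args"
    done
}

# Persistent form: the /etc/firewalld/direct.xml layout from twoerner's post,
# which firewalld re-applies on every start/restart/reload.
direct_xml() {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<direct>\n'
    rule_set "$@" | while read -r table chain args; do
        check_rule "$table" "$chain" "$args" || exit 1
        printf '  <rule ipv="ipv4" table="%s" chain="%s" priority="0">%s</rule>\n' \
            "$table" "$chain" "$args"
    done
    printf '</direct>\n'
}

# Apply the runtime form.  DRY_RUN=echo prints what would run instead of running it.
apply_rules() {
    runtime_cmds "$@" | while read -r cmd; do
        sh -c "${DRY_RUN:-} $cmd" || exit 1
    done
}

# Usage: sh nat-rules.sh vboxnet0 em1 [10.1.0.0/16]  -- prints both forms, applies nothing.
if [ $# -ge 2 ]; then
    runtime_cmds "$@"
    echo
    direct_xml "$@"
fi
```

Direct rules are handed to iptables as-is and bypass firewalld's zone logic, which is why ticking 'masq' on a zone in the GUI and these passthrough rules are independent of each other; keep all NAT rules in one place so an audit of `iptables -t nat -L -vn` shows a single source of truth.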

twoerner
9th September 2013, 04:28 PM
The general solution is to kill firewalld and just use iptables. As far as I can determine, firewalld is not meant for use in routers and servers, so it is best to blow it away:
http://www.aeronetworks.ca/2013/07/fedora-18-firewall-daemonology.html

This is not correct. Firewalld is meant to be used on servers. A big benefit for example is better libvirtd integration. On routers it might depend on your use case. If you have a completely static firewall setup and environment, then the ip*tables services might be a better choice for you. But you have to take care on name (scheme) changes for example for network interfaces on your own.