Page 1 of 4 (results 1 to 10 of 40)

Thread: How to configure firewalld to act as a router for specific interfaces?

  1. #1

    How to configure firewalld to act as a router for specific interfaces?

    Hi,

    I am looking for a way to use (internal, LAN) interface eth0 to provide Internet coming from (external) interface eth1.

    Based on this info I have set:

    Code:
    # cat /etc/firewalld/direct.xml
    <?xml version="1.0" encoding="utf-8"?>
    <direct>
      <rule ipv="ipv4" table="nat" chain="POSTROUTING" priority="0">-o eth1 -j MASQUERADE</rule>
      <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-i eth0 -o eth1 -j ACCEPT</rule>
      <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT</rule>
    </direct>
    and also in /etc/sysctl.conf (applied using 'sysctl -p'):

    Code:
    net.ipv4.ip_forward = 0
    net.ipv4.conf.eth0.forwarding = 1
    but it doesn't work unless I also set:

    Code:
    net.ipv4.ip_forward = 1
    which as far as I understand enables forwarding for all interfaces (which I don't want) and not only for eth0 (which I want). According to the kernel sysctl documentation:

    conf/interface/* changes special settings per interface (where
    "interface" is the name of your network interface)
    ...
    forwarding - BOOLEAN
    Enable IP forwarding on this interface. This controls whether packets
    received _on_ this interface can be forwarded.
    Am I misunderstanding the docs and how should this be set correctly?

  2. #2
    Join Date
    Sep 2012
    Posts
    4,669

    Re: How to configure firewalld to act as a router for specific interfaces?

    Quote Originally Posted by heyjoe:
    forwarding for all interfaces (which I don't want) and not only for eth0 (which I want)
    You cannot forward from eth0 to eth1 without forwarding replies from eth1 to eth0
    Am I misunderstanding the docs
    Yes
    and how should this be set correctly?
    You set net.ipv4.ip_forward = 1.

    P.S. Your literal question in subject has no answer because firewalld has absolutely nothing to do with routing.

  3. #3

    Re: How to configure firewalld to act as a router for specific interfaces?

    Quote Originally Posted by arvidjaar:
    You cannot forward from eth0 to eth1 without forwarding replies from eth1 to eth0
    OK, with this I have Internet connection on the LAN machines:

    Code:
    net.ipv4.ip_forward = 0
    net.ipv4.conf.eth0.forwarding = 1
    net.ipv4.conf.eth1.forwarding = 1
    Is the above a correct set up?

    You set net.ipv4.ip_forward = 1.
    Won't that enable forwarding for all interfaces?

    P.S. Your literal question in subject has no answer because firewalld has absolutely nothing to do with routing.
    I am not a network expert, so I may have been misled to put it this way because it was asked similarly in the first link.

  4. #4
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    9,591
    Blog Entries
    1

    Re: How to configure firewalld to act as a router for specific interfaces?

    Mmmmm....
    I'm sorry to "post and run" in this case because I'm in the middle of something that demands my attention, and on top of that I haven't looked at this that closely recently, but my understanding is that netfilter and current ip tools support a kind of "session state" so you likely <should not> be configuring ip forwarding in both directions (because you're implementing NAT).

    If you want to manually configure your NAT iptables rules, a quick Internet search returns the following two articles which I consider reliable and authoritative, and neither configures a forwarding rule for "replies," instead relying on the kernel netfilter module and the conntrack module. Note that these two references do <not> meld together perfectly: in one case the instructions use the sysctl command to temporarily apply a rule and /etc/sysctl to apply rules persistently, and in the other case they make a call directly to /proc/sys. You will want to know that both methods are ways to accomplish the same thing, but using /etc/sysctl is safer because if you make a mistake, the rule just isn't applied, whereas a bad call to /proc/sys/ can lock up your machine. And, I haven't looked at configuring using firewalld's xml files, in which case perhaps sysctl and /proc/sys/ wouldn't even be used.

    https://access.redhat.com/documentat...l-ipt-fwd.html
    https://www.karlrupp.net/en/computer/nat_tutorial

    Maybe in the "old days" before ip a forwarding rule might have been required for replies but not so today.

    Sorry to post and run...
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  5. #5
    Join Date
    Sep 2012
    Posts
    4,669

    Re: How to configure firewalld to act as a router for specific interfaces?

    Quote Originally Posted by heyjoe:
    Is the above a correct set up?
    No
    Won't that enable forwarding for all interfaces?
    This will enable forwarding. Without further qualification. Without this setting no forwarding happens at all.

  6. #6
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    9,591
    Blog Entries
    1

    Re: How to configure firewalld to act as a router for specific interfaces?

    You should be able to configure NAT without handcrafting your config files...

    1. Launch firewall-config (eg YaST Firewall module)
    2. Your network interfaces should be listed in the "Active Bindings" pane to the far left.
    3. Select your LAN interface (facing your LAN). Set to the "internal" zone
    4. Select your WAN interface (facing the Internet). It should already be assigned to the "public" zone or you need to set accordingly. Scroll the tabs until you reach the "Masquerading" tab. Check the "Masquerade Zone" checkbox.
    5. Reload the firewall daemon.

    Remember that you should be configuring "Runtime" for now until you are sure you have configured what you want.
    Once you are sure of your configuration, then switch to "Permanent" and re-apply your settings.

    Test.

    Post your results, your LAN clients should be able to connect to resources on the Internet while nothing from the Internet should be able to initiate a connection to your LAN clients.

    If not working, then we'll need to take a closer look at your firewall modules (typically you should see an error in your journal).

    TSU
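The forwarding semantics argued over in posts #1 to #6, as an added example that is not code from this thread, from firewalld or from the Linux kernel: a Python model of the OP's gateway. It treats the kernel's decision as "forward only if the forwarding flag of the interface the packet was received on is set, and a change to net.ipv4.ip_forward is pushed down to every interface" (a simplification of the real per-device sysctl code), runs the OP's two direct.xml FORWARD rules plus the MASQUERADE rule over three constructed packets (a LAN client's outbound connection, the reply arriving on eth1, and an unsolicited inbound connection attempt), and reproduces why eth0.forwarding=1 alone does not work, why eth0 plus eth1 does, and what the "drop all, allow explicitly" policy buys: the reply is accepted as ESTABLISHED while the unsolicited packet is dropped. All addresses, ports and the constants OP_FIRST, OP_SECOND and GLOBAL are constructed, and the model assumes MASQUERADE keeps the client's source port.

```python
# Added example (not code from the thread, firewalld or the kernel): a small
# model of the OP's gateway so the observations in posts #1 and #3 can be
# reproduced offline. Addresses, ports and interface names are constructed
# sample values; the sysctl semantics are a simplified model of the kernel,
# and MASQUERADE is assumed to keep the original source port.
from dataclasses import dataclass

LAN, WAN = "eth0", "eth1"  # the OP's internal and external interfaces


class Sysctl:
    """net.ipv4.ip_forward versus net.ipv4.conf.<if>.forwarding."""

    def __init__(self, interfaces):
        self.all = 0
        self.per_if = {i: 0 for i in interfaces}

    def apply(self, lines):
        """Apply 'key = value' lines in file order, as `sysctl -p` does."""
        for line in lines:
            key, _, value = (s.strip() for s in line.partition("="))
            self.set(key, int(value))
        return dict(self.per_if)

    def set(self, key, value):
        if key in ("net.ipv4.ip_forward", "net.ipv4.conf.all.forwarding"):
            # A *change* of the global flag is pushed down to every interface,
            # so it cannot enable forwarding on one interface only.
            if self.all != value:
                self.all = value
                self.per_if = {i: value for i in self.per_if}
        elif key.startswith("net.ipv4.conf.") and key.endswith(".forwarding"):
            iface = key[len("net.ipv4.conf."):-len(".forwarding")]
            if iface not in self.per_if:
                raise KeyError(key)
            self.per_if[iface] = value
        else:
            raise KeyError(key)

    def may_forward(self, ingress):
        """The kernel forwards only if the *receiving* interface's flag is set."""
        return self.per_if[ingress] == 1


@dataclass(frozen=True)
class Packet:
    ingress: str
    egress: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class Router:
    """Forwarding path of the gateway: kernel flag, FORWARD chain, POSTROUTING."""

    def __init__(self, sysctl, wan_ip="203.0.113.10"):
        self.sysctl, self.wan_ip = sysctl, wan_ip
        self.replies = {}  # expected reply 5-tuple on WAN -> packet after de-NAT

    def forward_chain(self, pkt, established):
        # The OP's two direct.xml FORWARD rules; everything else is dropped.
        if pkt.ingress == LAN and pkt.egress == WAN:
            return "ACCEPT"  # -i eth0 -o eth1 -j ACCEPT
        if pkt.ingress == WAN and pkt.egress == LAN and established:
            return "ACCEPT"  # -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
        return "DROP"

    def handle(self, pkt):
        """Fate of one packet: FORWARDED, DROP (firewall) or NOT_FORWARDED (kernel flag)."""
        established = pkt.flow() in self.replies
        if established:
            pkt = self.replies[pkt.flow()]  # conntrack undoes the masquerade in PREROUTING
        if not self.sysctl.may_forward(pkt.ingress):
            return "NOT_FORWARDED"  # forwarding disabled on the receiving interface
        verdict = self.forward_chain(pkt, established)
        if verdict != "ACCEPT":
            return verdict
        if pkt.egress == WAN:  # -o eth1 -j MASQUERADE in POSTROUTING
            reply = (pkt.proto, pkt.dst, pkt.dport, self.wan_ip, pkt.sport)
            self.replies[reply] = Packet(WAN, LAN, pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "FORWARDED"


def scenario(sysctl_lines):
    """Send three constructed packets through a gateway with the given sysctls."""
    router = Router(Sysctl([LAN, WAN]))
    router.sysctl.apply(sysctl_lines)
    outbound = Packet(LAN, WAN, "192.168.1.20", 40000, "198.51.100.5", 443)
    reply = Packet(WAN, LAN, "198.51.100.5", 443, router.wan_ip, 40000)
    unsolicited = Packet(WAN, LAN, "198.51.100.9", 55555, "192.168.1.20", 22)
    return tuple(router.handle(p) for p in (outbound, reply, unsolicited))


OP_FIRST = ["net.ipv4.ip_forward = 0", "net.ipv4.conf.eth0.forwarding = 1"]
OP_SECOND = OP_FIRST + ["net.ipv4.conf.eth1.forwarding = 1"]
GLOBAL = ["net.ipv4.ip_forward = 1"]

if __name__ == "__main__":
    for name, lines in (("post #1", OP_FIRST), ("post #3", OP_SECOND), ("ip_forward=1", GLOBAL)):
        print(f"{name:13s} flags={Sysctl([LAN, WAN]).apply(lines)}  outbound/reply/unsolicited={scenario(lines)}")
```

With post #1's settings the model forwards the LAN client's packet but not the reply, because eth1's flag is still 0; with eth1 added (post #3) or with ip_forward=1 the per-interface flags are identical for these two interfaces, and it is the FORWARD chain, not the sysctl, that keeps the unsolicited inbound packet out.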

  7. #7
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    19,149
    Blog Entries
    1

    Re: How to configure firewalld to act as a router for specific interfaces?

    Along with enabling IP forwarding in the kernel IP stack, it is the firewall rules which then decide how such packets are filtered/forwarded etc.
    Last edited by deano_ferrari; 24-Oct-2018 at 23:47.
    openSUSE Leap 15.0; KDE Plasma 5

  8. #8

    Re: How to configure firewalld to act as a router for specific interfaces?

    Quote Originally Posted by arvidjaar:
    No
    May I ask why please?

    This will enable forwarding. Without further qualification. Without this setting no forwarding happens at all.
    How do you restrict it to a specific interface?

    @tsu2 - thanks for the links. I will have a deeper look at that (seems I have a lot to learn).

  9. #9
    Join Date
    Sep 2012
    Posts
    4,669

    Re: How to configure firewalld to act as a router for specific interfaces?

    Quote Originally Posted by heyjoe:
    May I ask why please?
    I answered this in the next sentence in the post you are replying to.
    How do you restrict it to a specific interface?
    Forwarding by definition cannot be restricted "to specific interface" because it requires at least two interfaces. You probably need to step back and explain what you are trying to achieve instead of showing how you are trying to do it. I have a feeling that we mean something different when speaking about "forwarding".

  10. #10

    Re: How to configure firewalld to act as a router for specific interfaces?

    Quote Originally Posted by arvidjaar:
    You probably need to step back and explain what you are trying to achieve instead of showing how you are trying to do it.
    Sharing of Internet connection with the LAN machines following the principle "drop all, allow explicitly only what is needed".
    On the particular machine I am trying to do it: External interface: eth1. Internal interface: eth0.

    Many years ago on an old RedHat version a friend showed me how to do it this way, but I couldn't find a way to use this method with SuSEfirewall2, and now that it is replaced with firewalld I suppose it would be more relevant to learn how to do all this using the modern tools like firewalld and nftables (and whatever else applies).

    So that is what I am trying to learn.
