Firewalld and Masquerading

Greetings,

Since the beginning of September (2021), I have been searching the internet for a solution to a broken firewalld. Masquerading is not working, and your solution here is not working for me either. Something is different.
My computer has this configuration:

network card0 (eth0) - manual IP configuration 10.x.y.z, IPv4 only, zone external, connected to the WAN
network card1 (eth1) - bridged by the br0 virtual network card, zone home, connected to the LAN
network card2 (br0) - manual IP configuration 172.16.0.1/12, IPv4 only, zone home, virtualized machines are connected through this interface.

br0 was used as the gateway for these virtual machines and for the devices connected to the LAN, but when firewalld version 1.xy arrived in openSUSE Tumbleweed, it stopped working. The commands mentioned here work, except for the last rule. If I enter

firewall-cmd --permanent --policy AccessInternet --add-rich-rule='rule family="ipv4" source="172.16.0.0/12" accept'

an error is thrown and masquerade doesn't work.

Error: INVALID_RULE: bad attribute 'source'

There is no service running on the virtualized machines that must be accessible from the internet.

May I ask you for help?

Thank You

What solution?

when firewalld version 1.xy become into openSUSE tumbleweed, it stop works.

What stopped working? If you configured something and it does not work - explain what you did, show your configuration. Otherwise we have no way to comment on it.

If I enter

firewall-cmd --permanent --policy AccessInternet --add-rich-rule='rule family="ipv4" source="172.16.0.0/12" accept'

an error is thrown and masquerade doesn’t work.

Error: INVALID_RULE: bad attribute 'source'

Rule syntax is wrong. It should be

source address="172.16.0.0/12"

Did you try to read documentation?
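The complete procedure that arvidjaar's correction implies, written out as an added example (it is not code from the thread or from the firewalld project): the policy from the earlier posts, the rich rule with the `source address="..."` element, masquerading on the egress zone, a reload, and a read-back of the runtime state. The policy name AccessInternet, the zone names home and external, and the 172.16.0.0/12 prefix are taken from the posts above; the `--get-policies` guard, the explicit `--add-masquerade` on the external zone, and the verification step are my additions. It must run as root on the firewalld host.

```shell
#!/bin/sh
# Added example (not from the thread): firewalld 1.x policy that lets the
# LAN/VM zone (home) reach the WAN zone (external) and is masqueraded on
# the way out. Names below come from the thread; the guards are assumptions.
set -eu

POLICY=AccessInternet
LAN_ZONE=home
WAN_ZONE=external
LAN_PREFIX=172.16.0.0/12

# Rich-rule syntax: the source is an element with an "address" attribute,
# i.e. 'source address="..."'. Writing 'source="..."' is what produces
# "INVALID_RULE: bad attribute 'source'".
access_internet_rich_rule() {
    printf 'rule family="ipv4" source address="%s" accept' "$LAN_PREFIX"
}

# Create the policy once (a second --new-policy with the same name fails),
# attach the zones, add the rule, and make sure NAT is on for the egress zone.
apply_access_internet() {
    if ! firewall-cmd --permanent --get-policies | tr ' ' '\n' | grep -qx "$POLICY"; then
        firewall-cmd --permanent --new-policy "$POLICY"
    fi
    firewall-cmd --permanent --policy "$POLICY" --add-ingress-zone "$LAN_ZONE"
    firewall-cmd --permanent --policy "$POLICY" --add-egress-zone "$WAN_ZONE"
    firewall-cmd --permanent --policy "$POLICY" --add-rich-rule="$(access_internet_rich_rule)"
    # Masquerade is a zone option on the zone the traffic leaves through.
    # The stock external zone already has it; re-adding only warns.
    firewall-cmd --permanent --zone="$WAN_ZONE" --add-masquerade
    # Permanent changes take effect only after a reload.
    firewall-cmd --reload
}

# Read the runtime state back, so a mistake shows up before testing from a VM.
verify_access_internet() {
    firewall-cmd --info-policy "$POLICY"
    firewall-cmd --zone="$WAN_ZONE" --query-masquerade
    sysctl net.ipv4.ip_forward
}

if command -v firewall-cmd >/dev/null 2>&1; then
    apply_access_internet
    verify_access_internet
else
    echo "firewall-cmd not found; run this as root on the firewalld host" >&2
fi
```

The policy target is left at its default (CONTINUE), so the rich rule's accept is what permits the forwarded traffic; without it, traffic from home to external falls through to the external zone's own target and is rejected, which matches the "Destination port unreachable" seen from the LAN. `--info-policy` should list both zones and the rule, `--query-masquerade` should print `yes`, and `net.ipv4.ip_forward` should be 1.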

Because this question was moved from the original thread

https://forums.opensuse.org/showthread.php/558656-firewalld-1-0-no-more-direct-rules-how-to-add-nat-masquerade/page2

the context of the original thread is missing. Before the failing command mentioned above, these three commands had been applied:

# firewall-cmd --permanent --new-policy AccessInternet
# firewall-cmd --permanent --policy AccessInternet --add-ingress-zone home
# firewall-cmd --permanent --policy AccessInternet --add-egress-zone external

The result of all of them was: success.
Access to the internet from the home zone was not possible, and the ping command to the external gateway (the gateway for the host system) reported "Destination port unreachable", but ping from the home zone to eth0 worked as expected.

man firewalld.policies contains no relevant information about policies.

My requirements for the zones are:
external: nothing is accessible from the internet, except selected services from specific endpoints.
home: nothing is blocked. There are only trusted devices. Virtualized machines have to be accessible from the home zone (LAN) like the other physical devices connected to the network.

Thank You

SOLVED!

There is an error in "source=..."; it must be "source address=...", then reload the firewall.

Thank You arvidjaar.