openSUSE 15.6 upgrade - masquerade/NAT no longer working (firewalld)

I successfully upgraded openSUSE 15.5 to openSUSE 15.6

But now I can no longer use this machine as a router / NAT / firewall between networks.
A long time ago I configured the following:
PC1, PC2 in network A (internal)
Linux PC with one network card in network A and a second card in network B.
Network B is behind my internet router and gives access to the internet.
The Linux PC will also act as a firewall against network B.

Network card eth0 is attached to network A and eth1 to network B.

Everything worked until I upgraded to the new version.

I already checked:

  • setting of firewall zone for the network cards in yast (the eth0 had been in the external zone but I changed it to the internal zone)
  • firewallD settings - I still have the old settings (see also below) and masquerade in external zone is active.
  • sysctl parameter net.ipv4.ip_forward = 1 is set
  • my old rules are present
    ipv4 filter FORWARD 10 -i eth0 -o eth1 -j ACCEPT
    ipv4 filter FORWARD 10 -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipv4 nat POSTROUTING 10 -o eth1 -j MASQUERADE
  • several reboots done.
  • deactivated and reactivated masquerade setting
  • tried setting a policy (internet tip) - without success
  • network is configured using the wicked service

The "router" / Linux PC can reach both networks.
Only PC1 and PC2 in the internal network cannot reach the internet.
But they can ping and log in to the Linux PC.

Does anyone have an idea what I can check to solve my problem?
I cannot see the error.


Verbal descriptions are not always sufficient. Please show us the actual current firewalld configuration.

sudo firewall-cmd --list-all-zones

What are those rules? Where are these rules defined?

Provide full output of

nft list ruleset
iptables -L -n -v
iptables -L -n -v -t nat

Upload to https://paste.opensuse.org/

I just want to prevent a long list:
firewall-cmd --list-all-zones
block
target: %%REJECT%%
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

dmz
target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

docker (active)
target: ACCEPT
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces: docker0
sources:
services:
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

drop
target: DROP
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

external (default, active)
target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces: eth1
sources:
services: ssh
ports:
protocols:
forward: no
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

home
target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

internal (active)
target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcp dhcpv6 dhcpv6-client dns http https mdns nfs nfs3 ntp samba samba-client ssh vsftpd
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

nm-shared
target: ACCEPT
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces:
sources:
services: dhcp ssh
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject

public
target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

trusted
target: ACCEPT
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

work
target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

And the part for the direct rules:
firewall-cmd --direct --get-all-rules
ipv4 filter FORWARD 10 -i eth0 -o eth1 -j ACCEPT
ipv4 filter FORWARD 10 -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
ipv4 nat POSTROUTING 10 -o eth1 -j MASQUERADE

The old rules were defined by firewall-cmd commands.
I am not using iptables directly.
Something like:
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 10 -o eth1 -j MASQUERADE
firewall-cmd --direct --add-rule ipv4 filter FORWARD 10 -i eth0 -o eth1 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 10 -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

In the past, I faced my problem several times after upgrading openSUSE.
Then just the masquerade setting on the external zone for the device was gone.
But this time, it is enabled.

I checked my configuration and it should work like in the past. I cannot see what is wrong now.
It seems just the forwarding is no longer working.

more output – sysctl:
cat /etc/sysctl.conf | grep -v "#"

cat /etc/sysctl.d/70-yast.conf | grep -v "#"
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.disable_ipv6 = 1

sysctl -a | grep ipv4|grep forw
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.bc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0

output of "ip addr":
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 80:ee:73:f9:62:ac brd ff:ff:ff:ff:ff:ff
altname enp1s0
inet 192.168.0.10/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 80:ee:73:f9:62:ab brd ff:ff:ff:ff:ff:ff
altname eno1
altname enp0s31f6
inet 192.168.178.200/24 brd 192.168.178.255 scope global eth1
valid_lft forever preferred_lft forever

Does anyone have an idea what could be wrong?

It seems setting a policy helped (the policy name was lost in the forum markup; <policy-name> below is a placeholder for the name you choose):
firewall-cmd --list-all-policies
firewall-cmd --permanent --new-policy=<policy-name>
firewall-cmd --permanent --policy=<policy-name> --add-ingress-zone=internal
firewall-cmd --permanent --policy=<policy-name> --add-egress-zone=external
firewall-cmd --permanent --policy=<policy-name> --set-target=ACCEPT
firewall-cmd --reload
firewall-cmd --list-all-policies
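Added example, not code from the thread: a small Python checker that parses the `--list-all-zones` and `--list-all-policies` output shown above and reports why forwarding from the eth0 zone to the eth1 zone fails (missing masquerade, or no ACCEPT policy between the zones). The sample listings are constructed and abbreviated from the output posted in this thread.

```python
# Constructed input, abbreviated from the zone listing posted in this thread.
ZONES_OUT = """\
external (default, active)
  interfaces: eth1
  masquerade: yes

internal (active)
  interfaces: eth0
  masquerade: no
"""
# Constructed: the only policy a fresh host ships with, i.e. before the fix.
POLICIES_OUT = """\
allow-host-ipv6 (active)
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
"""

def parse_listing(text):
    """Parse --list-all-zones / --list-all-policies output into {name: {key: value}}."""
    blocks, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip().startswith("rule "):  # skip rich rules
            continue
        if not line[0].isspace() and ":" not in line:  # "name (flags)" header
            cur = line.split()[0]
            blocks[cur] = {}
        elif cur is not None:
            key, _, val = line.strip().partition(":")
            blocks[cur][key] = val.strip()
    return blocks

def zone_of(zones, iface):
    """Name of the zone that binds iface, or None."""
    return next((z for z, v in zones.items() if iface in v.get("interfaces", "").split()), None)

def check_forward_path(zones, policies, in_if, out_if):
    """List what blocks NAT forwarding from in_if to out_if (empty list = looks fine)."""
    zin, zout = zone_of(zones, in_if), zone_of(zones, out_if)
    if zin is None or zout is None:
        return [f"interface {in_if if zin is None else out_if} is not in any zone"]
    problems = []
    if zones[zout].get("masquerade") != "yes":
        problems.append(f"masquerade is off on egress zone {zout}")
    # firewalld >= 1.0 rejects cross-zone forwarding unless a policy accepts it.
    covers = lambda val, z: "ANY" in val.split() or z in val.split()
    ok = any(p.get("target") == "ACCEPT" and covers(p.get("ingress-zones", ""), zin)
             and covers(p.get("egress-zones", ""), zout) for p in policies.values())
    if not ok:
        problems.append(f"no ACCEPT policy from zone {zin} to zone {zout}")
    return problems
```

Feed it the real output of the two `firewall-cmd --list-all-*` commands on the router to see which of the two conditions is missing before and after creating the policy.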


Thanks, your thread saved my situation. I am wondering where exactly the differences from 15.5 to 15.6 are; on a machine still on 15.5 I don't see any policies set except for the default allow-host-ipv6, which is present the same way in both 15.6 and 15.5.

So how come there is such a relevant massive change when it comes to routing and masquerading? I was also using simple Leap setups for this. A long time ago I used to use shorewall, and I very much liked the config files there; I must have gotten unfamiliar with all the aspects of the network stack, firewalling and packet flow.

If I have understood this correctly from the instructions, communication between zones is now interrupted by default with FirewallD.
Therefore, this must now be explicitly activated.
However, I have only seen the way to do this via policies.
Some frequently used ways will also no longer be supported in the future (perhaps even with this version).


Where have you read about these changes? Is there any documentation about this anywhere? Thanks. The policy name can be just anything I make up, right? Is there a best practice in such cases to name the policy a certain way? Also, how does this all correspond to the zone names that come with a normal openSUSE installation, such as work, trusted, home, dmz, external, internal, but also such weird, rather technical names as drop, block etc.? I wonder what I am still missing and not understanding just yet.

The name of the policy can be chosen as you like - I think just up to 18 characters.
I would name it in a way humans can understand. You have one more to create when you use hostapd.
The name could be something like "fwd-int-ext" - personally I would add a short combination of characters to mark it as a policy I created, not a system-generated or default one. I often use an abbreviation of my name or my company for that.

The default zones are a kind of best practice to use.
An overview can be found here: Firewalld zone concept
A little bit regarding policies can also be found here: Firewalld Policies

I read so many documents in the last days - I could not tell you where I found the small snippets which led me to this solution.

I think the firewalld project was too quiet to tell everyone about the new features. Most of the time you will find the old way to configure this functionality on the internet.

Yes, thanks. I was just wondering where exactly the change came from that introduced some kind of default policies, which are now applied and block traffic flow on Leap 15.6 in contrast to before. Maybe some firewalld changelog or so will show something. Thanks.

Upstream changes can be followed here:

Thank you! This should be in the release notes!
