I've just installed Fedora 19 and I'm using firewalld instead of iptables, but I'm having difficulty interpreting the new terminology.
I have 2 NICs. One is specified ZONE="internal" and the other "external" in the ifcfg-* files, I have set ipv4.forwarding = 1 in /etc/sysctl.conf, and run firewall-cmd --zone=external --add-masquerade
However, when I attempt to route from any machine on the internal network I'm getting Destination Host Prohibited and of course if I disable firewalld the error goes away but then I lose masquerading.
In iptables there was a ruleset called FORWARD, but in firewalld I can only find --add-port-forward which isn't the same thing.
How do I allow routing in firewalld?
... I made some progress ...
# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens4 -o eth1 -j ACCEPT
Will allow routing, but it's not persistent, and doesn't allow the --permanent option. How do I make this persistent across reboots?
Answer
Finally, I found the answer ...
# cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i eth0 -o eth1 -j ACCEPT</rule>
</direct>
This feature appeared in firewalld-0.3.4-1.fc19; there is no firewall-cmd support yet, and the man page was omitted, but it WORKS
Eventually found it in the following mailing list http://www.spinics.net/linux/fedora/fedora-security/msg01688.html
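As an added example (editor's code, not part of the original question or answer), the script below renders the persistent direct.xml that the answer describes, refuses to emit a rule that would open the external-to-internal direction, and includes a checker that confirms an existing direct.xml carries the expected internal-to-external ACCEPT. The interface names eth0/eth1, the output path and the function names are assumptions for illustration; only the internal-to-external direction is opened because firewalld's own FORWARD chain already accepts RELATED,ESTABLISHED traffic before it reaches the direct rules, so replies flow back without a second ACCEPT.

```shell
#!/bin/sh
# Added example (not from the original post): persistent firewalld direct
# rules for routing between two zones. Interface names and paths are
# assumptions; adjust them to the host.

# Render a complete /etc/firewalld/direct.xml that accepts forwarded
# traffic only from the internal NIC to the external NIC.
# Usage: render_direct_xml <internal_if> <external_if>
render_direct_xml() {
    in_if=$1
    out_if=$2
    if [ -z "$in_if" ] || [ -z "$out_if" ] || [ "$in_if" = "$out_if" ]; then
        echo "usage: render_direct_xml <internal_if> <external_if> (must differ)" >&2
        return 1
    fi
    # Deliberately no "-i $out_if -o $in_if -j ACCEPT": that would let
    # hosts beyond the external NIC initiate connections into the LAN.
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i $in_if -o $out_if -j ACCEPT</rule>
</direct>
EOF
}

# Check that an existing direct.xml contains the internal->external
# ACCEPT for the given pair of interfaces. Returns 0 if present, 1 if not.
# Usage: direct_xml_has_forward <file> <internal_if> <external_if>
direct_xml_has_forward() {
    file=$1
    in_if=$2
    out_if=$3
    [ -r "$file" ] || return 1
    grep -q "chain=\"FORWARD\">-i $in_if -o $out_if -j ACCEPT</rule>" "$file"
}

# Detect the unsafe reverse rule (external->internal ACCEPT) in a file.
# Returns 0 if such a rule is present, 1 otherwise.
# Usage: direct_xml_has_reverse <file> <internal_if> <external_if>
direct_xml_has_reverse() {
    file=$1
    in_if=$2
    out_if=$3
    [ -r "$file" ] || return 1
    grep -q "chain=\"FORWARD\">-i $out_if -o $in_if -j ACCEPT</rule>" "$file"
}

# When run directly with two interface names, print the document to stdout;
# redirect it to /etc/firewalld/direct.xml and run "firewall-cmd --reload".
# Later firewalld releases accept the same rule on the command line:
#   firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
#       -i eth0 -o eth1 -j ACCEPT
# The kernel side must also be enabled and persisted, e.g. a line
# "net.ipv4.ip_forward = 1" in /etc/sysctl.d/ and "sysctl --system".
if [ "$#" -eq 2 ]; then
    render_direct_xml "$1" "$2"
fi
```

Run it as `sh direct-forward.sh eth0 eth1 > /etc/firewalld/direct.xml` (as root) and then `firewall-cmd --reload`; afterwards `direct_xml_has_forward /etc/firewalld/direct.xml eth0 eth1` should succeed and `direct_xml_has_reverse` should fail, which is the state you want before trusting the box as a gateway.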