Firewall Configuration

Hi,
Greetings!
I need some help in configuring firewalld for my Rocky Linux 9.3 setup as a router. My setup is appended below:

  • Two NICs configured with in on zone “internal” and on zone “external”. A static route is created to which routed via on . With firewalld service running I am able to ping any host on from a host on , but not able to avail services on . If I stop firewalld service I am able to access the services on but no internet access through .

Please help me. Thanking everyone in advance.

See RL9.3 firewalld 2 zones - #3 by jlehtone

Hi @jlehtone
Thanks for the response.
With the static routing, firewalld rules and policies I am able to browse internet from all internal hosts. But unable to avail services from another private network. The data has to flow through internal nic to another gateway which is not happening.

Let's try to be more clear.

There are clearly at least two subnets? I’ll call the first two “LAN” and “WAN”.
Let's say the LAN is 10.0.0.0/24 and WAN is 10.20.0.0/24 for the example.

Everyone, who has interface on LAN does have automatic, link-local route
to 10.0.0.0/24 from interface.
The Rocky router has interface “internal” on LAN and it has address 10.0.0.254.
Everybody else on LAN has default via 10.0.0.254

The Rocky router has interface “external” on LAN and it has address 10.20.0.1.
Therefore, it has another link-local route to 10.20.0.0/24 from external.

Presumably, the WAN has another router (10.20.0.254) too, the gateway to elsewhere,
and the Rocky therefore has route default via 10.20.0.254


Given that base, what/where is the “another private network”?

The other router is not on the WAN, but on LAN. I have another network 10.10.0.0/24 for which the route is via 10.0.0.253 (which is same LAN, static routed).
If I stop firewalld, I could avail services from the network 10.10.0.0/24 but no internet on WAN.
If I start firewalld, I could avail service of internet from WAN but no services from network 10.10.0.0/24.

In other words, the LAN has a second router with address 10.0.0.253 that is the gateway to SRV 10.10.0.0/24?

Logically, every member of LAN has additional route: to 10.10.0.0/24 via 10.0.0.253
(that I would give them via DHCP). Since this would have nothing to do with the Rocky router, its config should not matter.

Yes.

All the Windows hosts in 10.0.0.0/24 have 10.0.0.254 as gateway. So traffic has path like host > 10.0.0.254 > 10.0.0.253 > 10.10.0.0/24 and back.

This is working with my other similar setup. In it is Rocky Linux 9.0. As the HDD of that system is about to fail I am installing latest Rocky Linux 9.3 but encountering this problem.

However, I am planning to re-install Rocky Linux 9.0 and hope that will work.

Thank you for your responses.

Ok, host (10.0.0.3) creates a packet: SRC=10.0.0.3 DST=10.10.0.7
Not link-local, so it goes to 10.0.0.254.
Router A has route to 10.10.0.0/24, so it forwards the SRC=10.0.0.3 DST=10.10.0.7 to B 10.0.0.253.
Router B forwards SRC=10.0.0.3 DST=10.10.0.7 towards destination.

10.10.0.7 creates a reply and it gets to router B. Where does B send SRC=10.10.0.7 DST=10.0.0.3?
To link-local 10.0.0.3. All that seems ok, despite the asymmetry.

Except perhaps the fact that A receives from internal zone and forwards it to internal zone. Same interface, nonetheless.

Does internal zone allow such forwards? You can check the actual rules from kernel with:

nft list ruleset

Are there rules to allow the intra-zone forward?


IMHO, it would be much cleaner if all the hosts on LAN had the static route. As said, one can (and should) use DHCP to configure them.
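The packet walk above, as an added example that is not part of jlehtone's post or the original thread: a small Python model of the topology, using the addresses from the thread (LAN 10.0.0.0/24 with router A at 10.0.0.254, WAN 10.20.0.0/24, 10.10.0.0/24 behind router B at 10.0.0.253). The WAN gateway 10.20.0.254, the host address 10.0.0.3, the server 10.10.0.7 and the interface names on B are constructed for the example. Each node does a longest-prefix-match route lookup and the trace follows the request and the reply hop by hop. It shows that for 10.10.0.0/24 traffic router A forwards internal-to-internal on the request and never sees the reply, while for WAN traffic it forwards both directions. That one-sided view is what a stateful firewall on A has to live with: its conntrack never sees the server's SYN/ACK, so later packets of the same TCP session can be classified INVALID, and the intra-zone forward in the internal zone must be permitted at all.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed topology modelled on the thread. A route entry is
# (prefix, next_hop or None when directly connected, outgoing interface).
TOPOLOGY: Dict[str, Dict] = {
    "host": {"addrs": {"10.0.0.3": "eth0"},
             "routes": [("10.0.0.0/24", None, "eth0"),
                        ("0.0.0.0/0", "10.0.0.254", "eth0")]},
    # Router A: the Rocky box, zones "internal" and "external".
    "A": {"addrs": {"10.0.0.254": "internal", "10.20.0.1": "external"},
          "routes": [("10.0.0.0/24", None, "internal"),
                     ("10.20.0.0/24", None, "external"),
                     ("10.10.0.0/24", "10.0.0.253", "internal"),   # the static route
                     ("0.0.0.0/0", "10.20.0.254", "external")]},
    # Router B: gateway to 10.10.0.0/24 (interface names assumed).
    "B": {"addrs": {"10.0.0.253": "lan", "10.10.0.1": "srv"},
          "routes": [("10.0.0.0/24", None, "lan"),
                     ("10.10.0.0/24", None, "srv"),
                     ("0.0.0.0/0", "10.0.0.254", "lan")]},
    "srv": {"addrs": {"10.10.0.7": "eth0"},
            "routes": [("10.10.0.0/24", None, "eth0"),
                       ("0.0.0.0/0", "10.10.0.1", "eth0")]},
    # WAN gateway (assumed to route back to LAN via the Rocky box).
    "wan_gw": {"addrs": {"10.20.0.254": "eth0"},
               "routes": [("10.20.0.0/24", None, "eth0"),
                          ("0.0.0.0/0", "10.20.0.1", "eth0")]},
}


def owner(ip: str) -> str:
    """Name of the node that holds this address."""
    for name, node in TOPOLOGY.items():
        if ip in node["addrs"]:
            return name
    raise LookupError(f"no node owns {ip}")


def lookup(node: str, dst: str) -> Tuple[Optional[str], str]:
    """Longest-prefix-match route lookup; returns (next_hop, out_iface)."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in TOPOLOGY[node]["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        raise LookupError(f"{node}: no route to {dst}")
    return best[1], best[2]


def trace(src: str, dst: str) -> List[Tuple[str, str, str]]:
    """Hops as (node, in_iface, out_iface); '-' marks the endpoints."""
    node, in_iface, hops = owner(src), "-", []
    for _ in range(16):                      # loop guard against routing loops
        if dst in TOPOLOGY[node]["addrs"]:
            hops.append((node, in_iface, "-"))
            return hops
        next_hop, out_iface = lookup(node, dst)
        hops.append((node, in_iface, out_iface))
        arrive_at = next_hop if next_hop else dst   # directly connected: deliver to dst
        node = owner(arrive_at)
        in_iface = TOPOLOGY[node]["addrs"][arrive_at]
    raise RuntimeError("routing loop")


def forwarded_through(path, node: str) -> Optional[Tuple[str, str]]:
    """(in_iface, out_iface) if node forwards a packet on this path, else None."""
    for name, in_iface, out_iface in path:
        if name == node and in_iface != "-" and out_iface != "-":
            return (in_iface, out_iface)
    return None


def firewall_view(node: str, client: str, server: str) -> Dict[str, Optional[Tuple[str, str]]]:
    """Which directions of a client/server flow a firewall on `node` actually sees."""
    return {"request": forwarded_through(trace(client, server), node),
            "reply": forwarded_through(trace(server, client), node)}


if __name__ == "__main__":
    for client, server in (("10.0.0.3", "10.10.0.7"), ("10.0.0.3", "10.20.0.254")):
        print(f"{client} -> {server}:", " > ".join(n for n, _, _ in trace(client, server)))
        print(f"{server} -> {client}:", " > ".join(n for n, _, _ in trace(server, client)))
        print("  seen by A:", firewall_view("A", client, server))
```

The WAN flow is the symmetric case (A sees internal-to-external and external-to-internal), the 10.10.0.0/24 flow is the asymmetric one; giving every LAN host the 10.10.0.0/24 route via 10.0.0.253 directly (for instance through DHCP, as suggested above) removes router A from that path entirely, which is why the firewall configuration then stops mattering for it.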

Hi @jlehtone

As said earlier, I created the static routes during re-installation of Rocky Linux 9.3 and completed the setup. Now my requirements are satisfied.

Thanks for your support.

If I want to use a Linux box as firewall, then I’d use iptables, and remove any other firewall tools and even NetworkManager. This makes my life 10 times easier.

The OP’s issue can be fixed instead of the re-installation of the OS. Based on jlehtone’s analysis, I would like to fix the asymmetrical path. I put two options here:

Option 1: To allow asymmetry in this case, add a FORWARD rule like this:
iptables -A FORWARD -s 10.0.0.0/24 -d 10.10.0.0/24 -m state --state INVALID -j ACCEPT
Be careful about the order of this rule. Put it before a similar DROP rule, something like this:
iptables -A FORWARD -m state --state INVALID -j DROP

Option 2: To avoid asymmetry, add a POSTROUTING rule in the nat table instead:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.10.0.0/24 -j MASQUERADE

So choose one of the options, it should work. But anyway we need a clear picture of firewall rules.

When you know what you are doing (although with FirewallD, knowing does not seem to help as much).

RHEL 8 and RHEL 9 (and hence both Rocky) do have nf-tables in kernel. (In fact, Red Hat did backport nf-tables into the RHEL 7 kernel too.) There is thus no more legacy iptables in Rocky; the command ‘iptables’ is a mere wrapper to nftables, the tool to use is nft, and the corresponding alternative to firewalld.service is nftables.service.

Therefore,

If I want to use a Linux box as firewall, then I’d use nftables, …


Red Hat does push NetworkManager, and with package NetworkManager-config-server it “behaves” decently. Add use of Ansible role rhel-system-roles.network and you don’t have to talk to NetworkManager directly.