Thank you for the SOCKS5 trick! :).
So new outbound connections do work. The problem is that after the connection is established, it simply times out on my end. For example, `tcpdump` shows the `wget` call (as an example) connect and send the `GET /`… but that's where it ends. So port 80 is open for outbound, but the content isn't routed back. However, ICMP is working fine.
In your example for the policy you're using `CONTINUE` as the target; I'm using `ACCEPT` as the target. I want all outbound traffic issued from within the local network to go out as normal, so I don't believe the explicit service additions (`http`, `https`, etc.) are required — not to mention the traffic is going out… it's just hanging. Here is an example:
wget yahoo.ca
--2022-09-18 16:55:33-- http://yahoo.ca/
Resolving yahoo.ca (yahoo.ca)... 74.6.136.150, 98.136.103.23, 212.82.100.150
Connecting to yahoo.ca (yahoo.ca)|74.6.136.150|:80... connected.
HTTP request sent, awaiting response...
<hung>
# But you can see the connection is established... wireshark shows the GET / going out too
# No response back... :(
Edit:
One difference I see is that you are applying your policy at priority `-1`, while I was using `100`. I tried moving it to `-1` without any luck. I also tried adding `http` as a service to it, with the same results: ICMP works, the connection works, but beyond just establishing the connection, that's the end of it.
Here are some more outputs for you.
firewall-cmd --get-active-zones
docker
interfaces: docker0
external
interfaces: eno8303
internal
interfaces: eno8403
firewall-cmd --zone=external --list-all
external (active)
target: default
icmp-block-inversion: no
interfaces: eno8303
sources:
services: http https ssh
ports:
protocols:
forward: no
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
firewall-cmd --zone=internal --list-all
internal (active)
target: default
icmp-block-inversion: no
interfaces: eno8403
sources:
services: cockpit dhcp dhcpv6-client dns http https mdns mysql ntp postgresql samba samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
firewall-cmd --list-all-policies
allow-host-ipv6 (active)
priority: -15000
target: CONTINUE
ingress-zones: ANY
egress-zones: HOST
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv6" icmp-type name="neighbour-advertisement" accept
rule family="ipv6" icmp-type name="neighbour-solicitation" accept
rule family="ipv6" icmp-type name="router-advertisement" accept
rule family="ipv6" icmp-type name="redirect" accept
int_to_ext (active)
priority: 100
target: ACCEPT
ingress-zones: internal
egress-zones: external
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
nft list ruleset
table inet firewalld {
ct helper helper-netbios-ns-udp {
type "netbios-ns" protocol udp
l3proto ip
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
}
chain mangle_PREROUTING_ZONES {
iifname "docker0" goto mangle_PRE_docker
iifname "eno8403" goto mangle_PRE_internal
iifname "eno8303" goto mangle_PRE_external
goto mangle_PRE_external
}
chain mangle_PREROUTING_POLICIES_post {
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_POLICIES_pre {
jump nat_PRE_policy_allow-host-ipv6
}
chain nat_PREROUTING_ZONES {
iifname "docker0" goto nat_PRE_docker
iifname "eno8403" goto nat_PRE_internal
iifname "eno8303" goto nat_PRE_external
goto nat_PRE_external
}
chain nat_PREROUTING_POLICIES_post {
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_POLICIES_pre {
}
chain nat_POSTROUTING_ZONES {
oifname "docker0" goto nat_POST_docker
oifname "eno8403" goto nat_POST_internal
oifname "eno8303" goto nat_POST_external
goto nat_POST_external
}
chain nat_POSTROUTING_POLICIES_post {
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing log prefix "rpfilter_DROP: " drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES
ct state { invalid } log prefix "STATE_INVALID_DROP: "
ct state { invalid } drop
log prefix "FINAL_REJECT: "
reject with icmpx type admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
jump filter_FORWARD_ZONES
ct state { invalid } log prefix "STATE_INVALID_DROP: "
ct state { invalid } drop
log prefix "FINAL_REJECT: "
reject with icmpx type admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
jump filter_OUTPUT_POLICIES_pre
jump filter_OUTPUT_POLICIES_post
}
chain filter_INPUT_POLICIES_pre {
jump filter_IN_policy_allow-host-ipv6
}
chain filter_INPUT_ZONES {
iifname "docker0" goto filter_IN_docker
iifname "eno8403" goto filter_IN_internal
iifname "eno8303" goto filter_IN_external
goto filter_IN_external
}
chain filter_INPUT_POLICIES_post {
}
chain filter_FORWARD_POLICIES_pre {
}
chain filter_FORWARD_ZONES {
iifname "docker0" goto filter_FWD_docker
iifname "eno8403" goto filter_FWD_internal
iifname "eno8303" goto filter_FWD_external
goto filter_FWD_external
}
chain filter_FORWARD_POLICIES_post {
iifname { "eno8403" } oifname { "eno8303" } jump filter_FWD_policy_int_to_ext
}
chain filter_OUTPUT_POLICIES_pre {
}
chain filter_OUTPUT_POLICIES_post {
}
chain filter_IN_external {
jump filter_INPUT_POLICIES_pre
jump filter_IN_external_pre
jump filter_IN_external_log
jump filter_IN_external_deny
jump filter_IN_external_allow
jump filter_IN_external_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
log prefix ""filter_IN_external_REJECT: ""
reject with icmpx type admin-prohibited
}
chain filter_IN_external_pre {
}
chain filter_IN_external_log {
}
chain filter_IN_external_deny {
}
chain filter_IN_external_allow {
tcp dport 22 ct state { new, untracked } accept
tcp dport 80 ct state { new, untracked } accept
tcp dport 443 ct state { new, untracked } accept
}
chain filter_IN_external_post {
}
chain nat_POST_external {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_external_pre
jump nat_POST_external_log
jump nat_POST_external_deny
jump nat_POST_external_allow
jump nat_POST_external_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_external_pre {
}
chain nat_POST_external_log {
}
chain nat_POST_external_deny {
}
chain nat_POST_external_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_external_post {
}
chain filter_FWD_external {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_external_pre
jump filter_FWD_external_log
jump filter_FWD_external_deny
jump filter_FWD_external_allow
jump filter_FWD_external_post
jump filter_FORWARD_POLICIES_post
log prefix ""filter_FWD_external_REJECT: ""
reject with icmpx type admin-prohibited
}
chain filter_FWD_external_pre {
}
chain filter_FWD_external_log {
}
chain filter_FWD_external_deny {
}
chain filter_FWD_external_allow {
}
chain filter_FWD_external_post {
}
chain nat_PRE_external {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_external_pre
jump nat_PRE_external_log
jump nat_PRE_external_deny
jump nat_PRE_external_allow
jump nat_PRE_external_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_external_pre {
}
chain nat_PRE_external_log {
}
chain nat_PRE_external_deny {
}
chain nat_PRE_external_allow {
}
chain nat_PRE_external_post {
}
chain mangle_PRE_external {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_external_pre
jump mangle_PRE_external_log
jump mangle_PRE_external_deny
jump mangle_PRE_external_allow
jump mangle_PRE_external_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_external_pre {
}
chain mangle_PRE_external_log {
}
chain mangle_PRE_external_deny {
}
chain mangle_PRE_external_allow {
}
chain mangle_PRE_external_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
chain filter_IN_internal {
jump filter_INPUT_POLICIES_pre
jump filter_IN_internal_pre
jump filter_IN_internal_log
jump filter_IN_internal_deny
jump filter_IN_internal_allow
jump filter_IN_internal_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
log prefix ""filter_IN_internal_REJECT: ""
reject with icmpx type admin-prohibited
}
chain filter_IN_internal_pre {
}
chain filter_IN_internal_log {
}
chain filter_IN_internal_deny {
}
chain filter_IN_internal_allow {
tcp dport 22 ct state { new, untracked } accept
ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept
ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept
udp dport 137 ct helper set "helper-netbios-ns-udp"
udp dport 137 ct state { new, untracked } accept
udp dport 138 ct state { new, untracked } accept
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
tcp dport 9090 ct state { new, untracked } accept
tcp dport 80 ct state { new, untracked } accept
tcp dport 443 ct state { new, untracked } accept
udp dport 67 ct state { new, untracked } accept
udp dport 123 ct state { new, untracked } accept
tcp dport 53 ct state { new, untracked } accept
udp dport 53 ct state { new, untracked } accept
tcp dport 3306 ct state { new, untracked } accept
tcp dport 5432 ct state { new, untracked } accept
tcp dport 139 ct state { new, untracked } accept
tcp dport 445 ct state { new, untracked } accept
}
chain filter_IN_internal_post {
}
chain nat_POST_internal {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_internal_pre
jump nat_POST_internal_log
jump nat_POST_internal_deny
jump nat_POST_internal_allow
jump nat_POST_internal_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_internal_pre {
}
chain nat_POST_internal_log {
}
chain nat_POST_internal_deny {
}
chain nat_POST_internal_allow {
}
chain nat_POST_internal_post {
}
chain filter_FWD_internal {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_internal_pre
jump filter_FWD_internal_log
jump filter_FWD_internal_deny
jump filter_FWD_internal_allow
jump filter_FWD_internal_post
jump filter_FORWARD_POLICIES_post
log prefix ""filter_FWD_internal_REJECT: ""
reject with icmpx type admin-prohibited
}
chain filter_FWD_internal_pre {
}
chain filter_FWD_internal_log {
}
chain filter_FWD_internal_deny {
}
chain filter_FWD_internal_allow {
oifname "eno8403" accept
}
chain filter_FWD_internal_post {
}
chain nat_PRE_internal {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_internal_pre
jump nat_PRE_internal_log
jump nat_PRE_internal_deny
jump nat_PRE_internal_allow
jump nat_PRE_internal_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_internal_pre {
}
chain nat_PRE_internal_log {
}
chain nat_PRE_internal_deny {
}
chain nat_PRE_internal_allow {
}
chain nat_PRE_internal_post {
}
chain mangle_PRE_internal {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_internal_pre
jump mangle_PRE_internal_log
jump mangle_PRE_internal_deny
jump mangle_PRE_internal_allow
jump mangle_PRE_internal_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_internal_pre {
}
chain mangle_PRE_internal_log {
}
chain mangle_PRE_internal_deny {
}
chain mangle_PRE_internal_allow {
}
chain mangle_PRE_internal_post {
}
chain filter_FWD_policy_int_to_ext {
jump filter_FWD_policy_int_to_ext_pre
jump filter_FWD_policy_int_to_ext_log
jump filter_FWD_policy_int_to_ext_deny
jump filter_FWD_policy_int_to_ext_allow
jump filter_FWD_policy_int_to_ext_post
accept
}
chain filter_FWD_policy_int_to_ext_pre {
}
chain filter_FWD_policy_int_to_ext_log {
}
chain filter_FWD_policy_int_to_ext_deny {
}
chain filter_FWD_policy_int_to_ext_allow {
}
chain filter_FWD_policy_int_to_ext_post {
}
chain filter_IN_docker {
jump filter_INPUT_POLICIES_pre
jump filter_IN_docker_pre
jump filter_IN_docker_log
jump filter_IN_docker_deny
jump filter_IN_docker_allow
jump filter_IN_docker_post
jump filter_INPUT_POLICIES_post
accept
}
chain filter_IN_docker_pre {
}
chain filter_IN_docker_log {
}
chain filter_IN_docker_deny {
}
chain filter_IN_docker_allow {
}
chain filter_IN_docker_post {
}
chain nat_POST_docker {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_docker_pre
jump nat_POST_docker_log
jump nat_POST_docker_deny
jump nat_POST_docker_allow
jump nat_POST_docker_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_docker_pre {
}
chain nat_POST_docker_log {
}
chain nat_POST_docker_deny {
}
chain nat_POST_docker_allow {
}
chain nat_POST_docker_post {
}
chain filter_FWD_docker {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_docker_pre
jump filter_FWD_docker_log
jump filter_FWD_docker_deny
jump filter_FWD_docker_allow
jump filter_FWD_docker_post
jump filter_FORWARD_POLICIES_post
accept
}
chain filter_FWD_docker_pre {
}
chain filter_FWD_docker_log {
}
chain filter_FWD_docker_deny {
}
chain filter_FWD_docker_allow {
oifname "docker0" accept
}
chain filter_FWD_docker_post {
}
chain nat_PRE_docker {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_docker_pre
jump nat_PRE_docker_log
jump nat_PRE_docker_deny
jump nat_PRE_docker_allow
jump nat_PRE_docker_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_docker_pre {
}
chain nat_PRE_docker_log {
}
chain nat_PRE_docker_deny {
}
chain nat_PRE_docker_allow {
}
chain nat_PRE_docker_post {
}
chain mangle_PRE_docker {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_docker_pre
jump mangle_PRE_docker_log
jump mangle_PRE_docker_deny
jump mangle_PRE_docker_allow
jump mangle_PRE_docker_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_docker_pre {
}
chain mangle_PRE_docker_log {
}
chain mangle_PRE_docker_deny {
}
chain mangle_PRE_docker_allow {
}
chain mangle_PRE_docker_post {
}
}
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
meta l4proto tcp tcp dport 22 # match-set f2b-sshd src counter packets 493 bytes 40856 reject
}
chain DOCKER {
iifname != "docker0" oifname "docker0" meta l4proto tcp ip daddr 172.17.0.2 tcp dport 443 counter packets 0 bytes 0 accept
iifname != "docker0" oifname "docker0" meta l4proto tcp ip daddr 172.17.0.2 tcp dport 22 counter packets 0 bytes 0 accept
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 379743 bytes 157355335 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 379714 bytes 157351467 jump DOCKER-USER
counter packets 379719 bytes 157352208 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
}
chain DOCKER-USER {
counter packets 379714 bytes 157351467 return
}
}
table ip nat {
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
iifname != "docker0" meta l4proto tcp tcp dport 30443 counter packets 0 bytes 0 dnat to 172.17.0.2:443
iifname != "docker0" meta l4proto tcp tcp dport 30022 counter packets 0 bytes 0 dnat to 172.17.0.2:22
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.17.0.2 ip daddr 172.17.0.2 tcp dport 443 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.17.0.2 ip daddr 172.17.0.2 tcp dport 22 counter packets 0 bytes 0 masquerade
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 239473 bytes 18282843 jump DOCKER
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 358 bytes 21886 jump DOCKER
}
}