Replacing iptables (CentOS 7) with firewalld (Rocky 9)

firewalld configuration is NOT harder; it's just different. I’m currently running Rocky 9 as my firewall/router after moving to R9 from CentOS 7. The only somewhat obscure part is to use policies to set up your ingress and egress rules with something like:

firewall-cmd --policy internal-external --add-egress-zone=external --permanent
firewall-cmd --policy internal-external --add-ingress-zone=public --permanent
firewall-cmd --policy internal-external --set-target=ACCEPT --permanent

You then configure zone public for whatever access you need from internal systems to your router/firewall and configure zone external to allow access to any services you expose to the outside world. NAT is already configured/allowed.

You may need to do something like:

firewall-cmd --permanent --zone=external --change-interface=eno2

to get the right NIC into the right zone.

I’ve found firewalld and using firewall-cmd to configure the firewall to be much easier than doing hand edits of iptables. YMMV.
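As an added example (not the poster's own configuration), the script below strings the same firewall-cmd ideas together for a router with three zones: interfaces assigned with --change-interface, inter-zone traffic controlled by policies with ingress/egress zones and a target, masquerade on the WAN zone, and exposed services DNAT'd with --add-forward-port or logged with a rich rule. The zone name servers, the interface names, and the 10.0.0.10 address are assumed placeholders; set FWCMD=echo to preview the generated commands without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: a policy-based multi-zone firewalld layout.
# Interface names, the custom zone 'servers' and 10.0.0.10 are ASSUMED placeholders.
# Preview:  FWCMD=echo sh fw-zones.sh apply
# Apply:    sh fw-zones.sh apply      (on the router, as root)
FWCMD="${FWCMD:-firewall-cmd}"

WAN_IF="${WAN_IF:-eno2}"   # faces the outside world -> zone external
LAN_IF="${LAN_IF:-eno1}"   # internal clients        -> zone public
DMZ_IF="${DMZ_IF:-eno3}"   # exposed servers         -> custom zone servers

# Every change is made permanent; a single --reload activates them at the end.
fw() { "$FWCMD" --permanent "$@"; }

setup_zones() {
    fw --new-zone=servers
    fw --zone=external --change-interface="$WAN_IF"
    fw --zone=public --change-interface="$LAN_IF"
    fw --zone=servers --change-interface="$DMZ_IF"
    # zone external masquerades by default; state it explicitly so it survives edits
    fw --zone=external --add-masquerade
}

# A policy is evaluated for traffic entering via $ingress and leaving via $egress.
add_policy() {
    name=$1; ingress=$2; egress=$3; target=$4
    fw --new-policy="$name"
    fw --policy="$name" --add-ingress-zone="$ingress"
    fw --policy="$name" --add-egress-zone="$egress"
    fw --policy="$name" --set-target="$target"
}

setup_policies() {
    add_policy lan-to-wan public external ACCEPT
    add_policy lan-to-servers public servers ACCEPT
    # servers may only initiate DNS towards the LAN; everything else is dropped
    add_policy servers-to-lan servers public DROP
    fw --policy=servers-to-lan --add-service=dns
}

# DNAT one inbound port on the WAN zone to an internal host (needs masquerade).
expose_service() {
    port=$1; proto=$2; toaddr=$3
    fw --zone=external --add-forward-port="port=${port}:proto=${proto}:toaddr=${toaddr}"
}

setup_exposed() {
    expose_service 443 tcp 10.0.0.10
    # SSH from the outside: rate-limited log line, then accept
    fw --zone=external --add-rich-rule='rule family="ipv4" service name="ssh" log prefix="wan-ssh " level="info" limit value="5/m" accept'
    # IPv6 needs no NAT; just open the service on the WAN zone
    fw --zone=external --add-rich-rule='rule family="ipv6" service name="https" accept'
}

apply_all() {
    setup_zones
    setup_policies
    setup_exposed
    "$FWCMD" --reload
}

case "${1:-}" in
    apply) apply_all ;;
esac
```

With FWCMD=echo the functions print the exact firewall-cmd invocations, which makes it easy to review the rule set before applying it, or to diff two revisions of the layout.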

My challenge is that every example of firewalld I’ve seen has been far too simplistic.

A simple NAT gateway is easy. But my network is a little more complicated :slight_smile:

In my scenario I have 4 zones (some needing NAT, others that don’t), with a bunch of specialised rules that define the communication between zones, a number of exposed services that need to be DNAT’d so people in the external zone can reach internal resources (some with logging, some without) and finally that pesky “reflection” problem.

Oh, and different rules for IPv6.

All in all this takes 88 nft rules to define; 64 for IPv4 and 24 for IPv6.

I have no idea how I’d implement all that with firewalld!

Suggestion: try setting up your current four zones as custom zones in firewalld and build as much of the rule set as you can. You’ll probably find that the translation to firewall-cmd instead of nmcli and nft rules is easier than you might expect. I had good luck by setting up some VMs to mimic as much of my network as I needed (use some other subnet than your production network) and played around with firewalld/firewall-cmd there. I ended up with a 10.0.0.0/24 net that NATed to my 192.168.0.0/24 net and then got to the outside world. If you go this route, broadcast services like DHCP are a pain. I didn’t try setting up port forwarding from the 192-net to a system on the 10-net but that should be possible. May give it a shot.

Well, I’ve done it all in nft now; apparently RH say this is a viable approach (Message #5), so I’ve no need to redo it now! Maybe in 8 years time when RL9 is EOL and I’ll have to work out how RL11 does things :rofl:

If anyone is interested, I’ve written up my learnings here: nmcli and nft rules and more.