On a Linux Centos7, I have some traffic that is routed with static routes from one interface to another.
I did notice that with firewalld activated, both interfaces added in a zone, and nothing allowed in this zone, all the traffic is still routed without any restriction.
I tried to configure ip_forward=0: then the traffic was not routed anymore.
Then I added FORWARD rules in firewalld direct.xml: the traffic was routed and filtered.
My questions are:
- Does ip_forward kernel setting "bypass" firewalld?
- Why is it explained on various forums that ip_forward is mandatory to route traffic from one interface to another, if using an iptables FORWARD works with this setting disabled?
I found very few explanations on the relations between firewalld and kernel ip_forward, and I would like to understand what I'm missing here.
EDIT : masquerade is enabled on the firewalld zone
EDIT2 : I did other tests, and it looks like this is not about ip_filter setting, but the masquerade. I was tricked by the fact that "firewall-cmd --reload" force ip_forward to 1.
Here is how to reproduce my case:
Fresh Centos7 OS. Configuration of two interfaces eth1 and eth2 with IP addresses X and Y:

    -----------------> @X CENTOS @Y -----------------> @Z -------
    dst_IP = A                    dst_IP = A
    src_IP = B                    dst_IP = B
edit /etc/firewalld/zones/TEST.xml, add the two interfaces, activate masquerade.
add a route as follows:

    Destination   Gateway   GenMask
    A             Z         255.255.255.255
Then activate ip forward and deactivate rp_filter:
sysctl net.ipv4.ip_forward=1
sysctl net.ipv4.conf.eth1.rp_filter=2
sysctl net.ipv4.conf.eth2.rp_filter=2
In this setup, packets are transferred to @Z, but there is no rule in firewalld configured to accept them, and I don't understand why.
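As an added example (not part of the question above), a small audit script that makes the masquerade effect visible from an iptables-save dump: it reports whether a zone's forward-out chain accepts everything and whether a MASQUERADE rule is present. The chain names FWDO_<zone>_allow and POST_<zone>_allow are assumed from firewalld's iptables backend naming on CentOS 7, and the rule dump below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the rules firewalld installs
# when a zone has masquerade enabled. Assumptions: firewalld's iptables backend
# names its per-zone chains FWDO_<zone>_allow (filter) and POST_<zone>_allow (nat).

# Constructed sample dump for zone TEST with masquerade on and nothing opened,
# plus a second zone (public) without masquerade.
SAMPLE_DUMP='*nat
:POST_TEST_allow - [0:0]
-A POSTROUTING -j POST_TEST_allow
-A POST_TEST_allow ! -o lo -j MASQUERADE
COMMIT
*filter
:FWDO_TEST_allow - [0:0]
:FWDO_public_allow - [0:0]
-A FORWARD_OUT_ZONES -o eth2 -g FWDO_TEST
-A FWDO_TEST_allow -j ACCEPT
COMMIT'

# zone_masquerades ZONE DUMP: true when the zone has a MASQUERADE rule in nat.
zone_masquerades() {
  printf '%s\n' "$2" | grep -q -- "^-A POST_${1}_allow .*-j MASQUERADE$"
}

# zone_forwards_all ZONE DUMP: true when the zone's forward-out chain accepts
# everything, which is what lets routed traffic through with no service opened.
zone_forwards_all() {
  printf '%s\n' "$2" | grep -q -- "^-A FWDO_${1}_allow -j ACCEPT$"
}

# forward_verdict ZONE DUMP: prints one of
#   masquerade  - unconditional forward ACCEPT together with a MASQUERADE rule
#   open        - unconditional forward ACCEPT with no MASQUERADE rule
#   filtered    - no unconditional forward ACCEPT for this zone
forward_verdict() {
  if zone_forwards_all "$1" "$2"; then
    if zone_masquerades "$1" "$2"; then echo masquerade; else echo open; fi
  else
    echo filtered
  fi
}

# On a live host, replace SAMPLE_DUMP with "$(iptables-save)" and compare with:
#   sysctl -n net.ipv4.ip_forward
#   firewall-cmd --zone=TEST --query-masquerade
for zone in TEST public; do
  echo "zone $zone: $(forward_verdict "$zone" "$SAMPLE_DUMP")"
done
```

A verdict of "masquerade" for a zone with no services or ports opened is the situation described in the question: the forwarding ACCEPT comes from the masquerade setting, not from an explicit rule.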