Join Log in
Score:0
Daniel avatar Server

rhel 9, firewalld(nftables backend), libvirt and custom bridges, masquerading not working

cn flag
Daniel

I have a remote server with one network interface, which has a public IP address (enp5s0). I've created an isolated network as follows:

<network>
  <name>LAN-bridge</name>
  <uuid>64XXXXXXXXXXXXXXXXXXXXXXXX</uuid>
  <bridge name="lanbrdige" stp="on" delay="0"/>
  <mac address="52:54:00:XX:XX:XX"/>
  <domain name="LAN-bridge"/>
  <ip address="192.168.200.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.200.128" end="192.168.200.254"/>
    </dhcp>
  </ip>
</network>

I've also created a routed network as follows:

<network>
  <name>WAN-bridge-zoned</name>
  <uuid>521XXXXXXXXXXXXXXXXXXXXXXXXXX</uuid>
  <forward dev="enp5s0" mode="route">
    <interface dev="enp5s0"/>
  </forward>
  <bridge name="wanbridge-zoned" stp="on" delay="0" zone="libvirt-public"/>
  <mac address="52:54:00:c0:ac:22"/>
  <domain name="WAN-bridge-zoned"/>
  <ip address="192.168.10.1" netmask="255.255.255.0">
  </ip>
</network>

and the custom zone libvirt-public has been created as follows:

<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>libvirt-public</short>
  <description>  custom libvirt-public zone   </description>
  <service name="dhcp"/>
  <service name="dns"/>
  <service name="ssh"/>
  <service name="tftp"/>
  <protocol value="icmp"/>
  <protocol value="tcp"/>
  <protocol value="udp"/>
  <rule priority="32767">
    <reject/>
  </rule>
  <forward/>

resulting in:

firewall-cmd --zone=libvirt-public --list-all
libvirt-public (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: wanbridge-zoned
  sources: 
  services: dhcp dns ssh tftp
  ports: 
  protocols: icmp tcp udp
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule priority="32767" reject

a custom policy has been created to enable zone-to-zone traffic with:

firewall-cmd --new-policy wanbrg_to_public --permanent
firewall-cmd --permanent --policy wanbrg_to_public --add-ingress-zone libvirt-public
firewall-cmd --permanent --policy wanbrg_to_public --add-egress-zone public
firewall-cmd --permanent --policy wanbrg_to_public --set-target ACCEPT

resulting in:

wanbrg_to_public (active)
  priority: -1
  target: ACCEPT
  ingress-zones: libvirt-public
  egress-zones: public
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

and finally masquerading has been enabled on the public zone with

firewall-cmd --zone=public --add-masquerade --permanent

firewall-cmd has been reloaded and afaik this should allow me to have vms with a network interface on the WAN-bridge-zoned network using that interface IP as default gateway being masqueraded and able to reach the internet being masqueraded by the public interface, eventually I will need to also add port-forward to specific addresses on the public-libvirt interface/zone and I'd like to do that with firewalld

the firewalld backend is nftables.

this doesn't seem to be working tho, a pfsense firewall with an interface and a static IP on the WAN-bridge-zoned network cannot ping outside

332
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.