* nftables equivalent for iptable rules.
From: R C @ 2021-04-28 21:12 UTC (permalink / raw)
  To: netfilter

Hello,


I have a machine I am running RHEL 8 on. There are two interfaces and I
want to forward all traffic between those interfaces (for the src and
dst in the subnet a wireless device is on).

One interface is connected to a switch, WAN side. The other ethernet 
port has an access point, connected wired.

I did turn on IP forwarding, and thought I needed only two firewall rules.


sysctl -w net.ipv4.ip_forward=1
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o eno1 -i enp0s20u4u1 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o enp0s20u4u1 -i eno1 -j ACCEPT


However, when I try to do a DNS lookup, it looks like it is being
blocked/stopped by the firewall, because when I stop the firewall, it
just seems to work. With the firewall up and running, however, I can ping
an IP address.


For example, if I do "ping www.google.com" I get "ping
www.google.com: Name or service not known". If I use an IP address
(from www.google.com), it just works.

From what I understand, iptables lets traffic through that way,
but nftables does not. One solution suggested was to change the
firewalld backend to iptables, which works, but since at some point I'd
need to have it work with the nftables back end, I might as well look
into that now.


So, how do I set up the firewall effectively with the same result as
with iptables?


thanks,


Ron



* Re: nftables equivalent for iptable rules.
From: Eric Garver @ 2021-04-28 23:09 UTC (permalink / raw)
  To: R C; +Cc: netfilter

On Wed, Apr 28, 2021 at 03:12:14PM -0600, R C wrote:
> Hello,
> 
> 
> I have a machine I am running RHEL 8 on. There are two interfaces and I want
> to forward all traffic between those interfaces (for the src and dst in the
> subnet a wireless device is on).
> 
> One interface is connected to a switch, WAN side. The other ethernet port
> has an access point, connected wired.
> 
> I did turn on IP forwarding, and thought I needed only two firewall rules.
> 
> 
> sysctl -w net.ipv4.ip_forward=1
> firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o eno1 -i
> enp0s20u4u1 -j ACCEPT
> firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o enp0s20u4u1 -i
> eno1 -j ACCEPT
> 
> 
> However, when I try to do a DNS lookup, it looks like it is being
> blocked/stopped by the firewall, because when I stop the firewall, it just
> seems to work. With the firewall up and running, however, I can ping an IP
> address.

Makes sense. firewalld is using the nftables backend and you're adding
direct iptables rules. The packet must pass through both iptables and
nftables. The forwarding between interfaces is not enabled in nftables
(firewalld).

> For example, if I do "ping www.google.com" I get "ping www.google.com:
> Name or service not known". If I use an IP address (from www.google.com),
> it just works.
> 
> From what I understand, iptables lets traffic through that way, but
> nftables does not. One solution suggested was to change the firewalld
> backend to iptables, which works, but since at some point I'd need to have
> it work with the nftables back end, I might as well look into that now.

IMO, you have two choices:

  1. upgrade to a newer firewalld (v0.9.0 or later) that has native
     forward filtering
     - https://firewalld.org/2020/04/intra-zone-forwarding
     - https://firewalld.org/2020/09/policy-objects-introduction
     - these features should appear in RHEL-8.5

  2. Use the firewalld iptables backend
     - set FirewallBackend=iptables in /etc/firewalld/firewalld.conf

Any other solution will be out-of-band of firewalld and will likely
break in the future.

> So, how do I set up the firewall effectively with the same result as with
> iptables?

There is a tool called iptables-translate [1] that can do a rough
translation. However, firewalld does not support adding direct nftables
rules. So you would have to inject the rules out-of-band of firewalld -
which is not recommended.

Hope that helps.
Eric.

[1]:
https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
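As an added illustration of the two options above (my own example, not code from this thread or from the firewalld project), the script below reads the firewalld version and the FirewallBackend setting and prints the firewall-cmd commands that match each case: a policy object with target ACCEPT on firewalld 0.9.0 or later (the --new-policy, --policy, --add-ingress-zone, --add-egress-zone and --set-target options introduced with policy objects), or the backend switch plus the direct rules from Ron's mail on older versions. The zone names internal/public, the policy name lan-to-wan, and the use of Ron's interface names are assumptions; the inputs are passed as arguments so the logic can be exercised on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not code from the thread or from the firewalld project.
# It turns the two options above into concrete firewall-cmd commands:
#   1. firewalld >= 0.9.0: native forward filtering via a policy object
#   2. older firewalld: switch FirewallBackend to iptables, then direct rules
# Zone names (internal/public), the policy name (lan-to-wan) and the
# interface names are assumptions; adjust them to the host.

# Read FirewallBackend from a firewalld.conf-style file.
# firewalld defaults to nftables when the key is absent or commented out.
firewalld_backend() {
    conf=$1
    val=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    case "$val" in
        iptables|nftables) printf '%s\n' "$val" ;;
        *)                 printf 'nftables\n' ;;
    esac
}

# Succeed when firewalld version $1 (as printed by `firewall-cmd --version`,
# e.g. 0.8.2) is 0.9.0 or later, the first release with policy objects.
has_native_forwarding() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 0 ] 2>/dev/null || { [ "$major" -eq 0 ] && [ "$minor" -ge 9 ]; } 2>/dev/null; then
        return 0
    fi
    return 1
}

# Print the commands for forwarding between the access-point interface ($3)
# and the WAN interface ($4), given firewalld version $1 and backend $2.
forwarding_plan() {
    ver=$1; backend=$2; lan_if=$3; wan_if=$4
    if has_native_forwarding "$ver"; then
        # Option 1: one policy, ingress zone -> egress zone, target ACCEPT.
        # Reply packets are accepted by firewalld's established/related rule,
        # so no reverse policy is needed for DNS or other client traffic.
        # "public" is used for the WAN side because the "external" zone
        # masquerades by default, which the thread never asked for.
        cat <<EOF
firewall-cmd --permanent --zone=internal --add-interface=$lan_if
firewall-cmd --permanent --zone=public --add-interface=$wan_if
firewall-cmd --permanent --new-policy lan-to-wan
firewall-cmd --permanent --policy lan-to-wan --add-ingress-zone internal
firewall-cmd --permanent --policy lan-to-wan --add-egress-zone public
firewall-cmd --permanent --policy lan-to-wan --set-target ACCEPT
firewall-cmd --reload
EOF
    else
        # Option 2: direct rules only help once firewalld itself uses iptables;
        # under the nftables backend firewalld's own nftables ruleset still
        # filters the forwarded traffic (Eric's point above).
        if [ "$backend" != iptables ]; then
            # Assumes an uncommented FirewallBackend= line in the config.
            cat <<EOF
sed -i 's/^FirewallBackend=.*/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf
systemctl restart firewalld
EOF
        fi
        cat <<EOF
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i $lan_if -o $wan_if -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i $wan_if -o $lan_if -j ACCEPT
EOF
    fi
}

# Stand-alone run: real values when firewalld is installed, constructed ones otherwise.
if command -v firewall-cmd >/dev/null 2>&1 && [ -r /etc/firewalld/firewalld.conf ]; then
    ver=$(firewall-cmd --version)
    backend=$(firewalld_backend /etc/firewalld/firewalld.conf)
else
    ver=0.8.2        # constructed: a pre-0.9 firewalld
    backend=nftables # constructed: firewalld's default backend
fi
forwarding_plan "$ver" "$backend" enp0s20u4u1 eno1
```

The script only prints the commands; run them by hand after checking the zone assignments, since moving an interface into a zone changes which services are reachable on it. If both interfaces are meant to sit in the same zone, the intra-zone forwarding option from the first link (--add-forward on the zone, also 0.9.0 or later) replaces the policy object.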



* Re: nftables equivalent for iptable rules.
From: R C @ 2021-04-28 23:20 UTC (permalink / raw)
  To: Eric Garver, netfilter


On 4/28/21 5:09 PM, Eric Garver wrote:
> On Wed, Apr 28, 2021 at 03:12:14PM -0600, R C wrote:
>> Hello,
>>
>>
>> I have a machine I am running RHEL 8 on. There are two interfaces and I want
>> to forward all traffic between those interfaces (for the src and dst in the
>> subnet a wireless device is on).
>>
>> One interface is connected to a switch, WAN side. The other ethernet port
>> has an access point, connected wired.
>>
>> I did turn on IP forwarding, and thought I needed only two firewall rules.
>>
>>
>> sysctl -w net.ipv4.ip_forward=1
>> firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o eno1 -i
>> enp0s20u4u1 -j ACCEPT
>> firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o enp0s20u4u1 -i
>> eno1 -j ACCEPT
>>
>>
>> However, when I try to do a DNS lookup, it looks like it is being
>> blocked/stopped by the firewall, because when I stop the firewall, it just
>> seems to work. With the firewall up and running, however, I can ping an IP
>> address.
> Makes sense. firewalld is using the nftables backend and you're adding
> direct iptables rules. The packet must pass through both iptables and
> nftables. The forwarding between interfaces is not enabled in nftables
> (firewalld).

Ah wait, I also saw a message from you on the firewalld list where I asked
the same question.

>> For example, if I do "ping www.google.com" I get "ping www.google.com:
>> Name or service not known". If I use an IP address (from www.google.com),
>> it just works.
>>
>> From what I understand, iptables lets traffic through that way, but
>> nftables does not. One solution suggested was to change the firewalld
>> backend to iptables, which works, but since at some point I'd need to have
>> it work with the nftables back end, I might as well look into that now.
> IMO, you have two choices:
>
>    1. upgrade to a newer firewalld (v0.9.0 or later) that has native
>       forward filtering
>       - https://firewalld.org/2020/04/intra-zone-forwarding
>       - https://firewalld.org/2020/09/policy-objects-introduction
>       - these features should appear in RHEL-8.5
>
>    2. Use the firewalld iptables backend
>       - set FirewallBackend=iptables in /etc/firewalld/firewalld.conf
>
> Any other solution will be out-of-band of firewalld and will likely
> break in the future.

OK, so it is better for me to wait until RHEL 8.5 is out (8.4 beta is
out now, I believe) and use the iptables backend until then.


>
>> So, how do I set up the firewall effectively with the same result as with
>> iptables?
> There is a tool called iptables-translate [1] that can do a rough
> translation. However, firewalld does not support adding direct nftables
> rules. So you would have to inject the rules out-of-band of firewalld -
> which is not recommended.

I tried to play with that on a test machine; I noticed that it didn't work
well.


>
> Hope that helps.
> Eric.

It does, thanks.


Ron


>
> [1]:
> https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
>

