Ask Your Question

Firewalld Turn off IP6 Masquerading

asked 2018-07-26 12:35:09 -0500

saltydog gravatar image

updated 2018-07-26 13:02:32 -0500

I am using Fedora 28 (Server Edition) kernel Linux 4.17.7-200.fc28.x86_64 with firewalld 0.5.3. Per the docs, for ipv4, I moved the public interface to the public zone and enabled masquerading:

 firewall-cmd --change-zone=eth0 --zone=public --permanent
 firewall-cmd --zone=public --add-masquerade --permanent

I reloaded and it worked as planned for ipv4. Also per the firewall-cmd man page for the above command it says in part "Enable IPv4 masquerade for zone ... For IPv6 masquerading, please use the rich language"; However ip6tables -S -t nat shows in part:

 -A POST_public_allow ! -o lo -j MASQUERADE
 -A POST_public_allow ! -o lo -j MASQUERADE

So it enabled masquerading on ipv6 anyway. How do I turn this off permanently?

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2018-07-26 13:01:38 -0500

saltydog gravatar image

updated 2018-07-26 13:09:01 -0500

The answer I found is to do the reverse of what the firewall-cmd man page suggests:

firewall-cmd --zone=public --remove-masquerade --permanent
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address= invert="True" masquerade' --permanent

Note that firewall-cmd --zone=public --query-masquerade will return "no" even though it is on and does work. My purpose is to use ipv6 global addresses internally so NAT won't be needed.

edit flag offensive delete link more

answered 2018-11-15 13:22:19 -0500

dimitrisk gravatar image

Thank you so much! Had the exact same problem, just fixed it using your solution.

I've been running a Fedora server as (among other things) a VPN server, since F26. Followed firewalld instructions back when I set it up and it worked as intended - --add-masquerade added it for IPv4 only, and IPv6 used the globally-routable addresses assigned to the VPN clients.

This changed after the dnf system-upgrade to F28/firewalld 0.5.5, masquerading was now applied to both address families. I "like" the new consistent behavior, but it seems we now have a doc bug.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-07-26 12:35:09 -0500

Seen: 343 times

Last updated: Nov 15 '18