Fedora 30 Firewalld and two interfaces

I am running Fedora 30 - 5.2.13-200.fc30.x86_64 with an Intel I217-V ( rev 05 ) , the NIC comes up as eno1 and it is coming up as the following:

ā€“ IFCONFIG - display

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.150 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::730f:36ab:6606:659a prefixlen 64 scopeid 0x20
ether 44:8a:5b:26:d2:83 txqueuelen 1000 (Ethernet)
RX packets 16116 bytes 1479587 (1.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10606 bytes 2932640 (2.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xf7d00000-f7d20000

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 1949 bytes 1160319 (1.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1949 bytes 1160319 (1.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=81<UP,POINTOPOINT,RUNNING> mtu 1500
inet 192.168.1.152 netmask 255.255.255.255 destination 192.168.1.151
inet6 fe80::c2ee:3d48:38d:da2c prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6 bytes 576 (576.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:9f:5d:a6 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ā€“ netstat -rn

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eno1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1
192.168.1.151 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0

firewall-cmd --list-all

trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: eno1 tun0
sources:
services: cockpit dhcpv6-client ssh
ports: 9090/tcp 5909/tcp
protocols:
masquerade: yes
forward-ports: port=5909:proto=tcp:toport=5909:toaddr=
source-ports:
icmp-blocks:
rich rules:

I verified IP forwarding is active and proxy_arp is active, I turned on tcpdump for the interface -i eno1 port 5909 which is the listening port of the application and i see it coming into the box but never routing to tun0 , i turned on tcpdump -i tun0 , nothing. Is this a bug or am I missing something stupid.
Any help would be much appreciated.

Scott

1 Like

Your default route points to the wired connection:

Also note, that net-tools is obsolete, you should use iproute instead:

1 Like