FirewallD/IPtables forwarding Between Interfaces

We recently acquired a redundant wireless modem at the office, I quickly realized that it would cause issues with several programs already established since it took over DHCP and changed our subnet. So I set up Named & DHCPD to maintain the subnet as it was and everything has been running smoothly so far. What I’m having problems doing is setting up our intranet (eno1) to be forwarded to the redundancy modem (eno2). I had successfully set it up shortly after the modem was set up, but realized the changes were runtime & lost when I updated & rebooted the server.

Granted that wasn’t entirely bad, because when forwarding we lost access to the VPN even though the redundant modem is connected to the primary & as long as internet is available, all traffic goes through our ISP modem. The ISP has the redundant modem locked down so I am unable to perform any port forwarding to bypass this.

What I’m trying to do is determine the exact commands needed to re-establish the forwarding between eno1 & eno2. So that I can’t write a script that will automatically forward traffic when our landline isp connection drops. I was using IPTables when I first got it set up, but have been unsuccessful at replicating it since the restart. I have attempted to use FirewallD direct rules to set up postrouting w/ masquerade & forwarding with no luck. And I have also resorted to going back to IPTables but have also had no luck.

After numerous google searches I have become desperate & now ask for help.

Before it’s said, yes ipforwarding is on in sysctl. I currently have both interfaces in the same zone. My latest attempt consisted of the following commands:

firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eno2 -j MASQUERADE

firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eno1 -o emo2 -j ACCEPT

firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eno2 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT

Both runtime and permeant were used with no success. Any advice or guidance would be greatly appreciated.

1 Like

Check your firewalld version, backend and runtime configuration:

rpm -q firewalld
sudo grep -e ^FirewallBackend= /etc/firewalld/firewalld.conf
sudo iptables-save
sudo nft list ruleset

I’ve never had to use direct rules with firewall-cmd to get forwarding/NAT to work for my interfaces. I’ve honestly kept them in different zones and works well as long as the zone as masquerading on. For example, the LAN interface stays on the internal zone while the interface that does the NAT (aka connected to the internet) goes into the external zone. It also allows me to easily set what interfaces get what firewall rule, and then use rich rules for forwarding when necessary. See the below examples from my lab:

# enp0s3 is my "internet", the external zone as masquerading turned on
[root@router ~]# nmcli con mod enp0s3 connection.zone external
# enp0s8 is my LAN interface, the internal zone works for me.
[root@router ~]# nmcli con mod enp0s8 connection.zone internal
[root@router ~]# nmcli con up enp0s3
[root@router ~]# nmcli con up enp0s8
# Check my zones...
[root@router ~]# firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@router ~]# firewall-cmd --list-all --zone=internal
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services: ssh dns
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@router ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:c6:58:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.100.0.182/24 brd 10.100.0.255 scope global dynamic noprefixroute enp0s3
       valid_lft 21194sec preferred_lft 21194sec
    inet6 fe80::d257:7933:babf:72c1/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:89:7c:49 brd ff:ff:ff:ff:ff:ff
    inet 192.168.51.254/23 brd 192.168.51.255 scope global noprefixroute enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::21f3:3116:2d4f:b28b/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[root@router ~]# ip r
default via 10.100.0.1 dev enp0s3 proto dhcp metric 100
10.100.0.0/24 dev enp0s3 proto kernel scope link src 10.100.0.182 metric 100
192.168.50.0/23 dev enp0s8 proto kernel scope link src 192.168.51.254 metric 101

# Verify on a client that they can access the internet
[root@localhost ~]# ip a s enp0s3
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:34:91:73 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.10/23 brd 192.168.51.255 scope global dynamic noprefixroute enp0s3
       valid_lft 21583sec preferred_lft 21583sec
    inet6 fe80::5b56:aab9:a598:d93/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[root@localhost ~]# ip r
default via 192.168.51.254 dev enp0s3 proto dhcp metric 100
192.168.50.0/23 dev enp0s3 proto kernel scope link src 192.168.50.10 metric 100
[root@localhost ~]# ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=28.9 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=21.9 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=24.6 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 77ms
rtt min/avg/max/mdev = 21.863/25.097/28.859/2.883 ms

See if this works for you.

Kk, I’ll split the zones up and give that a shot.

Version: firewalld firewalld-0.7.5-2.fc31.noarch

I do know the FirewallD.conf has no rules atm. During my attempts today after the rest of the office left, was making attempts and then clearing them to try and track the process so I could duplicate it later.

Will check IPTables & nft tomorrow. Just jumped into Cockpit through the VPN on my phone to grab the version.

I would also like to add I’m running Fedora Server, unsure if that impacts things at all though.

1 Like

Sorry for the delay getting back to this. I split the interfaces between two zones and enabled masquerade on the zone w/ the external connection. But this did not forward the connection from eno1 (internal) to eno2 (external).

I disabled masquerade on the zone w/ eno1 assigned to it w/ masquerade enabled on the zone w/ eno2 and also no success. I then attempted again direct rules between the two and it also was unsuccessful.

Sorry for the slow response for you as well. I checked everything and nothing stands out to be causing an issue. Could there be any settings that I should check in NetworkManager perhaps?

Since the server does also host the DHCP and Bind, could there be something there that I missed?

Well, our internet on the main ISP modem went down & went through everything again in a rush this time… I found the issue. I failed to adjust the default gateway on the interface, once that was correct the traffic immediately started forwarding over to the other interface. Thank you @vgaetera & @nazunalika for the helpful advise and ways to look deeper into the firewalld system!

1 Like