Re: Baffled by firewall rules with a Qemu VM, CentOS 7

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



> I've understood iptables well enough for a long, long time, and although I
> think firewall-cmd is a poor replacement for iptables, I've always been
> able to
> "get it to work" by comparing output with iptables -L or iptables -S and
> using
> a direct-rule or two.
>
> And this time, I'm just baffled.
>
> I have a qemu VM running on a host. Postgresql runs on the host, and I'm
> trying to connect to the Postgresql server on the host from the VM.
>
> VM: loco
> Host: tesla
>
> 1) If I turn OFF the firewall on tesla, I have no trouble connecting from
> loco.
> tesla: systemctl stop firewalld
> loco: psql -U postgres -h 192.168.122.1 # yay! connection!
>
> 2) If I turn ON the firewall on tesla, I can't connect NO MATTER WHAT I DO
> tesla: systemctl start firewalld;
> loco: psql -U postgres -h 192.168.122.1 # Connection refused
>
>
> I have tried:
> tesla# firewall-cmd --zone=public --add-port=5432/tcp
> tesla# firewall-cmd  --add-service=postgresql
> tesla# firewall-cmd --set-default-zone=trusted;
> tesla# firewall-cmd --direct --add-rule ipv4 filter LIBVIRT_FWI 0  -j
> ACCEPT
> tesla# firewall-cmd --direct --add-rule ipv4 filter LIBVIRT_FWO 0  -j
> ACCEPT
> tesla# firewall-cmd --direct --add-rule ipv4 filter LIBVIRT_FWX 0  -j
> ACCEPT
>
> ... and many more things. Literally stumped for a few hours. The output of
> iptables indicates that I've wildcarded everything:
>
> tesla# iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N LIBVIRT_FWI
> -N LIBVIRT_FWO
> -N LIBVIRT_FWX
> -N LIBVIRT_INP
> -N LIBVIRT_OUT
> -A INPUT -j LIBVIRT_INP
> -A FORWARD -j LIBVIRT_FWX
> -A FORWARD -j LIBVIRT_FWI
> -A FORWARD -j LIBVIRT_FWO
> -A OUTPUT -j LIBVIRT_OUT
> -A LIBVIRT_FWI -d 192.168.122.0/24 -j ACCEPT
> -A LIBVIRT_FWI -i virbr0 -j ACCEPT
> -A LIBVIRT_FWI -j ACCEPT
> -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate
> RELATED,ESTABLISHED -j ACCEPT
> -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A LIBVIRT_FWO -i virbr0 -j ACCEPT
> -A LIBVIRT_FWO -j ACCEPT
> -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
> -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A LIBVIRT_FWX -j ACCEPT
> -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
> -A LIBVIRT_INP -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
> -A LIBVIRT_OUT -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
>
> There are no REJECT rules not preceded by a wildcard ACCEPT, but I can't
> connect with this config. But simply stopping host (tesla) firewalld
> allows me
> to connect just fine.
>
> Any ideas? _______________________________________________

I can only guess because I've never used firewalld but, can it be that
firewalld also changes something else and not only the iptables config?

Did you try to apply the iptable rules by hand for a test?

Simon

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux