I have a CentOS 7 machine that I am trying to enable FirewallD on to make it a little more secure than it is now. It is currently used as a router between 11 different subnets that are configured on a single interface, with a second interface that allows external traffic to VPN in. I have followed several guides on the internet for setting up FirewallD, and nothing seems to get through except pings. Below is my current config.
    firewall-cmd --zone=internal --list-all
    internal
      interfaces: eth0
      sources: 192.168.0.0/16
      services: adws dhcpv6-client dns http https ipp-client kerberos ldap ldaps mdns ms-gc ms-gc-ssl ms-wbt msrpc mssql ntp samba samba-client smtp ssh
      ports: 49152-65535/tcp 49152-65535/udp
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:

    firewall-cmd --zone=public --list-all
    public (active)
      interfaces: eth1
      sources:
      services: dhcpv6-client ssh
      ports: 81/tcp
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:

    firewall-cmd --direct --get-all-rules
    ipv4 filter INPUT 0 -i eth1 -p tcp --dport 1723 -j ACCEPT
    ipv4 filter INPUT 0 -p gre -j ACCEPT
    ipv4 filter POSTROUTING 0 -t nat -o eth1 -j MASQUERADE
    ipv4 filter FORWARD 0 -i ppp+ -o eth1 -j ACCEPT
    ipv4 filter FORWARD 0 -i eth1 -o ppp+ -j ACCEPT
    ip addr show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:50:56:33:c8:b0 brd ff:ff:ff:ff:ff:ff
        inet 192.168.20.1/24 brd 192.168.20.255 scope global ens160:1
           valid_lft forever preferred_lft forever
        inet 192.168.33.1/24 brd 192.168.33.255 scope global ens160:2
           valid_lft forever preferred_lft forever
        inet 192.168.10.1/24 brd 192.168.10.255 scope global ens160:3
           valid_lft forever preferred_lft forever
        inet 192.168.25.1/24 brd 192.168.25.255 scope global ens160:4
           valid_lft forever preferred_lft forever
        inet 192.168.55.1/24 brd 192.168.55.255 scope global ens160:5
           valid_lft forever preferred_lft forever
        inet 192.168.18.1/24 brd 192.168.18.255 scope global ens160:6
           valid_lft forever preferred_lft forever
        inet 192.168.88.1/24 brd 192.168.88.255 scope global ens160:7
           valid_lft forever preferred_lft forever
        inet 192.168.137.1/24 brd 192.168.137.255 scope global ens160:8
           valid_lft forever preferred_lft forever
        inet 192.168.181.1/24 brd 192.168.181.255 scope global ens160:9
           valid_lft forever preferred_lft forever
        inet 192.168.182.1/24 brd 192.168.182.255 scope global ens160:10
           valid_lft forever preferred_lft forever
        inet 192.168.26.1/24 brd 192.168.26.255 scope global ens160:11
           valid_lft forever preferred_lft forever
    3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:50:56:8b:62:3d brd ff:ff:ff:ff:ff:ff
        inet 172.16.0.10/24 brd 172.16.0.255 scope global dynamic ens192
           valid_lft 4718sec preferred_lft 4718sec
The VPN rules work fine and I can hit the management page at 172.16.0.10:81, but nothing on eth0 gets any packets through other than ICMP. Let me know if you would like more details.
Edit: I've also tried moving eth0 to the trusted zone, which allowed traffic then, so I know it's not an interface configuration error.
Edit 2: Through further testing, I've discovered that the CentOS machine accepts direct connections for the allowed services (e.g. ssh, dns), but will not route traffic to destinations on other subnets like it would if the firewall were off.
After uninstalling FirewallD, downloading and installing the iptables-services package to attempt this with just iptables, and successfully configuring the FORWARD chain to route traffic correctly, I reevaluated the FirewallD configuration for --direct and noticed the one line I was missing.
    firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o eth0 -j ACCEPT

    firewall-cmd --direct --get-all-rules
    ipv4 filter INPUT 0 -i eth1 -p tcp --dport 1723 -j ACCEPT
    ipv4 filter INPUT 0 -p gre -j ACCEPT
    ipv4 filter POSTROUTING 0 -t nat -o eth1 -j MASQUERADE
    ipv4 filter FORWARD 0 -i ppp+ -o eth1 -j ACCEPT
    ipv4 filter FORWARD 0 -i eth1 -o ppp+ -j ACCEPT
    ipv4 filter FORWARD 0 -i eth0 -o eth0 -j ACCEPT
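The diagnosis above (the box accepts connections to itself but does not forward between subnets) comes down to whether any direct rule in the FORWARD chain accepts a given in/out interface pair. The following is an added example, not code from the original post: it parses `firewall-cmd --direct --get-all-rules` text (the before/after listings from this thread, reproduced as a constructed sample, with the eth0/eth1 names used in those rules) and answers that question for any pair, including `ppp+` wildcard matches, and flags rules that name the table a second time with `-t`.

```python
"""Added example, not from the original post: parse `firewall-cmd --direct
--get-all-rules` output and check whether routed traffic between two
interfaces is accepted by a FORWARD rule. Sample text is constructed."""

BEFORE = """\
ipv4 filter INPUT 0 -i eth1 -p tcp --dport 1723 -j ACCEPT
ipv4 filter INPUT 0 -p gre -j ACCEPT
ipv4 filter POSTROUTING 0 -t nat -o eth1 -j MASQUERADE
ipv4 filter FORWARD 0 -i ppp+ -o eth1 -j ACCEPT
ipv4 filter FORWARD 0 -i eth1 -o ppp+ -j ACCEPT
"""
AFTER = BEFORE + "ipv4 filter FORWARD 0 -i eth0 -o eth0 -j ACCEPT\n"

def parse_direct_rules(text):
    """One dict per line: family, table, chain, priority and the iptables args."""
    rules = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 4:  # skip blank or truncated lines
            rules.append({"family": parts[0], "table": parts[1], "chain": parts[2],
                          "priority": int(parts[3]), "args": parts[4:]})
    return rules

def _opt(args, flag):
    """Value following an iptables flag, or None when the flag is absent."""
    if flag in args and args.index(flag) + 1 < len(args):
        return args[args.index(flag) + 1]
    return None

def iface_matches(pattern, name):
    """iptables -i/-o semantics: no pattern matches anything, 'ppp+' is a prefix."""
    if pattern is None:
        return True
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name

def forward_accepted(rules, in_if, out_if):
    """True if an ipv4 filter FORWARD rule ACCEPTs in_if -> out_if (INPUT never sees routed traffic)."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["family"], r["table"], r["chain"]) != ("ipv4", "filter", "FORWARD"):
            continue
        a = r["args"]
        if (_opt(a, "-j") == "ACCEPT" and iface_matches(_opt(a, "-i"), in_if)
                and iface_matches(_opt(a, "-o"), out_if)):
            return True
    return False

def table_given_twice(rules):
    """Rules that also pass '-t' in their args: the direct syntax already names
    the table in the second field, so such lines deserve a second look."""
    return [r for r in rules if "-t" in r["args"]]
```

Running `forward_accepted(parse_direct_rules(BEFORE), "eth0", "eth0")` reproduces the failure (no rule matches), while the same call on `AFTER` succeeds; the hairpin `-i eth0 -o eth0` rule is what lets packets cross between the subnets that all live on the one internal interface.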