Ipforwarding Between Interfaces And Firewall Rules

Hello,

I have a machine I am running CentOS/RHEL 8 on. There are two interfaces, and I want to forward all traffic between those interfaces (for the src and dst in the subnet a wireless device is on).

One interface is connected to a switch, WAN side. The other Ethernet port has an access point connected, wired.

I did turn on IP forwarding, and thought I needed only two firewall rules.

sysctl -w net.ipv4.ip_forward=1
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o eno1 -i enp0s20u4u1 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o enp0s20u4u1 -i eno1 -j ACCEPT

However, when I try to do a DNS lookup, it looks like it is being blocked/stopped by the firewall, because when I stop the firewall, it just seems to work. With the firewall up and running, however, I can ping an IP address.

For example, if I do “ping www.google.com” I get “ping www.google.com: Name or service not known”. If I use an IP address (from www.google.com), it just works.

What am I missing (probably a rule in the firewall)?

thanks,

Ron
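One mechanism worth having in mind when reading the two --direct rules above on RHEL 8: firewalld there defaults to the nftables backend (FirewallBackend in /etc/firewalld/firewalld.conf), and --direct rules are written through iptables-nft into their own table (ip filter), separate from firewalld's own inet firewalld table. In nftables, an accept in one table only ends evaluation of that table; every other base chain registered on the same hook still sees the packet, and a reject from any of them is final. The toy model below is an added example, not code from the post or from firewalld, and it does not talk to the kernel. It keeps the interface names from the post; the firewalld chain priority (10) and the collapsing of firewalld's zone bookkeeping into a single set of "interfaces whose zone firewalld forwards for" (for instance because masquerade is enabled on it) are simplifying assumptions, as is the 'iptables backend' branch that merges both rule sets into one chain.

```python
# Toy model of netfilter verdict resolution when several nftables base chains
# sit on the same hook.  Constructed for illustration; it does not touch the kernel.
from dataclasses import dataclass
from typing import Callable, FrozenSet, List

LAN = "enp0s20u4u1"   # interface with the wired access point (names from the post)
WAN = "eno1"          # interface towards the switch / WAN


@dataclass(frozen=True)
class Packet:
    iif: str                  # ingress interface
    oif: str                  # egress interface chosen by routing
    dport: int                # destination port
    ct_state: str = "new"     # conntrack state: "new" or "established"


@dataclass(frozen=True)
class Rule:
    match: Callable[[Packet], bool]
    verdict: str              # "accept", "drop" or "reject"


@dataclass(frozen=True)
class BaseChain:
    table: str                # "ip filter" (iptables-nft) or "inet firewalld"
    priority: int             # hook priority; lower value runs first
    rules: List[Rule]
    policy: str = "accept"    # used when no rule matched

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.match(pkt):
                return rule.verdict   # a terminal verdict ends *this* chain only
        return self.policy


def hook_verdict(chains: List[BaseChain], pkt: Packet) -> str:
    """Netfilter runs every base chain registered on a hook in priority order.
    'accept' only ends evaluation in that chain's table; later tables still see
    the packet.  'drop' or 'reject' from any table is final."""
    for chain in sorted(chains, key=lambda c: c.priority):
        verdict = chain.evaluate(pkt)
        if verdict in ("drop", "reject"):
            return verdict
    return "accept"


def direct_rules() -> List[Rule]:
    """The two posted --direct rules: -i LAN -o WAN -j ACCEPT and the reverse."""
    return [
        Rule(lambda p: p.iif == LAN and p.oif == WAN, "accept"),
        Rule(lambda p: p.iif == WAN and p.oif == LAN, "accept"),
    ]


def firewalld_rules(forwarding_ifaces: FrozenSet[str]) -> List[Rule]:
    """Simplified stand-in for firewalld's own FORWARD logic (assumption: zone
    bookkeeping collapsed to 'interfaces whose zone firewalld forwards for',
    e.g. masquerade enabled): tracked replies pass, permitted zones pass,
    everything else is rejected (nftables: reject with icmpx admin-prohibited)."""
    return [
        Rule(lambda p: p.ct_state == "established", "accept"),
        Rule(lambda p: p.iif in forwarding_ifaces, "accept"),
        Rule(lambda p: True, "reject"),
    ]


def forward_verdict(backend: str, forwarding_ifaces: FrozenSet[str], pkt: Packet) -> str:
    """nftables backend: direct rules land in iptables-nft's 'ip filter' FORWARD
    (priority 0), firewalld's rules in 'inet firewalld' filter_FORWARD (assumed
    priority 10, as in firewalld 0.8): two tables, two independent verdicts.
    iptables backend: both rule sets share one FORWARD chain, direct rules first."""
    if backend == "nftables":
        chains = [BaseChain("ip filter", 0, direct_rules()),
                  BaseChain("inet firewalld", 10, firewalld_rules(forwarding_ifaces))]
    elif backend == "iptables":
        chains = [BaseChain("ip filter", 0, direct_rules() + firewalld_rules(forwarding_ifaces))]
    else:
        raise ValueError(f"unknown backend {backend!r}")
    return hook_verdict(chains, pkt)


# Constructed sample traffic: a DNS query from the AP side and its reply.
DNS_QUERY = Packet(iif=LAN, oif=WAN, dport=53)
DNS_REPLY = Packet(iif=WAN, oif=LAN, dport=40000, ct_state="established")


def scenario(backend: str, *forwarding_ifaces: str) -> dict:
    """Verdicts for the query and its reply under one backend / zone setup."""
    ifaces = frozenset(forwarding_ifaces)
    return {"query": forward_verdict(backend, ifaces, DNS_QUERY),
            "reply": forward_verdict(backend, ifaces, DNS_REPLY)}


if __name__ == "__main__":
    print("nftables backend, direct rules only :", scenario("nftables"))
    print("iptables backend, direct rules only :", scenario("iptables"))
    print("nftables backend, LAN zone forwards :", scenario("nftables", LAN))
```

Running it shows the new DNS query accepted in ip filter and still rejected by inet firewalld under the nftables backend, while the same two direct rules suffice once either the backend is iptables (one chain, first terminal verdict wins) or firewalld's own zone configuration forwards for the AP-side interface. On a real box, `nft list ruleset` makes the two tables and their hook priorities visible, which is the quickest way to confirm the model applies.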

4 thoughts on - Ipforwarding Between Interfaces And Firewall Rules

  • Sometimes seeing the traffic flow reveals what’s really going on. To that end, run the command below on the firewall box:

    tcpdump -i any port 53 or port 5353

    Then, on the client, query http://www.google.com

  • From what I heard,

    nftables doesn’t support forward rules yet, not until RHEL/CentOS 8.5. At this time it can be “resolved” using iptables as the firewall backend, but not nftables (which is not ideal, but … ).

    Ron

  • If true, does it mean that it’s already in CentOS Stream 8? Just guessing …

    Leon