Hi,

I'm currently replacing Rocky Linux 8 on a routerboard in my office with Debian 13, and I have some trouble getting packet forwarding working with FirewallD.

Side note 1: to keep things simple, I'm working directly as root in the examples below.

Side note 2: Yes, I want to use FirewallD. No, I don't want to use $OTHER_FIREWALL.


Configuration
-------------

The routerboard has two NICs, enp1s0 (192.168.2.251) and enp2s0 (192.168.3.1).

I have set up a sandbox PC with a static 192.168.3.10 address, using 192.168.3.1 as gateway, just to test packet forwarding.


Old setup under Rocky Linux 8
-----------------------------

Here's what the default setup looked like under Rocky Linux 8:

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0 enp2s0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I associated the enp1s0 interface with the external zone:

# firewall-cmd --permanent --zone=external --change-interface=enp1s0
The interface is under control of NetworkManager, setting zone to 'external'.
success
# firewall-cmd --reload
success
# firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: ssh
  ports:
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

And then I associated the enp2s0 interface with the internal zone and declared it as default:

# firewall-cmd --permanent --zone=internal --change-interface=enp2s0
The interface is under control of NetworkManager, setting zone to 'internal'.
success
# firewall-cmd --set-default-zone=internal
success
# firewall-cmd --reload
success
# firewall-cmd --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

And that was all I had to do. Starting from there I could open a session on my 192.168.3.10 sandbox host and successfully ping 192.168.3.1 as well as 192.168.2.1. IP forwarding worked out of the box.


New setup under Debian 13
-------------------------

I wanted to use this same setup under Debian 13. So first I installed FirewallD:

# apt update && apt install -y firewalld

The service gets started automatically, no need to take care of that.

In Debian's default configuration, the external zone is not associated with anything:

# firewall-cmd --list-all --zone=external
external
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

So I'll associate the enp1s0 interface with that zone:

# firewall-cmd --permanent --zone=external --change-interface=enp1s0
success
# firewall-cmd --reload
success
# firewall-cmd --list-all --zone=external
external (active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Conversely, I'll associate the enp2s0 interface with the internal zone and set it as default like I did on my old setup:

# firewall-cmd --permanent --zone=internal --change-interface=enp2s0
success
# firewall-cmd --set-default-zone=internal
success
# firewall-cmd --reload
success
# firewall-cmd --list-all
internal (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I open a session on my sandbox client with a static 192.168.3.10 IP address and 192.168.3.1 defined as the gateway. I can ping my routerboard OK:

$ ping -c 1 -q 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.

--- 192.168.3.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.387/0.387/0.387/0.000 ms

Unfortunately I can't ping anything on the outside:

$ ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
From 192.168.3.1 icmp_seq=1 Packet filtered
From 192.168.3.1 icmp_seq=2 Packet filtered
From 192.168.3.1 icmp_seq=3 Packet filtered
From 192.168.3.1 icmp_seq=4 Packet filtered
^C
--- 192.168.2.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3069ms

Any suggestions?

Cheers from the sunny South of France,

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Website: https://www.microlinux.fr
Blog: https://www.microlinux.fr/blog
Mail: [email protected]
Tel.: 04 66 63 10 32
Mobile: 06 51 80 12 12

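In firewalld 1.0 and later, the generation Debian 13 ships, a zone's "forward: yes" only permits forwarding between interfaces of the same zone; traffic crossing from one zone into another must be accepted by a policy object, and none of the listings above shows one. The diagnostic script below is an added example, not part of the original post or of firewalld itself: has_forward_policy parses the text of `firewall-cmd --list-all-policies` (constructed samples are embedded so it runs offline), and check_router assumes firewall-cmd and sysctl are on the PATH of the router.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Assumes firewalld >= 1.0
# (what Debian 13 ships): a zone's "forward: yes" only covers traffic between
# interfaces of the same zone, so internal -> external needs a policy object.

# has_forward_policy INGRESS EGRESS  < output of `firewall-cmd --list-all-policies`
# Returns 0 when some policy with target ACCEPT covers INGRESS -> EGRESS, else 1.
has_forward_policy() {
    awk -v ing="$1" -v eg="$2" '
        function finish_block() {
            if (name != "" && target == "ACCEPT" &&
                (ingress == "ANY" || (" " ingress " ") ~ (" " ing " ")) &&
                (egress == "ANY" || (" " egress " ") ~ (" " eg " ")))
                found = 1
            name = ""; target = ""; ingress = ""; egress = ""
        }
        /^[^ ]/             { finish_block(); name = $1 }   # start of a policy block
        /^  target:/        { target = $2 }
        /^  ingress-zones:/ { sub(/^  ingress-zones: */, ""); ingress = $0 }
        /^  egress-zones:/  { sub(/^  egress-zones: */, "");  egress = $0 }
        END { finish_block(); exit (found ? 0 : 1) }'
}

# Constructed sample: Debian default, only the built-in allow-host-ipv6 policy.
SAMPLE_DEFAULT='allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services:
'

# Constructed sample: the same host after adding an internal -> external policy
# (the policy name int2ext is an arbitrary choice).
SAMPLE_WITH_POLICY="${SAMPLE_DEFAULT}int2ext (active)
  priority: -1
  target: ACCEPT
  ingress-zones: internal
  egress-zones: external
  services:
"

# Run on the router itself (needs firewall-cmd and sysctl on PATH).
check_router() {
    [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = 1 ] || echo "net.ipv4.ip_forward is 0"
    if firewall-cmd --list-all-policies 2>/dev/null | has_forward_policy internal external; then
        echo "an ACCEPT policy covers internal -> external"
    else
        echo "no ACCEPT policy for internal -> external: zone 'forward: yes' is intra-zone only"
    fi
}
```

If the check reports no policy, firewall-cmd's documented policy options create one: `--permanent --new-policy int2ext`, then `--permanent --policy int2ext` with `--add-ingress-zone internal`, `--add-egress-zone external` and `--set-target ACCEPT`, followed by `--reload`.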