On Monday 08 October 2018 02:32 AM, Daddy wrote:
[...]
> I was eventually able to get the DHCP working (by manually allowing the
> service in firewalld), but not the connection to the internet.
>
> *My network setup:*
> <WAN> -- <Modem> -- <Freedombox> -- <LAN>
>
> <LAN> is connected to Fbx through two separate interfaces - wired and
> wireless, both set as internal zone in firewall.
> LAN connections are both using "Shared" ipv4 setting; no settings were
> adjusted.
>
> *Freedombox System:*
> Debian GNU/Linux buster/sid and FreedomBox version 0.39.0.
>
> I'm not filing a bug report, as this may have been caused by something
> I've chosen during the manual system upgrade - I'm just not able to
> pinpoint it yet.
>
Hello,

Your iptables-save output shows that you are not using firewalld. However, for the commands you have executed you indeed have firewalld running. A possible explanation is that you have set up separate iptables scripts other than firewalld. First firewalld starts, then the offending script starts, wiping out the firewalld chains. See below for a sample of what the nat table should look like with firewalld.

To test this theory, restart firewalld (observe different output for iptables-save), disconnect/connect shared network connections, and check if the problem is resolved. To fix, remove the offending script.

Also, you seem to have docker containers running. Docker seems to insert its own chains (but not sure if it wipes iptables). Docker is usually started after firewalld when running under systemd[1]. So, things should be okay unless you restart firewalld. To properly fix this you may want to explore and set up firewalld rich rules[2] and ask docker to not touch iptables.

Links:

1) https://success.docker.com/article/why-am-i-having-network-problems-after-firewalld-is-restarted
2) https://fedoraproject.org/wiki/Features/FirewalldRichLanguage

--
Sunil

# Generated by iptables-save v1.6.2 on Mon Oct 8 18:36:16 2018
*nat
:PREROUTING ACCEPT [3162:964206]
:INPUT ACCEPT [157:8009]
:OUTPUT ACCEPT [492:32257]
:POSTROUTING ACCEPT [28:905]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_external - [0:0]
:POST_external_allow - [0:0]
:POST_external_deny - [0:0]
:POST_external_log - [0:0]
:POST_internal - [0:0]
:POST_internal_allow - [0:0]
:POST_internal_deny - [0:0]
:POST_internal_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_external - [0:0]
:PRE_external_allow - [0:0]
:PRE_external_deny - [0:0]
:PRE_external_log - [0:0]
:PRE_internal - [0:0]
:PRE_internal_allow - [0:0]
:PRE_internal_deny - [0:0]
:PRE_internal_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o eth0 -g POST_external
-A POSTROUTING_ZONES -o tun+ -g POST_internal
-A POSTROUTING_ZONES -g POST_external
-A POST_external -j POST_external_log
-A POST_external -j POST_external_deny
-A POST_external -j POST_external_allow
-A POST_external_allow ! -o lo -j MASQUERADE
-A POST_internal -j POST_internal_log
-A POST_internal -j POST_internal_deny
-A POST_internal -j POST_internal_allow
-A PREROUTING_ZONES -i eth0 -g PRE_external
-A PREROUTING_ZONES -i tun+ -g PRE_internal
-A PREROUTING_ZONES -g PRE_external
-A PRE_external -j PRE_external_log
-A PRE_external -j PRE_external_deny
-A PRE_external -j PRE_external_allow
-A PRE_internal -j PRE_internal_log
-A PRE_internal -j PRE_internal_deny
-A PRE_internal -j PRE_internal_allow
COMMIT
# Completed on Mon Oct 8 18:36:17 2018
_______________________________________________
Freedombox-discuss mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss
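
Added example, not part of the original message and not FreedomBox or firewalld code: a Python check of iptables-save output for the condition described in the reply above, where firewalld is running but its nat chains are missing or no longer hooked into the built-in chains. It assumes firewalld's iptables backend and takes the chain names from the sample dump in the message; the two embedded dumps and the OTHER_TOOL chain are constructed.

```python
import re

# Chain names taken from the sample nat table in the message (iptables backend).
EXPECTED = {"PREROUTING_direct", "PREROUTING_ZONES", "POSTROUTING_direct",
            "POSTROUTING_ZONES", "OUTPUT_direct"}
HOOKS = (("PREROUTING", "PREROUTING_ZONES"), ("POSTROUTING", "POSTROUTING_ZONES"))

def parse_nat(dump):
    """Return (declared chains, {chain: [jump/goto targets]}) for the *nat table."""
    chains, jumps, table = set(), {}, None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]                      # start of a new table section
        elif table == "nat" and line.startswith(":"):
            chains.add(line[1:].split()[0])       # ":CHAIN policy [pkts:bytes]"
        elif table == "nat" and line.startswith("-A "):
            target = re.search(r"\s-[jg]\s+(\S+)", line)
            if target:
                jumps.setdefault(line.split()[1], []).append(target.group(1))
    return chains, jumps

def check_firewalld_nat(dump):
    """List signs that firewalld's nat chains were wiped or unhooked."""
    chains, jumps = parse_nat(dump)
    problems = [f"chain {c} missing" for c in sorted(EXPECTED - chains)]
    problems += [f"{b} does not jump to {h}" for b, h in HOOKS
                 if h not in jumps.get(b, [])]
    seen, stack = set(), ["POSTROUTING"]          # follow -j/-g from POSTROUTING
    while stack:
        new = set(jumps.get(stack.pop(), [])) - seen
        seen |= new
        stack.extend(new)
    if "MASQUERADE" not in seen:                  # shared connections need NAT
        problems.append("no MASQUERADE reachable from POSTROUTING")
    return problems

# Constructed samples, not taken from the poster's machine.
HEAD = "*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n"
GOOD = HEAD + "".join(f":{c} - [0:0]\n" for c in sorted(EXPECTED)) + """\
:POST_external - [0:0]
:POST_external_allow - [0:0]
-A PREROUTING -j PREROUTING_ZONES
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -g POST_external
-A POST_external -j POST_external_allow
-A POST_external_allow ! -o lo -j MASQUERADE
COMMIT
"""
WIPED = HEAD + ":OTHER_TOOL - [0:0]\n-A POSTROUTING -j OTHER_TOOL\nCOMMIT\n"
```

On a live system, pass `check_firewalld_nat` the text of `iptables-save` (run as root) before and after restarting firewalld; an empty list means the chains from the sample are present and hooked.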
