I've understood iptables well enough for a long, long time, and although I think firewall-cmd is a poor replacement for iptables, I've always been able to "get it to work" by comparing output with iptables -L or iptables -S and using a direct-rule or two.
And this time, I'm just baffled.
I have a qemu VM running on a host. Postgresql runs on the host, and I'm trying to connect to the Postgresql server on the host from the VM.
VM: loco
Host: tesla
1) If I turn OFF the firewall on tesla, I have no trouble connecting from loco.

    tesla: systemctl stop firewalld
    loco:  psql -U postgres -h 192.168.122.1   # yay! connection!
2) If I turn ON the firewall on tesla, I can't connect NO MATTER WHAT I DO.

    tesla: systemctl start firewalld
    loco:  psql -U postgres -h 192.168.122.1   # Connection refused
I have tried:

    tesla# firewall-cmd --zone=public --add-port=5432/tcp
    tesla# firewall-cmd --add-service=postgresql
    tesla# firewall-cmd --set-default-zone=trusted
    tesla# firewall-cmd --direct --add-rule ipv4 filter LIBVIRT_FWI 0 -j ACCEPT
    tesla# firewall-cmd --direct --add-rule ipv4 filter LIBVIRT_FWO 0 -j ACCEPT
    tesla# firewall-cmd --direct --add-rule ipv4 filter LIBVIRT_FWX 0 -j ACCEPT
... and many more things. Literally stumped for a few hours. The output of iptables indicates that I've wildcarded everything:
    tesla# iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N LIBVIRT_FWI
    -N LIBVIRT_FWO
    -N LIBVIRT_FWX
    -N LIBVIRT_INP
    -N LIBVIRT_OUT
    -A INPUT -j LIBVIRT_INP
    -A FORWARD -j LIBVIRT_FWX
    -A FORWARD -j LIBVIRT_FWI
    -A FORWARD -j LIBVIRT_FWO
    -A OUTPUT -j LIBVIRT_OUT
    -A LIBVIRT_FWI -d 192.168.122.0/24 -j ACCEPT
    -A LIBVIRT_FWI -i virbr0 -j ACCEPT
    -A LIBVIRT_FWI -j ACCEPT
    -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A LIBVIRT_FWO -i virbr0 -j ACCEPT
    -A LIBVIRT_FWO -j ACCEPT
    -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A LIBVIRT_FWX -j ACCEPT
    -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
    -A LIBVIRT_INP -j ACCEPT
    -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A LIBVIRT_OUT -j ACCEPT
    -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
    -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
There are no REJECT rules not preceded by a wildcard ACCEPT, but I can't connect with this config. Yet simply stopping firewalld on the host (tesla) allows me to connect just fine.
Any ideas?
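The claim in the post, that every REJECT in this dump sits behind a "wildcard" ACCEPT and that a VM-to-host connection is therefore accepted, can be checked mechanically rather than by eye. The script below is an added example, not code from the post or from libvirt/firewalld: it parses `iptables -S` output, reports rules that can never be reached because an earlier rule in the same chain has no match and a terminal target, and walks a packet through a chain the way netfilter does (first matching terminal rule wins, user chains fall back to their caller). The RULES text is an excerpt of the dump the poster pasted (LIBVIRT_FWO, LIBVIRT_FWX, OUTPUT and the port-67 rules left out to keep it short); the packet dictionary, its key names and the VM address 192.168.122.50 are constructed for the example, and only the match options that occur in the dump are understood.

```python
"""Added example, not code from the post: parse an `iptables -S` dump, flag rules
shadowed by an earlier unconditional terminal rule, and walk a packet through a chain."""
import ipaddress
import shlex

# Excerpt of the post's `iptables -S` output (LIBVIRT_FWO, LIBVIRT_FWX, OUTPUT and
# the port-67 rules omitted for brevity); only the match options seen here are supported.
RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-N LIBVIRT_FWI
-N LIBVIRT_INP
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWI
-A LIBVIRT_FWI -d 192.168.122.0/24 -j ACCEPT
-A LIBVIRT_FWI -i virbr0 -j ACCEPT
-A LIBVIRT_FWI -j ACCEPT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_INP -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def parse_rules(dump):
    """Return (policies, chains): policy per built-in chain; per chain an ordered list of (match_tokens, target)."""
    policies, chains = {}, {}
    for line in dump.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
        if toks[0] in ("-P", "-N"):
            chains.setdefault(toks[1], [])
        elif toks[0] == "-A":
            j = toks.index("-j")  # tokens after the target are target options, not matches
            chains.setdefault(toks[1], []).append((toks[2:j], toks[j + 1]))
    return policies, chains


def shadowed_rules(chains):
    """Rules that can never match: an earlier rule in the chain has no match and a terminal target."""
    out = {}
    for chain, rules in chains.items():
        for idx, (matches, target) in enumerate(rules):
            if not matches and target in TERMINAL and rules[idx + 1:]:
                out[chain] = rules[idx + 1:]
                break
    return out


def rule_matches(matches, pkt):
    """Packet dict keys: in, out, proto, src, dst, dport, ctstate (default NEW)."""
    it = iter(matches)
    for tok in it:
        if tok in ("-i", "-o", "-p"):
            ok = pkt.get({"-i": "in", "-o": "out", "-p": "proto"}[tok]) == next(it)
        elif tok in ("-s", "-d"):
            net = ipaddress.ip_network(next(it), strict=False)
            addr = pkt.get("src" if tok == "-s" else "dst")
            ok = addr is not None and ipaddress.ip_address(addr) in net
        elif tok == "--dport":
            ok = pkt.get("dport") == int(next(it))
        elif tok == "--ctstate":
            ok = pkt.get("ctstate", "NEW") in next(it).split(",")
        elif tok == "-m":
            ok, _ = True, next(it)  # match-extension name; its own options follow
        else:
            raise ValueError(f"unsupported match token {tok!r}")
        if not ok:
            return False
    return True


def verdict(policies, chains, chain, pkt):
    """First matching terminal rule wins; a user chain hands back to its caller on RETURN or fall-through."""
    for matches, target in chains.get(chain, []):
        if not rule_matches(matches, pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return policies.get(chain)  # None for a user chain, so the caller keeps walking
        sub = verdict(policies, chains, target, pkt)
        if sub is not None:
            return sub
    return policies.get(chain)  # built-in chain: policy; user chain: None


if __name__ == "__main__":
    pol, ch = parse_rules(RULES)
    # Constructed packet: the VM's first SYN towards the host's postgres port.
    syn = {"in": "virbr0", "proto": "tcp", "src": "192.168.122.50", "dst": "192.168.122.1", "dport": 5432}
    print("INPUT verdict:", verdict(pol, ch, "INPUT", syn))
    print("shadowed:", {c: [t for _, t in r] for c, r in shadowed_rules(ch).items()})
```

Run as is, it reports ACCEPT for the VM's SYN on INPUT and lists LIBVIRT_FWI and LIBVIRT_INP as chains whose later rules, the REJECT included, are unreachable, which is exactly the reading the post gives of this dump. The audit only reasons about what `iptables -S` printed: a firewalld that uses the nftables backend keeps its own rules in nft tables that the iptables listing does not show, so on such a host `nft list ruleset` is the dump worth feeding to the same kind of check.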