[CentOS] Baffled by firewall rules with a Qemu VM, CentOS 7

Sat Dec 12 03:05:52 UTC 2020
Anthony K <akcentos at anroet.com>

On 12/12/20 8:15 am, Lists wrote:
> I've understood iptables well enough for a long, long time, and although I
> think firewall-cmd is a poor replacement for iptables, I've always been able to
> "get it to work" by comparing output with iptables -L or iptables -S and using
> a direct-rule or two.
>
> And this time, I'm just baffled.
>
> I have a qemu VM running on a host. Postgresql runs on the host, and I'm
> trying to connect to the Postgresql server on the host from the VM.
>
> VM: loco
> Host: tesla
>
> 1) If I turn OFF the firewall on tesla, I have no trouble connecting from loco.
> tesla: systemctl stop firewalld
> loco: psql -U postgres -h 192.168.122.1 # yay! connection!
>
> 2) If I turn ON the firewall on tesla, I can't connect NO MATTER WHAT I DO
> tesla: systemctl start firewalld;
> loco: psql -U postgres -h 192.168.122.1 # Connection refused
>
> <snip>...
>
> There are no REJECT rules not preceded by a wildcard ACCEPT, but I can't
> connect with this config. But simply stopping host (tesla) firewalld allows me
> to connect just fine.
>
I'd run tcpdump on the host where the firewall is deployed to see where 
the packets are coming from:

tcpdump -l -n -i any port 5432  # assuming you are using standard pgsql port

Then compare that with what's in my ruleset to see which rule is blocking.

PS: I'm no longer on CentOS but I believe iptables/tcpdump are the same 
on whichever Linux distro is installed.
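As an added illustration of the "compare the capture with the ruleset" step above (not part of the thread or of any firewalld tooling), the script below walks an `iptables -S`-style dump the way netfilter would and reports the first rule that gives a verdict for a packet such as the one tcpdump would show. The ruleset, the zone chain name `IN_vmzone` and the VM address 192.168.122.10 are constructed, and only the `-i`, `-s`, `-p`, `--dport` and `--ctstate` criteria are understood.

```python
import ipaddress
import shlex
# Constructed `iptables -S` ruleset laid out like firewalld's chains; not the poster's real one.
RULESET = """\
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_direct -s 192.168.1.0/24 -p tcp --dport 5432 -j ACCEPT
-A INPUT_ZONES -i virbr0 -j IN_vmzone
-A IN_vmzone -j REJECT --reject-with icmp-port-unreachable
"""
# Options that carry a match criterion; others (-m, --reject-with) are ignored.
CRITERIA = {"-i": "in", "-s": "src", "-p": "proto", "--dport": "dport", "--ctstate": "ctstate"}


def parse_ruleset(text):
    chains, policies = {}, {}  # chain -> [(criteria, target, rule_text)], chain -> policy
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[0] == "-P":  # chain policy, e.g. "-P INPUT ACCEPT"
            policies[tok[1]] = tok[2]
        else:  # "-A CHAIN opt val opt val ... -j TARGET"; every option here takes one value
            pairs = dict(zip(tok[2::2], tok[3::2]))
            crit = {CRITERIA[k]: v for k, v in pairs.items() if k in CRITERIA}
            chains.setdefault(tok[1], []).append((crit, pairs["-j"], line))
    return chains, policies


def matches(crit, pkt):
    return all(  # every criterion on the rule must hold for the observed packet
        ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(want) if key == "src"
        else pkt["ctstate"] in want.split(",") if key == "ctstate"
        else str(pkt.get(key)) == want
        for key, want in crit.items())


def verdict(chains, policies, pkt, chain="INPUT"):
    """Walk a chain as netfilter would; return (target, rule) or None if the chain returns."""
    for crit, target, line in chains.get(chain, []):
        if not matches(crit, pkt):
            continue
        if target == "RETURN":
            break
        hit = (target, line) if target in ("ACCEPT", "DROP", "REJECT") else verdict(chains, policies, pkt, target)
        if hit:  # a user chain that gives no verdict falls through to the next rule
            return hit
    return (policies[chain], f"-P {chain} {policies[chain]}") if chain in policies else None


# Constructed packet as the suggested tcpdump would show it: the VM's first SYN to the
# host's postgres port, arriving on the libvirt bridge, with no existing connection.
SYN = {"in": "virbr0", "src": "192.168.122.10", "proto": "tcp", "dport": 5432, "ctstate": "NEW"}
print(verdict(*parse_ruleset(RULESET), SYN))  # -> ('REJECT', '-A IN_vmzone -j REJECT ...')
```

Feed it the real `iptables -S` output and the addresses seen in the capture to see which ACCEPT the VM's packets actually miss and which REJECT they hit instead.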