On 12/12/20 8:15 am, Lists wrote:
> I've understood iptables well enough for a long, long time, and although I
> think firewall-cmd is a poor replacement for iptables, I've always been able to
> "get it to work" by comparing output with iptables -L or iptables -S and using
> a direct-rule or two.
>
> And this time, I'm just baffled.
>
> I have a qemu VM running on a host. Postgresql runs on the host, and I'm
> trying to connect to the Postgresql server on the host from the VM.
>
> VM: loco
> Host: tesla
>
> 1) If I turn OFF the firewall on tesla, I have no trouble connecting from loco.
> tesla: systemctl stop firewalld
> loco: psql -U postgres -h 192.168.122.1 # yay! connection!
>
> 2) If I turn ON the firewall on tesla, I can't connect NO MATTER WHAT I DO
> tesla: systemctl start firewalld;
> loco: psql -U postgres -h 192.168.122.1 # Connection refused
>
> <snip>...
>
> There are no REJECT rules not preceded by a wildcard ACCEPT, but I can't
> connect with this config. But simply stopping host (tesla) firewalld allows me
> to connect just fine.
>

I'd run tcpdump on the host where the firewall is deployed to see where the
packets are coming from:

tcpdump -l -n -i any port 5432 # assuming you are using standard pgsql port

Then compare that with what's in my ruleset to see which rule is blocking.

PS: I'm no longer on CentOS but I believe iptables/tcpdump are the same on
whichever Linux distro is installed.
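An added example, not part of this thread and not written by either poster, of how to read the tcpdump output the reply suggests. It takes the host address 192.168.122.1 from the post and assumes PostgreSQL is on its default port 5432; the tcpdump lines embedded in it are constructed for illustration, not captured from the poster's machines. The point of sorting the packets this way is that the client-side error already narrows the search: the VM sees "Connection refused" only when the host answers the SYN with a TCP reset or an ICMP port-unreachable, so the interesting question for the ruleset is which of those the host is sending back, and from which rule.

```sh
#!/bin/sh
# Added example (not from the original thread): classify tcpdump output
# captured on the firewall host so it can be matched against the ruleset.
# Run as root with "live" to capture for real, otherwise it runs against
# the constructed sample lines below.

PG_PORT=5432            # assumption: PostgreSQL on its default port
HOST_IP=192.168.122.1   # host (tesla) address taken from the post

# Constructed sample lines in "tcpdump -l -n -i any" format (not real captures).
SAMPLE_SYN='12:00:00.000001 vnet0 In  IP 192.168.122.10.51234 > 192.168.122.1.5432: Flags [S], seq 1, win 64240, length 0'
SAMPLE_SYNACK='12:00:00.000002 vnet0 Out IP 192.168.122.1.5432 > 192.168.122.10.51234: Flags [S.], seq 2, ack 2, win 65160, length 0'
SAMPLE_RST='12:00:00.000002 vnet0 Out IP 192.168.122.1.5432 > 192.168.122.10.51234: Flags [R.], seq 0, ack 2, win 0, length 0'
SAMPLE_ICMP='12:00:00.000002 vnet0 Out IP 192.168.122.1 > 192.168.122.10: ICMP 192.168.122.1 tcp port 5432 unreachable, length 60'

# classify_line LINE -> one of:
#   syn-in     the client's SYN reached the host (it got as far as the NIC)
#   synack-out the host answered SYN-ACK: filter and service both accepted it
#   rst-out    the host sent a TCP reset (REJECT --reject-with tcp-reset, or
#              nothing listening on the port)
#   icmp-out   the host sent an ICMP unreachable (a REJECT rule with an ICMP
#              reject type fired)
#   other      anything else
classify_line() {
  case $1 in
    *" > $HOST_IP.$PG_PORT: Flags [S],"*)       echo syn-in ;;
    *" $HOST_IP.$PG_PORT > "*"Flags [S.],"*)    echo synack-out ;;
    *" $HOST_IP.$PG_PORT > "*"Flags [R"*)       echo rst-out ;;
    *" $HOST_IP > "*"ICMP "*unreachable*)       echo icmp-out ;;
    *)                                          echo other ;;
  esac
}

# summarize < tcpdump-output -> one verdict keyword:
#   never-arrived  no SYN seen on the host: not a host filter problem
#   accepted       SYN-ACK went back: the filter let it through
#   rejected-rst   SYN answered with RST
#   rejected-icmp  SYN answered with ICMP unreachable
#   dropped        SYN seen, nothing sent back: a DROP rule or no return route
summarize() {
  syn=0; synack=0; rst=0; icmp=0
  while IFS= read -r l; do
    case $(classify_line "$l") in
      syn-in)     syn=$((syn + 1)) ;;
      synack-out) synack=$((synack + 1)) ;;
      rst-out)    rst=$((rst + 1)) ;;
      icmp-out)   icmp=$((icmp + 1)) ;;
    esac
  done
  if   [ "$syn" -eq 0 ];    then echo never-arrived
  elif [ "$synack" -gt 0 ]; then echo accepted
  elif [ "$rst" -gt 0 ];    then echo rejected-rst
  elif [ "$icmp" -gt 0 ];   then echo rejected-icmp
  else                           echo dropped
  fi
}

if [ "${1:-}" = live ]; then
  # Capture both the TCP traffic and any ICMP the host sends back, for 20 s,
  # while the psql attempt is made from the VM. Needs root for tcpdump.
  timeout 20 tcpdump -l -n -i any "tcp port $PG_PORT or icmp" | summarize
else
  printf 'sample verdict: %s\n' "$(printf '%s\n' "$SAMPLE_SYN" "$SAMPLE_ICMP" | summarize)"
fi
```

Whatever the verdict, the next step is the comparison the reply describes: `iptables -S` (or `nft list ruleset` on an nftables backend) read top to bottom against the interface the SYN arrived on, and `iptables -L -v -n` run before and after another psql attempt to see which REJECT or DROP counter moves. Note that firewalld's own default reject for IPv4 is icmp-host-prohibited, which the client reports as "No route to host" rather than "Connection refused", so the exact wording psql prints is itself a clue to which rule is in play.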