Sent from my iPhone

> On Dec 12, 2020, at 07:00, centos-request at centos.org wrote:
>
> Message: 51
> Date: Fri, 11 Dec 2020 13:15:43 -0800
> From: Lists <lists at benjamindsmith.com>
> To: CentOS mailing list <centos at centos.org>
> Subject: [CentOS] Baffled by firewall rules with a Qemu VM, CentOS 7
> Message-ID: <2155552.iZASKD2KPV at tesla.effortlessis.com>
> Content-Type: text/plain; charset="us-ascii"
>
> I've understood iptables well enough for a long, long time, and although I
> think firewall-cmd is a poor replacement for iptables, I've always been able to
> "get it to work" by comparing output with iptables -L or iptables -S and using
> a direct rule or two.
>
> And this time, I'm just baffled.
>
> I have a qemu VM running on a host. Postgresql runs on the host, and I'm
> trying to connect to the Postgresql server on the host from the VM.
>
> VM: loco
> Host: tesla
>
> 1) If I turn OFF the firewall on tesla, I have no trouble connecting from loco.
> tesla: systemctl stop firewalld
> loco: psql -U postgres -h 192.168.122.1 # yay! connection!
>
> 2) If I turn ON the firewall on tesla, I can't connect NO MATTER WHAT I DO
> tesla: systemctl start firewalld;
> loco: psql -U postgres -h 192.168.122.1 # Connection refused
>
> I have tried:
> tesla# firewall-cmd --zone=public --add-port=5432/tcp
> tesla# firewall-cmd --add-service=postgresql
> tesla# firewall-cmd --set-default-zone=trusted;
> tesla# firewall-cmd --direct --add-rule ipv4 filter LIBVIRT_FWI 0 -j ACCEPT
> tesla# firewall-cmd --direct --add-rule ipv4 filter LIBVIRT_FWO 0 -j ACCEPT
> tesla# firewall-cmd --direct --add-rule ipv4 filter LIBVIRT_FWX 0 -j ACCEPT
>
> ... and many more things. Literally stumped for a few hours. The output of
> iptables indicates that I've wildcarded everything:
>
> tesla# iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N LIBVIRT_FWI
> -N LIBVIRT_FWO
> -N LIBVIRT_FWX
> -N LIBVIRT_INP
> -N LIBVIRT_OUT
> -A INPUT -j LIBVIRT_INP
> -A FORWARD -j LIBVIRT_FWX
> -A FORWARD -j LIBVIRT_FWI
> -A FORWARD -j LIBVIRT_FWO
> -A OUTPUT -j LIBVIRT_OUT
> -A LIBVIRT_FWI -d 192.168.122.0/24 -j ACCEPT
> -A LIBVIRT_FWI -i virbr0 -j ACCEPT
> -A LIBVIRT_FWI -j ACCEPT
> -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A LIBVIRT_FWO -i virbr0 -j ACCEPT
> -A LIBVIRT_FWO -j ACCEPT
> -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
> -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A LIBVIRT_FWX -j ACCEPT
> -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
> -A LIBVIRT_INP -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
> -A LIBVIRT_OUT -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
>
> There are no REJECT rules not preceded by a wildcard ACCEPT, but I can't
> connect with this config. But simply stopping host (tesla) firewalld allows me
> to connect just fine.
>
> Any ideas?

How do you have SELinux set?