firewall-cmd - problem with permit/deny ssh
by bekini from LinuxQuestions.org on (#542GG)
Hi
I am 'playing' with a firewall on Fedora 32, trying to understand how it works, and I have some trouble!
I have a host A with a VPN wg0 (192.168.10.1) connection to host B, VPN wg0 (192.168.10.2), with a firewall and a connection to my home network: IF enp0s3 (10.0.2.15).
Host C: IF enp0s3 (172.16.29.252) on my home network.
I want to control what's coming through the VPN; I want to allow ssh to a given host.
It works fine for allowing/denying ssh to host B, and I can log in to it.
For accessing ssh on Host C I make a rich rule "masquerade" and I can log in to Host C - good.
From host A I can ping host B (192.168.10.2) and Host C (192.168.10.1).
When I look in the log files I see the log from rule 90.
But I can't see the log from rule 100?? This is my problem: I can't understand why I don't see this in my log!
If I remove the masquerade rule I can't log in to host C.
If I close the firewall I can log in to host C.
Help will be appreciated!
dmz (active)
target: default
icmp-block-inversion: no
interfaces: wg0
sources: 192.168.10.0/24
services:
ports:
protocols: icmp
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority=90 family=ipv4 source address=192.168.10.1 destination address=192.168.10.0/24 service name=ssh log prefix="----- ssh access fw host" level=debug accept
rule priority=100 family=ipv4 source address=192.168.10.1 destination address=172.16.29.252 service name=ssh log prefix="----- ssh access ext" level=debug accept
[root@fed32-sdp-fw ~]#
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="500" family="ipv4" source address="192.168.10.1" destination address="172.16.29.252" masquerade
[root@localhost ~]#
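Added example, not from the post or from firewalld: a small Python check that parses the rich rules quoted above and reports, for each rule, whether its destination address covers an address the firewall host itself owns. It assumes the firewall's own addresses are 192.168.10.2 on wg0 and 10.0.2.15 on enp0s3 as the post describes, and it assumes (firewalld behaviour as I understand it, not stated on the page) that a zone rich rule carrying a service element is evaluated against traffic addressed to the firewall host, not against traffic the host only forwards.

```python
"""Classify firewalld rich rules by whether their destination is the firewall host."""
import ipaddress
import re

# Constructed sample: the dmz rich rules and the public masquerade rule quoted
# in the post, plus the firewall host's own addresses as the post describes them.
FIREWALL_ADDRESSES = ["192.168.10.2", "10.0.2.15"]
RICH_RULES = [
    'rule priority=90 family=ipv4 source address=192.168.10.1 destination address=192.168.10.0/24 service name=ssh log prefix="----- ssh access fw host" level=debug accept',
    'rule priority=100 family=ipv4 source address=192.168.10.1 destination address=172.16.29.252 service name=ssh log prefix="----- ssh access ext" level=debug accept',
    'rule priority="500" family="ipv4" source address="192.168.10.1" destination address="172.16.29.252" masquerade',
]

# Values may be bare (priority=90) or quoted (priority="500"); accept both.
_ADDR = re.compile(r'(source|destination) address="?([^"\s]+)"?')
_PRIO = re.compile(r'priority="?(\d+)"?')

def parse_rich_rule(rule):
    """Extract priority, source, destination and whether a service element is present."""
    addrs = dict(_ADDR.findall(rule))
    prio = _PRIO.search(rule)
    return {
        "priority": int(prio.group(1)) if prio else 0,
        "source": addrs.get("source"),
        "destination": addrs.get("destination"),
        "has_service": " service name=" in rule,
    }

def destination_is_local(rule, local_addrs):
    """True if the rule's destination covers at least one address the firewall owns."""
    dst = rule["destination"]
    if dst is None:  # no destination element: any local address can match
        return True
    net = ipaddress.ip_network(dst, strict=False)
    return any(ipaddress.ip_address(a) in net for a in local_addrs)

def audit(rules, local_addrs):
    """Return (priority, verdict) per rule; flags service rules aimed at other hosts."""
    report = []
    for text in rules:
        r = parse_rich_rule(text)
        if not r["has_service"]:
            verdict = "no service element (nat/forward rule)"
        elif destination_is_local(r, local_addrs):
            verdict = "input path: can log and accept"
        else:
            verdict = "destination is not this host: service rule will not see forwarded traffic"
        report.append((r["priority"], verdict))
    return report
```

Running audit(RICH_RULES, FIREWALL_ADDRESSES) shows rule 90 on the input path and rule 100 aimed at a destination the firewall does not own, which is the first thing to verify when a logging rich rule stays silent.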