ipv4.method shared and non permanent firewall rules
- From: Marcel Dopita <m rcel cz>
- To: networkmanager-list gnome org
- Subject: ipv4.method shared and non permanent firewall rules
- Date: Wed, 15 Feb 2017 11:19:28 +0100
Hi,
I run NetworkManager-1.4.0-14.el7_3.x86_64 (latest CentOS) on a device
connected to the internet via PPPoE/VDSL. I prefer not to lower MTU
inside my network so I need to take advantage of the
"--clamp-mss-to-pmtu" feature.
I use "firewall-offline-cmd --direct --add-passthrough ipv4 -I FORWARD
-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" (in
kickstart file) which works (verified using "tcpdump -i ppp0 | grep -i
mss") but only once I manually reload/restart firewalld after a device
boot.
I use "ipv4.method shared" for my local network. After inspecting
"iptables-save" and syslog, I noticed that NetworkManager creates extra
runtime iptables rules.
Feb 12 20:48:47 example.com NetworkManager[558]: <info>
[1486928927.1988] Executing: /usr/sbin/iptables --table filter --insert
INPUT --in-interface br0 --protocol tcp --destination-port 53 --jump
ACCEPT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>
[1486928927.2124] Executing: /usr/sbin/iptables --table filter --insert
INPUT --in-interface br0 --protocol udp --destination-port 53 --jump
ACCEPT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>
[1486928927.2264] Executing: /usr/sbin/iptables --table filter --insert
INPUT --in-interface br0 --protocol tcp --destination-port 67 --jump
ACCEPT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>
[1486928927.2399] Executing: /usr/sbin/iptables --table filter --insert
INPUT --in-interface br0 --protocol udp --destination-port 67 --jump
ACCEPT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>
[1486928927.2540] Executing: /usr/sbin/iptables --table filter --insert
FORWARD --in-interface br0 --jump REJECT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>
[1486928927.2660] Executing: /usr/sbin/iptables --table filter --insert
FORWARD --out-interface br0 --jump REJECT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>
[1486928927.2778] Executing: /usr/sbin/iptables --table filter --insert
FORWARD --in-interface br0 --out-interface br0 --jump ACCEPT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>
[1486928927.2903] Executing: /usr/sbin/iptables --table filter --insert
FORWARD --source 192.168.1.0/255.255.255.0 --in-interface br0 --jump
ACCEPT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>
[1486928927.3021] Executing: /usr/sbin/iptables --table filter --insert
FORWARD --destination 192.168.1.0/255.255.255.0 --out-interface br0
--match state --state ESTABLISHED,RELATED --jump ACCEPT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>
[1486928927.3156] Executing: /usr/sbin/iptables --table nat --insert
POSTROUTING --source 192.168.1.0/255.255.255.0 ! --destination
192.168.1.0/255.255.255.0 --jump MASQUERADE
One thing is getting the "--clamp-mss-to-pmtu" to work with these rules.
I have very little experience with this so any help is appreciated. I
guess it's related more to firewalld but it works in passthrough when
NetworkManager is not involved.
It confuses me that NetworkManager creates runtime rules that get lost
after firewalld reload/restart. Is it unsafe? Or is it that
"ipv4.method shared" is meant for temporary networks (like hotspot
access) only? I didn't read/find anything about that. (I like how it is both
simple and extendable via the dnsmasq-shared.d)
Best regards,
Marcel Dopita
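The log lines quoted above record exactly which iptables commands NetworkManager ran, so they are enough to reconstruct the resulting chain order offline. That order is what a practitioner would check first: each `--insert` without a position number puts the new rule at the top of the chain, and ACCEPT/REJECT are terminating targets, so a rule that sits below them is only reached by packets that none of the rules above matched. The script below is an added example, not code from the post or from NetworkManager or firewalld. It replays the quoted log lines onto a rule set, models the kickstart passthrough rule as the single rule present in filter FORWARD before NetworkManager runs (an assumption about the box's state, not something the post shows), lists the terminating rules that end up above the TCPMSS rule, and models a firewalld reload as a return to the permanent rule set only, which is the behaviour the post reports. On a real host the reconstructed order is confirmed with `iptables-save`, as the post already does.

```python
import re
import shlex

# Constructed sample input: the NetworkManager log lines quoted in the post,
# re-joined into one line each (the list archive wrapped them).
NM_LOG = """\
Feb 12 20:48:47 example.com NetworkManager[558]: <info>  [1486928927.1988] Executing: /usr/sbin/iptables --table filter --insert INPUT --in-interface br0 --protocol tcp --destination-port 53 --jump ACCEPT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>  [1486928927.2124] Executing: /usr/sbin/iptables --table filter --insert INPUT --in-interface br0 --protocol udp --destination-port 53 --jump ACCEPT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>  [1486928927.2264] Executing: /usr/sbin/iptables --table filter --insert INPUT --in-interface br0 --protocol tcp --destination-port 67 --jump ACCEPT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>  [1486928927.2399] Executing: /usr/sbin/iptables --table filter --insert INPUT --in-interface br0 --protocol udp --destination-port 67 --jump ACCEPT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>  [1486928927.2540] Executing: /usr/sbin/iptables --table filter --insert FORWARD --in-interface br0 --jump REJECT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>  [1486928927.2660] Executing: /usr/sbin/iptables --table filter --insert FORWARD --out-interface br0 --jump REJECT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>  [1486928927.2778] Executing: /usr/sbin/iptables --table filter --insert FORWARD --in-interface br0 --out-interface br0 --jump ACCEPT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>  [1486928927.2903] Executing: /usr/sbin/iptables --table filter --insert FORWARD --source 192.168.1.0/255.255.255.0 --in-interface br0 --jump ACCEPT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>  [1486928927.3021] Executing: /usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.1.0/255.255.255.0 --out-interface br0 --match state --state ESTABLISHED,RELATED --jump ACCEPT
Feb 12 20:48:47 example.com NetworkManager[558]: <info>  [1486928927.3156] Executing: /usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.1.0/255.255.255.0 ! --destination 192.168.1.0/255.255.255.0 --jump MASQUERADE
"""

# Assumed starting state: the firewalld direct passthrough from the kickstart
# is the only rule in filter FORWARD before NetworkManager runs (match part only).
CLAMP_RULE = "-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
PERMANENT = {("filter", "FORWARD"): [CLAMP_RULE]}

EXEC_RE = re.compile(r"Executing: (?P<cmd>/usr/sbin/iptables .*)$")
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}  # traversal of the chain stops here


def parse_nm_iptables_log(text):
    """Extract every iptables invocation NetworkManager logged as 'Executing:'."""
    events = []
    for line in text.splitlines():
        m = EXEC_RE.search(line)
        if not m:
            continue
        argv = shlex.split(m.group("cmd"))[1:]  # drop the binary path
        table, action, chain, pos, match = "filter", "append", None, None, []
        i = 0
        while i < len(argv):
            arg = argv[i]
            if arg in ("--table", "-t"):
                table, i = argv[i + 1], i + 2
            elif arg in ("--insert", "-I", "--append", "-A"):
                action = "insert" if arg in ("--insert", "-I") else "append"
                chain, i = argv[i + 1], i + 2
                if i < len(argv) and argv[i].isdigit():  # optional rulenum after -I CHAIN
                    pos, i = int(argv[i]), i + 1
            else:
                match.append(arg)  # everything else is match criteria and the target
                i += 1
        events.append({"table": table, "chain": chain, "action": action,
                       "pos": pos, "match": " ".join(match)})
    return events


def build_chains(events, initial=None):
    """Replay invocations onto a rule set: -I without a rulenum prepends, -A appends."""
    chains = {key: list(rules) for key, rules in (initial or {}).items()}
    for ev in events:
        rules = chains.setdefault((ev["table"], ev["chain"]), [])
        if ev["action"] == "insert":
            rules.insert((ev["pos"] or 1) - 1, ev["match"])
        else:
            rules.append(ev["match"])
    return chains


def target_of(rule):
    """Return the jump target named in a rule string, or None if it has none."""
    toks = rule.split()
    for flag in ("--jump", "-j"):
        if flag in toks:
            return toks[toks.index(flag) + 1]
    return None


def terminating_rules_above(chains, table, chain, needle):
    """Terminating rules that precede the first rule containing `needle`; None if absent."""
    rules = chains.get((table, chain), [])
    for idx, rule in enumerate(rules):
        if needle in rule:
            return [r for r in rules[:idx] if target_of(r) in TERMINATING]
    return None


if __name__ == "__main__":
    after_nm = build_chains(parse_nm_iptables_log(NM_LOG), initial=PERMANENT)
    for rule in after_nm[("filter", "FORWARD")]:
        print("filter FORWARD:", rule)
    above = terminating_rules_above(after_nm, "filter", "FORWARD", "TCPMSS")
    print(f"{len(above)} terminating rules sit above the clamp rule")
    # Model of a firewalld reload as the post describes it: only the permanent
    # rules come back, the NetworkManager runtime rules are gone.
    print("after reload:", build_chains([], initial=PERMANENT))
```

Run as-is it prints the reconstructed FORWARD chain top to bottom; swap `NM_LOG` for the output of `journalctl -u NetworkManager` on the host to replay real entries. The replay shows the ordering effect the log implies: every NetworkManager rule lands above whatever was in the chain before it, and after a reload only the permanent rule set remains until NetworkManager re-adds its runtime rules.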