firewalld support #166

Open
nahil1 opened this issue Jun 20, 2021 · 21 comments
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed investigation-required

Comments

@nahil1

nahil1 commented Jun 20, 2021

The following commands are needed to allow traffic when firewalld is being used.

sudo firewall-cmd --add-service=dhcp
sudo firewall-cmd --add-service=dns
sudo firewall-cmd  --add-masquerade

sudo firewall-cmd -q --direct --add-rule ipv4 nat POSTROUTING 0 -o <ap_iface> -j MASQUERADE
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i <internet_iface> -o <ap_iface> -j ACCEPT
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i <ap_iface> -o <internet_iface> -m state --state RELATED,ESTABLISHED -j ACCEPT
@nahil1 nahil1 changed the title from "firewalld blocks dhcp request by default in fedora 34" to "firewalld support" Jun 23, 2021
@lakinduakash lakinduakash added enhancement New feature or request help wanted Extra attention is needed investigation-required labels Dec 27, 2021
@lakinduakash lakinduakash pinned this issue Dec 27, 2021
@tubbadu

tubbadu commented Mar 28, 2022

What should <ap_iface> and <internet_iface> be substituted with?

@lakinduakash
Owner

@tubbadu check the ui dropdowns

@Luciogi
Contributor

Luciogi commented Apr 8, 2022

Edit : This solution is NOT working, GOTO

Just add the adapter name in the variables (wifi_iface and internet_iface; in my case export wifi_iface=wlan0 export internet_iface=wlan0), then execute the commands

export wifi_iface=
export internet_iface=
sudo firewall-cmd --add-service=dhcp
sudo firewall-cmd --add-service=dns
sudo firewall-cmd  --add-masquerade

sudo firewall-cmd -q --direct --add-rule ipv4 nat POSTROUTING 0 -o $wifi_iface -j MASQUERADE
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i $internet_iface -o $wifi_iface -j ACCEPT
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i $wifi_iface -o $internet_iface -m state --state RELATED,ESTABLISHED -j ACCEPT

@lakinduakash
Owner

lakinduakash commented Apr 11, 2022

@Luciogi Thanks I'll add those and test them soon.

@Luciogi
Contributor

Luciogi commented Apr 19, 2022

@lakinduakash this solution is not working

@Luciogi
Contributor

Luciogi commented Apr 21, 2022

Working Solution:

I am using Fedora 35 for testing; firewalld has the default zone FedoraWorkstation. My approach is to enable masquerade in the zones trusted and FedoraWorkstation, and add the interface ap0 to the trusted zone.
Executing the following command block will allow internet access and IP allocation via hotspot.

sudo firewall-cmd --zone=FedoraWorkstation --add-masquerade
sudo firewall-cmd --zone=trusted --add-masquerade
sudo firewall-cmd --zone=trusted --add-interface=ap0

Edit: Please test it and give feedback

  • fwd firewall works without any problem

@lakinduakash
Owner

Thanks @Luciogi for testing it. Someone please test it; currently I don't have a Fedora environment.

@NHellFire
Contributor

NHellFire commented Aug 23, 2022

This will allow clients to connect and have internet access (tested on Ubuntu 22.04 with firewalld 1.1.1) without allowing them access to other services on the host:

firewall-cmd --permanent --new-zone=hotspot
firewall-cmd --permanent --zone=hotspot --add-service=dhcp
firewall-cmd --permanent --zone=hotspot --add-service=dns
firewall-cmd --permanent --zone=hotspot --add-interface=ap0

# Ensure the DNS ports are forwarded
firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="tcp" to-port="5353" destination address="192.168.12.1"'
firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="udp" to-port="5353" destination address="192.168.12.1"'

# Change public to whatever zone you've assigned the internet connection to
firewall-cmd --permanent --zone=public --add-masquerade

firewall-cmd --permanent --new-policy hotspot-forwarding
firewall-cmd --permanent --policy hotspot-forwarding --add-ingress-zone hotspot
# Change public to whatever zone you've assigned the internet connection to
firewall-cmd --permanent --policy hotspot-forwarding --add-egress-zone public
# If you want to restrict what ports clients can access on the internet, you can remove this
firewall-cmd --permanent --policy hotspot-forwarding --set-target ACCEPT
# And add specific services instead
#firewall-cmd --permanent --policy hotspot-forwarding --add-service http


firewall-cmd --reload

These rules will persist after a reboot, so you shouldn't need to touch them again unless you want to allow more zones to be used for internet.
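
A check for the difference between the two approaches in this thread, as an added example that is not part of any comment or of the project: it reads `firewall-cmd --list-all-zones` output and fails when the hotspot interface sits in a zone with target ACCEPT (as `trusted` does) or in a zone that offers services other than dhcp and dns. The function name `audit_ap_zone`, the `eth0` interface and both sample listings are constructed for illustration.

```shell
# Added example, not from the thread: audit which zone the hotspot interface is in.
# Live use: firewall-cmd --list-all-zones | audit_ap_zone ap0
audit_ap_zone() {   # $1 = AP interface; zone listing on stdin
    awk -v ifc="$1" '
        /^[^ \t]/        { zone = $1; next }   # unindented line opens a zone block
        /^  target:/     { target[zone] = $2 }
        /^  interfaces:/ { for (i = 2; i <= NF; i++) if ($i == ifc) found = zone }
        /^  services:/   { $1 = ""; services[zone] = $0 }
        END {
            if (found == "") { print "WARN: " ifc " is not bound to any zone"; exit 2 }
            if (target[found] == "ACCEPT") { print "FAIL: " ifc " is in zone " found " (target ACCEPT), every host port is open to clients"; bad = 1 }
            n = split(services[found], svc, " ")
            for (i = 1; i <= n; i++)
                if (svc[i] != "dhcp" && svc[i] != "dns") { print "FAIL: zone " found " also exposes service " svc[i]; bad = 1 }
            if (!bad) print "OK: " ifc " is in zone " found ", which exposes only dhcp/dns"
            exit bad + 0
        }'
}
# Constructed listings, trimmed to the fields the audit reads (not captured output).
sample_trusted() {   # ap0 added to the trusted zone
cat <<'EOF'
trusted (active)
  target: ACCEPT
  interfaces: ap0
  services: 
EOF
}
sample_hotspot() {   # ap0 in a dedicated zone with only dhcp and dns
cat <<'EOF'
hotspot (active)
  target: default
  interfaces: ap0
  services: dhcp dns
  rich rules: 
	rule family="ipv4" destination address="192.168.12.1" forward-port port="53" protocol="udp" to-port="5353"

public (active)
  target: default
  interfaces: eth0
  services: ssh
EOF
}
sample_trusted | audit_ap_zone ap0 || true
sample_hotspot | audit_ap_zone ap0
```

The exit status is 0 for a restricted zone, 1 for a finding and 2 when the interface is not bound to any zone, so the check can gate a setup script.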

@lxwulf

lxwulf commented Feb 1, 2023

Working Solution:

I am using Fedora 35 for testing; firewalld has the default zone FedoraWorkstation. My approach is to enable masquerade in the zones trusted and FedoraWorkstation, and add the interface ap0 to the trusted zone. Executing the following command block will allow internet access and IP allocation via hotspot.

sudo firewall-cmd --zone=FedoraWorkstation --add-masquerade
sudo firewall-cmd --zone=trusted --add-masquerade
sudo firewall-cmd --zone=trusted --add-interface=ap0

Edit: Please test it and give feedback

  • fwd firewall works without any problem

Sadly, this doesn't work somehow…

Are there some special settings which I missed? I got an IP address with my phone, but no internet connection.

IP of Phone: 192.168.12.13
Gateway of Phone: 192.168.12.1
Gateway of ap0: 192.168.12.1

I have a virtual interface as LAN device, but this shouldn't generate any problems, right?

Ethernet port enp1s0:
IP: 192.168.12.103
Gateway: 192.168.12.1

Normally this would be 192.168.3.3 with Gateway 192.168.3.1
I have internet in my VM, but not on the hotspot. If I missed mentioning something, just ask and I'll try to deliver.

Greets LxWulf

Edit: Yes, I use Fedora 37 with the newest updates.

@Luciogi
Contributor

Luciogi commented Feb 2, 2023

@lxwulf Are you using Fedora 37 on VM?

@lxwulf

lxwulf commented Feb 2, 2023

@Luciogi Yes, exactly!

It does work with a LAN PCI pass through, but not with virtual devices, at least on my side.

@Luciogi
Contributor

Luciogi commented Feb 3, 2023

@lxwulf I guess the VM can't directly access all wifi card capabilities; it uses a bridge or NAT connection coming from the host OS.
Maybe a USB wifi adapter might work.

@lxwulf

lxwulf commented Feb 4, 2023

@Luciogi Yes, worth trying, but at the moment I have no USB dongle. I'll keep this in mind for later.

@tubbadu

tubbadu commented Feb 5, 2023

This will allow clients to connect and have internet access (tested on Ubuntu 22.04 with firewalld 1.1.1) without allowing them access to other services on the host:

firewall-cmd --permanent --new-zone=hotspot
firewall-cmd --permanent --zone=hotspot --add-service=dhcp
firewall-cmd --permanent --zone=hotspot --add-service=dns
firewall-cmd --permanent --zone=hotspot --add-interface=ap0

# Ensure the DNS ports are forwarded
firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="tcp" to-port="5353" destination address="192.168.12.1"'
firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="udp" to-port="5353" destination address="192.168.12.1"'

# Change public to whatever zone you've assigned the internet connection to
firewall-cmd --permanent --zone=public --add-masquerade

firewall-cmd --permanent --new-policy hotspot-forwarding
firewall-cmd --permanent --policy hotspot-forwarding --add-ingress-zone hotspot
# Change public to whatever zone you've assigned the internet connection to
firewall-cmd --permanent --policy hotspot-forwarding --add-egress-zone public
# If you want to restrict what ports clients can access on the internet, you can remove this
firewall-cmd --permanent --policy hotspot-forwarding --set-target ACCEPT
# And add specific services instead
#firewall-cmd --permanent --policy hotspot-forwarding --add-service http


firewall-cmd --reload

These rules will persist after a reboot, so you shouldn't need to touch them again unless you want to allow more zones to be used for internet.

I'm on Fedora 37, and with these settings my Android device is "connected without internet access".

@Luciogi
Contributor

Luciogi commented Feb 5, 2023

@tubbadu Please test this #166 (comment)

@mxvin

mxvin commented Jul 14, 2023

We need proper support for firewalld. Something nice like @NHellFire's script, translating the existing regular iptables rules. For the fast and easy way already discussed here, that is masquerade + adding ap0 to zones.

@KronosTheLate

KronosTheLate commented Nov 20, 2023

On Debian 12 with firewalld enabled, the problem was fixed by only the first three lines. Namely:

sudo firewall-cmd --add-service=dhcp
sudo firewall-cmd --add-service=dns
sudo firewall-cmd  --add-masquerade

But yes, given that firewalld is enabled by default on several distros (including Debian), this should probably be done automatically.

If nothing else, just check if sudo firewall-cmd --state returns running, and if it does, print something during installation along the lines of "You have firewalld running. This may require explicitly adding some rules for allowing network traffic. Please visit if you face issues."

EDIT: Even though I could not connect to the network, I could not use mDNS to resolve the hostname. I ended up disabling firewalld, and expect to be using something that is not as obstructive in the future.

@poopsicles

Edit : This solution is NOT working, GOTO

Just add the adapter name in the variables (wifi_iface and internet_iface; in my case export wifi_iface=wlan0 export internet_iface=wlan0), then execute the commands

export wifi_iface=
export internet_iface=
sudo firewall-cmd --add-service=dhcp
sudo firewall-cmd --add-service=dns
sudo firewall-cmd  --add-masquerade

sudo firewall-cmd -q --direct --add-rule ipv4 nat POSTROUTING 0 -o $wifi_iface -j MASQUERADE
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i $internet_iface -o $wifi_iface -j ACCEPT
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i $wifi_iface -o $internet_iface -m state --state RELATED,ESTABLISHED -j ACCEPT

This works for me on Fedora 39.

@poopsicles

Working Solution:

I am using Fedora 35 for testing; firewalld has the default zone FedoraWorkstation. My approach is to enable masquerade in the zones trusted and FedoraWorkstation, and add the interface ap0 to the trusted zone. Executing the following command block will allow internet access and IP allocation via hotspot.

sudo firewall-cmd --zone=FedoraWorkstation --add-masquerade
sudo firewall-cmd --zone=trusted --add-masquerade
sudo firewall-cmd --zone=trusted --add-interface=ap0

Edit: Please test it and give feedback

* **fwd** firewall works without any problem

is there a way to make this permanent?
would adding --permanent work?

@Luciogi
Contributor

Luciogi commented Jan 11, 2024

is there a way to make this permanent? would adding --permanent work?

No idea. I am not using firewalld and Fedora anymore, and I forgot whether these commands make permanent rules.

@lxwulf

lxwulf commented Jan 15, 2024

I have used Fedora Linux since version 30, and now I'm on version 39. I can confirm that the firewall-cmd command with the --permanent option does work to make settings permanent. After this, you can reload the firewall to take the new settings in => firewall-cmd --reload.

All changes without the --permanent option are temporary and are lost when the firewall gets reloaded (firewall-cmd --reload) or the system is rebooted.
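
A way to see which settings would be lost, as an added example that is not part of any comment or of the project: it compares a zone's runtime listing with its `--permanent` listing and prints every runtime value the permanent configuration lacks. The function name `runtime_drift` and both sample listings are constructed; the samples model the trusted zone after the three commands quoted above were run without --permanent.

```shell
# Added example, not from the thread: list runtime settings missing from the permanent config.
# Live use: runtime_drift "$(firewall-cmd --zone=trusted --list-all)" \
#                         "$(firewall-cmd --permanent --zone=trusted --list-all)"
runtime_drift() {   # $1 = runtime listing, $2 = permanent listing
    { printf '%s\n' "$2"; echo '@@runtime@@'; printf '%s\n' "$1"; } | awk '
        $0 == "@@runtime@@" { runtime = 1; next }   # marker between the two listings
        /^  [a-z-]+:/ {
            key = $1; sub(/:$/, "", key)
            for (i = 2; i <= NF; i++) {
                if (!runtime) saved[key, $i] = 1                      # permanent value
                else if (!((key, $i) in saved)) { print key "=" $i; n++ }
            }
        }
        END { exit (n > 0) }'   # status 1 when something exists only at runtime
}
# Constructed listings, trimmed to a few fields (not captured output).
sample_runtime() {
cat <<'EOF'
trusted (active)
  target: ACCEPT
  interfaces: ap0
  services: 
  masquerade: yes
EOF
}
sample_permanent() {
cat <<'EOF'
trusted
  target: ACCEPT
  interfaces: 
  services: 
  masquerade: no
EOF
}
runtime_drift "$(sample_runtime)" "$(sample_permanent)" || echo "the values above are lost on reload or reboot"
```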

9 participants