Not masquerading loopback is broken #61
After changing the setting in fw_zone.py, the output is as expected:
Should I write a pull request for that?
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-5.html#ss5.1 contains an explanation:
https://github.com/t-woerner/firewalld/issues/61 Thanks to Georg Müller for locating this. Also added ! -o lo to rich rule masquerading.
Thanks for finding this. Here is the fix:
When masquerading is enabled, firewalld creates the following entry to not masquerade loopback traffic:
-A POST_public_allow ! -i lo -j MASQUERADE
The problem is that this rule does not work (at least for me, Fedora 23, linux 4.2.6).
Simple setup to reproduce:
shell 1: nc -v -l 5000
shell 2: nc 127.0.0.1 5000 <<< "foobar"
Output shell 1:
To further investigate the issue, I added a LOG target entry and here it is:
So, the IN property is not set (explanation could be that the packet is created on the host, so it was not received by any interface).
I think the best solution would be to change this to "-A POST_public_allow ! -o lo -j MASQUERADE" (checking destination != lo instead of source != lo).
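As an added check that is not part of the issue or of firewalld's own code: the script below scans an iptables-save dump for nat-table MASQUERADE rules that try to exclude loopback with "! -i lo" and rewrites them into the "! -o lo" form proposed above. The dump it runs against is a constructed sample, not a capture from a real host; on a live system you would pipe the real output of iptables-save (as root) into the same function.

```shell
#!/bin/sh
# Added example, not firewalld's code. Finds MASQUERADE rules in the nat table
# that negate the *input* interface. In POSTROUTING a locally generated packet
# has no input interface at all, so "! -i lo" still matches it and loopback
# traffic gets masqueraded; negating the *output* interface ("! -o lo") is the
# exclusion that actually works.

# Constructed sample iptables-save dump (not captured from a real host).
# It contains one broken rule, one correct rule, one unrelated MASQUERADE rule
# and a filter-table rule that must not be flagged.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:POST_public_allow - [0:0]
-A POSTROUTING -j POST_public
-A POST_public_allow ! -i lo -j MASQUERADE
-A POST_public_allow ! -o lo -j MASQUERADE
-A POST_public_allow -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
COMMIT'

# find_broken_masq: read an iptables-save dump on stdin and print every rule
# in the nat table that both negates the input interface and jumps to MASQUERADE.
find_broken_masq() {
    awk '
        /^\*/     { table = substr($0, 2) }   # "*nat" -> current table is nat
        /^COMMIT/ { table = "" }
        table == "nat" && /-j MASQUERADE/ && /! -i / { print }
    '
}

# fix_masq_rule: rewrite a flagged rule into the form the issue proposes
# (match on the output interface instead of the input interface).
fix_masq_rule() {
    sed 's/! -i lo -j MASQUERADE/! -o lo -j MASQUERADE/'
}

# count_broken_masq: number of broken rules in the sample dump.
count_broken_masq() {
    printf '%s\n' "$SAMPLE_DUMP" | find_broken_masq | wc -l | tr -d ' '
}

# Stand-alone run: list the broken rules and the suggested replacements.
# On a real host: iptables-save | find_broken_masq | fix_masq_rule
printf '%s\n' "$SAMPLE_DUMP" | find_broken_masq
printf '%s\n' "$SAMPLE_DUMP" | find_broken_masq | fix_masq_rule
```

The table tracking matters: the same "! -i lo" fragment is perfectly valid in the filter table (where every packet arriving from the network does have an input interface), so only nat-table rules that end in MASQUERADE are reported.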