I use systemd-networkd and firewalld on a Fedora 33 VPS that works as a router.
This is a bit tricky: the policy objects needed for zone-to-zone forwarding are only available in the next code branch, starting with firewalld-0.9.0, which is supposed to ship only in Fedora 34.
So on Fedora 33 we have to combine rich rules and direct rules. The commands below assume the default backend is nftables:
# Names used by every command below. Adjust them to the local setup before
# running anything: a wrong zone or interface name silently produces rules
# that never match.

# Upstream (untrusted) side: firewalld zone, NetworkManager connection id,
# and the two interfaces on which WAN traffic can arrive.
WAN_ZONE='external'
WAN_CON='teksavvy'
WAN_IF='teklink'
WAN_IF2='ppp0'   # presumably the PPP link carried over ${WAN_IF}; confirm

# Downstream (trusted) side: firewalld zone, NetworkManager connection id,
# and the bridge interface the LAN hosts sit behind.
LAN_ZONE='internal'
LAN_CON='tekbridge'
LAN_IF='nm-bridge'
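# Bind each NetworkManager connection profile to its firewalld zone, then
# re-activate the connection so the new zone takes effect.
#
# NOTE(review): these commands drive NetworkManager (nmcli); confirm that
# NetworkManager, not another network service, manages these connections.
#
# Caution on a remote box: "connection down" on the WAN profile cuts any
# session that runs over that link, so the following "connection up" may
# never be issued. Run this from a console (or another out-of-band path).
#
# Arguments: $1 - NetworkManager connection id
#            $2 - firewalld zone name
bind_connection_zone() {
  local con_id=$1 zone=$2

  # Expansions are quoted: connection ids may contain spaces, and an
  # unquoted id would be split into several nmcli arguments.
  sudo nmcli connection modify id "${con_id}" connection.zone "${zone}"
  sudo nmcli connection down id "${con_id}"
  sudo nmcli connection up id "${con_id}"
}

bind_connection_zone "${WAN_CON}" "${WAN_ZONE}"
bind_connection_zone "${LAN_CON}" "${LAN_ZONE}"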
# Permanent zone configuration for traffic addressed to the router itself.
#
# Both zones get target ACCEPT, which on its own would let every packet in.
# What makes the zones default-deny is the catch-all rich rule at priority
# 32767 (the lowest precedence a rich rule can have): ICMP / ICMPv6 are
# accepted, everything else is rejected before the zone target is reached.
# Security-relevant consequence: if that reject rule is ever missing (failed
# add, later cleanup), the zone falls back to ACCEPT-all. On the WAN zone
# that exposes every listening service, so check the result afterwards with
#   sudo firewall-cmd --permanent --zone="${WAN_ZONE}" --list-rich-rules
#
# Arguments: $1 - zone name; remaining arguments are passed to firewall-cmd.
zone_permanent() {
  local zone=$1
  shift
  sudo firewall-cmd --permanent --zone="${zone}" "$@"
}

# WAN side: additionally masquerade traffic leaving through this zone.
zone_permanent "${WAN_ZONE}" --set-target=ACCEPT
zone_permanent "${WAN_ZONE}" --add-masquerade
for rich_rule in \
  "rule protocol value=icmp accept" \
  "rule protocol value=ipv6-icmp accept" \
  "rule priority=32767 reject"; do
  zone_permanent "${WAN_ZONE}" --add-rich-rule="${rich_rule}"
done

# LAN side: same accept-ICMP / reject-the-rest policy, no masquerading.
zone_permanent "${LAN_ZONE}" --set-target=ACCEPT
for rich_rule in \
  "rule protocol value=icmp accept" \
  "rule protocol value=ipv6-icmp accept" \
  "rule priority=32767 reject"; do
  zone_permanent "${LAN_ZONE}" --add-rich-rule="${rich_rule}"
done
# Forwarding policy (LAN <-> WAN), expressed as permanent direct rules.
#
# Things to keep in mind when reusing this:
#  * "--remove-rules" empties the whole permanent direct chain for that
#    table, including rules that did not come from this script.
#  * Lower priority numbers are placed earlier in the chain; the REJECT at
#    priority 90 is the default-deny and must stay last.
#  * With the nftables backend, direct rules still live in a separate
#    iptables ruleset. An ACCEPT here does not override a drop in
#    firewalld's own nftables rules; a packet has to pass both.
#  * None of the commands is checked for failure, so the final reload
#    activates whatever subset was stored. Review the result with
#      sudo firewall-cmd --permanent --direct --get-all-rules

# Run one permanent direct-interface command.
direct_permanent() {
  sudo firewall-cmd --permanent --direct "$@"
}

# Install the FORWARD rules for one address family.
# Arguments: $1 - family (ipv4 | ipv6)
#            $2 - ICMP protocol name for that family
#            $3 - reject type used by the final default-deny rule
# Globals:   LAN_IF, WAN_IF, WAN_IF2 (read)
load_forward_rules() {
  local family=$1 icmp_proto=$2 reject_with=$3
  local wan_if

  # Clamp TCP MSS to the path MTU on forwarded SYNs (presumably needed
  # because the PPP uplink has a smaller MTU than the LAN; confirm).
  direct_permanent --remove-rules "${family}" mangle FORWARD
  direct_permanent --add-rule "${family}" mangle FORWARD 10 \
    -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu

  direct_permanent --remove-rules "${family}" filter FORWARD
  direct_permanent --add-rule "${family}" filter FORWARD 10 -i lo -j ACCEPT

  # Everything entering from the LAN bridge is forwarded without filtering.
  direct_permanent --add-rule "${family}" filter FORWARD 20 \
    -i "${LAN_IF}" -j ACCEPT

  # From the WAN: only replies to existing flows and DNAT-ed connections.
  for wan_if in "${WAN_IF}" "${WAN_IF2}"; do
    direct_permanent --add-rule "${family}" filter FORWARD 30 \
      -i "${wan_if}" -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
  done

  # From the WAN: new ICMP of any type is forwarded. For IPv6 there is no
  # NAT in these rules, so this presumably reaches LAN hosts directly.
  for wan_if in "${WAN_IF}" "${WAN_IF2}"; do
    direct_permanent --add-rule "${family}" filter FORWARD 40 \
      -i "${wan_if}" -p "${icmp_proto}" -m conntrack --ctstate NEW -j ACCEPT
  done

  # From the WAN: silently drop packets conntrack cannot classify.
  for wan_if in "${WAN_IF}" "${WAN_IF2}"; do
    direct_permanent --add-rule "${family}" filter FORWARD 80 \
      -i "${wan_if}" -m conntrack --ctstate INVALID -j DROP
  done

  # Default deny for anything not accepted above.
  direct_permanent --add-rule "${family}" filter FORWARD 90 \
    -j REJECT --reject-with "${reject_with}"
}

load_forward_rules ipv4 icmp icmp-admin-prohibited
load_forward_rules ipv6 ipv6-icmp icmp6-adm-prohibited

# Nothing above touches the running firewall; the reload activates it all.
sudo firewall-cmd --reload