[Freedombox-discuss] Please help: Freedombox as a router, "not working" anymore (details inside)

Sunil Mohan Adapa sunil at medhas.org
Mon Oct 8 19:59:42 BST 2018


On Monday 08 October 2018 02:32 AM, Daddy wrote:
[...]
> I was eventually able to get the DHCP working (by manually allowing the
> service in firewalld), but not the connection to the internet.
> 
> *My network setup:*
> <WAN> -- <Modem> -- <Freedombox> -- <LAN>
> 
> <LAN> is connected to Fbx through two separate interfaces - wired and
> wireless, both set as internal zone in firewall.
> LAN connections are both using "Shared" ipv4 setting; no settings were
> adjusted.
> 
> *Freedombox System:*
> Debian GNU/Linux buster/sid and FreedomBox version 0.39.0.
> 
> I'm not filing a bug report, as this may have been caused by something
> I've chosen during the manual system upgrade - I'm just not able to
> pinpoint it yet.
> 

Hello,

Your iptables-save output shows that you are not using firewalld.
However, for the commands you have executed you indeed have firewalld
running.

A possible explanation is that you have set up separate iptables scripts
other than firewalld. First firewalld starts, then the offending script
starts wiping out the firewalld chains. See below for a sample of how
the nat table should look with firewalld. To test this theory,
restart firewalld (observe different output for iptables-save),
disconnect/connect shared network connections, check if the problem is
resolved. To fix, remove the offending script.

Also, you seem to have docker containers running. Docker seems to insert
its own chains (but not sure if it wipes iptables). Docker is usually
started after firewalld when running under systemd[1]. So, things should
be okay unless you restart firewalld. To properly fix this you may want
to explore and set up firewalld rich rules[2] and ask docker to not touch
iptables.

Links:

1) https://success.docker.com/article/why-am-i-having-network-problems-after-firewalld-is-restarted
2) https://fedoraproject.org/wiki/Features/FirewalldRichLanguage

-- 
Sunil

# Generated by iptables-save v1.6.2 on Mon Oct  8 18:36:16 2018
*nat
:PREROUTING ACCEPT [3162:964206]
:INPUT ACCEPT [157:8009]
:OUTPUT ACCEPT [492:32257]
:POSTROUTING ACCEPT [28:905]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_external - [0:0]
:POST_external_allow - [0:0]
:POST_external_deny - [0:0]
:POST_external_log - [0:0]
:POST_internal - [0:0]
:POST_internal_allow - [0:0]
:POST_internal_deny - [0:0]
:POST_internal_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_external - [0:0]
:PRE_external_allow - [0:0]
:PRE_external_deny - [0:0]
:PRE_external_log - [0:0]
:PRE_internal - [0:0]
:PRE_internal_allow - [0:0]
:PRE_internal_deny - [0:0]
:PRE_internal_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o eth0 -g POST_external
-A POSTROUTING_ZONES -o tun+ -g POST_internal
-A POSTROUTING_ZONES -g POST_external
-A POST_external -j POST_external_log
-A POST_external -j POST_external_deny
-A POST_external -j POST_external_allow
-A POST_external_allow ! -o lo -j MASQUERADE
-A POST_internal -j POST_internal_log
-A POST_internal -j POST_internal_deny
-A POST_internal -j POST_internal_allow
-A PREROUTING_ZONES -i eth0 -g PRE_external
-A PREROUTING_ZONES -i tun+ -g PRE_internal
-A PREROUTING_ZONES -g PRE_external
-A PRE_external -j PRE_external_log
-A PRE_external -j PRE_external_deny
-A PRE_external -j PRE_external_allow
-A PRE_internal -j PRE_internal_log
-A PRE_internal -j PRE_internal_deny
-A PRE_internal -j PRE_internal_allow
COMMIT
# Completed on Mon Oct  8 18:36:17 2018
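
The comparison suggested in the message (does iptables-save still show firewalld's nat chains, or has something else replaced them?) written as a script. This is an added example, not part of the original message or of FreedomBox or firewalld; the function name check_firewalld_nat, the FOREIGN/MISSING/UNHOOKED labels and the Docker-style sample table are constructed here, and it assumes the firewalld chain names shown in the sample above.

```sh
#!/bin/sh
# Usage on a live system (as root): iptables-save -t nat | check_firewalld_nat
# Exit status 0 = layout intact, 1 = firewalld chains missing or not hooked in.
check_firewalld_nat() {
    awk '
        /^\*/ { table = substr($1, 2); next }        # table header such as "*nat"
        table != "nat" { next }
        /^:/ {                                        # chain declaration line
            name = substr($1, 2); declared[name] = 1
            # Chains outside the naming seen in the firewalld sample are reported.
            if (name !~ /^(PREROUTING|POSTROUTING|INPUT|OUTPUT|PRE|POST)(_.*)?$/)
                print "FOREIGN chain " name
            next
        }
        $1 == "-A" {                                  # rule: remember chain -> target
            for (i = 3; i < NF; i++)
                if ($i == "-j" || $i == "-g") jump[$2 " " $(i + 1)] = 1
        }
        END {
            n = split("PREROUTING POSTROUTING", hook, " ")
            m = split("direct ZONES_SOURCE ZONES", part, " ")
            for (h = 1; h <= n; h++) for (p = 1; p <= m; p++) {
                chain = hook[h] "_" part[p]; key = hook[h] " " chain
                if (!(chain in declared)) { print "MISSING chain " chain; bad = 1 }
                else if (!(key in jump)) { print "UNHOOKED chain " chain; bad = 1 }
            }
            if (!bad) print "OK firewalld nat chains present and hooked"
            exit bad + 0
        }
    '
}

# Constructed sample: a nat table holding only Docker-style chains, i.e. the
# state after something has replaced the firewalld rules.
sample_wiped() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
EOF
}

sample_wiped | check_firewalld_nat || echo "=> firewalld nat layout not intact"
```

Running it once right after restarting firewalld and again after reconnecting the network connections or restarting Docker shows at which step the chains disappear.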
