Description of problem:
When I add an interface to the external zone, firewalld does not create rules jumping from POSTROUTING_ZONES to POST_ZONE_external in the nat table. In the sources I can only see handling of INPUT and FORWARD in the filter table, but no POSTROUTING in the nat table. It actually applies to all zones, not just to external, but I only need postrouting in external atm. So I have to manually add rules like

-A POSTROUTING_ZONES -o eth1 -j POST_ZONE_external
-A POSTROUTING_ZONES -o ppp0 -j POST_ZONE_external

and I guess they will be lost after reboot.

Version-Release number of selected component (if applicable):
firewalld-0.2.5-1.fc17.noarch

How reproducible:
add interface to external zone
sudo iptable-save | grep _ZONES

Actual results:
See the jump from POSTROUTING to POSTROUTING_ZONES, but no jump from POSTROUTING_ZONES to POST_ZONE_external. On the other hand, FORWARD and INPUT have jumps both to *_ZONES and from *_ZONES.

Expected results:
jumps from POSTROUTING_ZONES like with INPUT and FORWARD
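The check in the reproduction steps (grep the saved ruleset for the *_ZONES hops), written out as an added example that is not part of the report or of firewalld. It runs over a constructed iptables-save excerpt mirroring the symptom; the IN_ZONE_ and FWD_ZONE_ chain prefixes for the filter table are assumed, only POST_ZONE_ is taken from the report.

```shell
#!/bin/sh
# Constructed iptables-save excerpt reproducing the report: the filter table has
# both hops (INPUT -> INPUT_ZONES -> IN_ZONE_external, FORWARD likewise), but the
# nat table only has POSTROUTING -> POSTROUTING_ZONES and no per-zone hop.
BUGGY_SAVE='*filter
-A INPUT -j INPUT_ZONES
-A FORWARD -j FORWARD_ZONES
-A INPUT_ZONES -i eth1 -j IN_ZONE_external
-A FORWARD_ZONES -i eth1 -j FWD_ZONE_external
COMMIT
*nat
-A POSTROUTING -j POSTROUTING_ZONES
COMMIT'

# Same constructed excerpt with the nat hop present (what the fix should produce).
FIXED_SAVE='*filter
-A INPUT -j INPUT_ZONES
-A FORWARD -j FORWARD_ZONES
-A INPUT_ZONES -i eth1 -j IN_ZONE_external
-A FORWARD_ZONES -i eth1 -j FWD_ZONE_external
COMMIT
*nat
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o eth1 -j POST_ZONE_external
COMMIT'

# missing_zone_jumps SAVE_TEXT IFACE ZONE
# Prints the name of every *_ZONES chain that lacks a jump into the zone chain
# for IFACE; prints nothing when all three hops are present.
# On a live host: missing_zone_jumps "$(iptables-save)" eth1 external
missing_zone_jumps() {
    save="$1"; iface="$2"; zone="$3"
    # chain:interface-flag:zone-chain-prefix (IN_ZONE_/FWD_ZONE_ are assumed names)
    for spec in "INPUT_ZONES:-i:IN_ZONE_" "FORWARD_ZONES:-i:FWD_ZONE_" \
                "POSTROUTING_ZONES:-o:POST_ZONE_"; do
        chain=${spec%%:*}; rest=${spec#*:}; flag=${rest%%:*}; prefix=${rest#*:}
        rule="-A $chain $flag $iface -j $prefix$zone"
        # -x -F: the whole saved line must equal the expected rule, no regex
        printf '%s\n' "$save" | grep -qxF -- "$rule" || printf '%s\n' "$chain"
    done
}

# Against the buggy capture this reports only POSTROUTING_ZONES.
missing_zone_jumps "$BUGGY_SAVE" eth1 external
```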
s/iptable-save/iptables-save/
Fixed in GIT: http://git.fedorahosted.org/git/?p=firewalld.git;a=commit;h=39b04060c52997cb276502108b9ec17e163fc8ca
I see. For some reason I need to add

-p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

to the forward chain in the mangle table. So, while you're at it, it would be nice to also add forward to mangle and maybe even a shortcut parameter for this rule like for masquerade.
Fedora-18 has had this fixed since firewalld-0.2.6-1.fc18. This will most likely not be fixed in Fedora-17.