I have noticed that Firewalld is actively blocking incoming and outgoing connections, which is causing disruptions in my network communication. However, upon checking the system, I discovered that no explicit IPTABLES rules are set. This is puzzling to me as I expected Firewalld to rely on IPTABLES for rule enforcement.

To further investigate, I have verified that Firewalld service is running and enabled on my system. I have also confirmed that the default Firewalld zone is correctly set and that there are no custom zone configurations interfering with the traffic. Additionally, I have reviewed the Firewalld logs, but I haven't found any relevant errors or warnings that could shed light on the issue.

I would greatly appreciate any suggestions or insights into why Firewalld might be blocking traffic in the absence of explicit IPTABLES rules.

You can see from the output below that only a few services are actively opened:

[linadmin@vwaapcon01]$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160 ens192 ens224
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[linadmin@vwaapcon01]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

UME

1 Answer

  1. There may simply be a network firewall or security group active outside of the host that restricts traffic, regardless of the absence/presence/configuration of any host-based firewall.

  2. Alternatively, your system and firewalld may be using the nftables backend, and then inspecting rules with iptables may not give a complete/correct picture of any host-based firewall rules that exist outside the scope of the user-friendly Firewalld frontend; you'd need to use nft list ruleset or similar to see those.

HBruijn
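A small diagnostic added here as an example (not part of the original answer) that makes the second point checkable: it reads firewalld's FirewallBackend setting (nftables is firewalld's default when the key is unset or commented out) and counts the chains in the firewalld table of an nft list ruleset dump, so a host where iptables -L is empty can still be shown to carry enforced rules. The config and ruleset below are constructed sample input, not taken from the poster's host.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post). Answers: which backend
# is firewalld configured for, and how many firewalld chains does nftables hold?

# Read a firewalld.conf on stdin and print the effective backend. Firewalld
# defaults to nftables when FirewallBackend is unset or commented out, which is
# exactly the case where `iptables -L` shows empty chains while traffic is filtered.
firewalld_backend() {
    backend=$(sed -n 's/^FirewallBackend=\(.*\)$/\1/p' | tail -n 1)
    echo "${backend:-nftables}"
}

# Read an `nft list ruleset` dump on stdin and print the number of chains inside
# the `table inet firewalld` block. Zero means firewalld has loaded no nft rules.
firewalld_nft_chains() {
    awk '/^table inet firewalld/ { inside = 1; next }
         inside && /^}/          { inside = 0 }
         inside && /^[[:space:]]*chain / { n++ }
         END { print n + 0 }'
}

# Constructed sample firewalld.conf: the backend key is only present as a comment.
SAMPLE_CONF='# firewalld config file
DefaultZone=public
# FirewallBackend=iptables'

# Constructed sample ruleset, shaped like firewalld 1.x output on the nftables backend.
SAMPLE_RULESET='table inet firewalld {
	chain filter_INPUT {
		type filter hook input priority filter + 10; policy accept;
		ct state { established, related } accept
		jump filter_INPUT_ZONES
		reject with icmpx admin-prohibited
	}
	chain filter_INPUT_ZONES {
		iifname "ens160" goto filter_IN_public
	}
}
table ip filter {
}'

echo "backend: $(printf '%s\n' "$SAMPLE_CONF" | firewalld_backend)"                  # nftables
echo "firewalld chains in nft: $(printf '%s\n' "$SAMPLE_RULESET" | firewalld_nft_chains)"  # 2
```

On a live host, replace the samples with `cat /etc/firewalld/firewalld.conf | firewalld_backend` and `sudo nft list ruleset | firewalld_nft_chains`.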
The command ```nft list ruleset``` executed successfully. However, my assumption was that iptables and firewalld act solely as frontend tools for interacting with nftables. I had believed that iptables or similar tools could retrieve data from nftables and present it in a user-friendly format, regardless of the tool that created the data. – UME Jun 27 '23 at 17:39