4

I cannot find docs on how to enable multicast for firewalld, which is the default firewall in RHEL / CentOS 7. Can someone enlighten me? FYI: I know how to do it using iptables.

Neon

5 Answers

5

At first I tried this command:

firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 1 -d 224.0.0.18 -j ACCEPT

but it seems that CentOS7 cannot reload direct rules after reboot.

[root@test01-galera02 firewalld]# firewall-cmd --direct --get-all-rules
[root@test01-galera02 firewalld]# firewall-cmd --direct --get-all-rules --permanent
ipv4 filter IN_public_allow 1 -d 224.0.0.18 -j ACCEPT
[root@test01-galera02 firewalld]# 
[root@test01-galera02 firewalld]# cat direct.xml 
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="1" table="filter" ipv="ipv4" chain="IN_public_allow">-d 224.0.0.18 -j ACCEPT</rule>
</direct>
[root@test01-galera02 firewalld]# pwd
/etc/firewalld
[root@test01-galera02 firewalld]#

Second, I successfully used this command. firewalld runs fine now on my galera cluster with keepalived on it.

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="224.0.0.18" protocol value="ip" accept' --permanent
firewall-cmd --reload

Sathyajith Bhat
StefanKaerst
  • +1, but I had to change `protocol value` from `ip` to `2`. Otherwise I was getting `ERROR: INVALID_PROTOCOL: ip`, because `/etc/protocol` has no such name. I used the `2` because the REJECT logs stated `PROTO=2`. – Hi-Angel Sep 14 '19 at 00:08
  • Ah, btw: I did not use anything but the last command `firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="224.0.0.18" protocol value="ip" accept' --permanent`. I did not even do the `--reload`. I guess modern versions of firewalld handle that themselves. `0.7.1` version is here *(note also, nowadays it's not using iptables by default)*. – Hi-Angel Sep 14 '19 at 00:18
1

IPv6

firewall-cmd --permanent --direct --add-rule ipv6 filter PREROUTING 0 -t raw -m rpfilter --invert -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -d ff00::/8 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -d ff00::/8 -j ACCEPT

IPv4

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m udp -p udp -m pkttype --pkt-type multicast -j ACCEPT

g2mk
ccociug
1

Variant for IPv4 multicast and Firewalld using rich-rules:

  • Define rules:
    ALLOW_MULTICAST_RICH_RULE="
      rule family=ipv4
      destination address=224.0.0.0/4
      protocol value=udp
      accept"
    ALLOW_IGMP_RICH_RULE="
      rule family=ipv4
      protocol value=igmp
      accept"

  • Apply the rules at runtime:
    firewall-cmd --add-rich-rule="$ALLOW_MULTICAST_RICH_RULE"
    firewall-cmd --add-rich-rule="$ALLOW_IGMP_RICH_RULE"

  • Add rules permanently (i.e. they will apply after reboot):
    firewall-cmd --permanent --add-rich-rule="$ALLOW_MULTICAST_RICH_RULE"
    firewall-cmd --permanent --add-rich-rule="$ALLOW_IGMP_RICH_RULE"

In addition to CentOS 7, this also works in RHEL/CentOS/Rocky/AlmaLinux 8, in which direct rules are not supported by default:

Note that firewalld with nftables backend does not support passing custom nftables rules to firewalld, using the --direct option.

SergA
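Direct rules are the form that caused trouble in the first answer (present only in the permanent config after a reboot) and, as the note above says, are unsupported with the nftables backend, so the rich-rule form is the portable one. The following helper is an added example, not code from any of the answers: it reads the direct.xml subset used on this page (inbound IPv4 filter-table ACCEPT rules with -d and an optional -p) and emits the equivalent rich rules. It assumes a constructed sample direct.xml, the public zone, and the standard IANA numbers for VRRP (112) and IGMP (2); OUTPUT rules and non-ACCEPT targets are skipped rather than guessed at.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample in the direct.xml format shown in the answers above
# (the VRRP group 224.0.0.18, general multicast, and one OUTPUT rule).
SAMPLE_DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="1" table="filter" ipv="ipv4" chain="IN_public_allow">-d 224.0.0.18 -j ACCEPT</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-d 224.0.0.0/4 -p udp -j ACCEPT</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="OUTPUT">-o ens33 -d 224.0.0.18 -p vrrp -j ACCEPT</rule>
</direct>
"""

# Rich rules take protocol names from /etc/protocols or IANA numbers; "ip" is
# neither (the INVALID_PROTOCOL error in the comments), so numbers are safest.
PROTO_NUMBERS = {"vrrp": 112, "igmp": 2}  # assumed standard IANA assignments


def parse_args(args_text):
    """Return (destination, protocol, target) from an iptables-style argument string."""
    tokens = shlex.split(args_text)
    dest = proto = target = None
    for i, tok in enumerate(tokens[:-1]):  # every flag we care about takes a value
        if tok in ("-d", "--destination"):
            dest = tokens[i + 1]
        elif tok in ("-p", "--protocol"):
            proto = tokens[i + 1]
        elif tok in ("-j", "--jump"):
            target = tokens[i + 1]
    return dest, proto, target


def direct_to_rich(xml_text):
    """Translate inbound IPv4 filter ACCEPT direct rules to rich rules; skip the rest."""
    rich = []
    for rule in ET.fromstring(xml_text.encode()).iter("rule"):
        dest, proto, target = parse_args(rule.text or "")
        inbound = rule.get("chain", "").startswith(("IN_", "INPUT"))
        if (rule.get("ipv"), rule.get("table")) != ("ipv4", "filter"):
            continue
        if not inbound or target != "ACCEPT" or dest is None:
            continue  # OUTPUT rules and non-ACCEPT targets have no zone rich-rule form
        parts = [f'rule family="ipv4" destination address="{dest}"']
        if proto:  # no -p gives a destination-only rule; add a protocol if firewalld rejects it
            parts.append(f'protocol value="{PROTO_NUMBERS.get(proto, proto)}"')
        parts.append("accept")
        rich.append(" ".join(parts))
    return rich
```

Each returned string is what you pass to `firewall-cmd --permanent --zone=public --add-rich-rule='...'`, followed by `firewall-cmd --reload`.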
0

You open this file: /etc/firewalld/direct.xml.
Write:

<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule priority="0" table="filter" ipv="ipv4" chain="OUTPUT">--out-interface [ens33] --destination 224.0.0.18 --protocol vrrp -j ACCEPT</rule>
<rule priority="1" table="filter" ipv="ipv4" chain="IN_public_allow">-d 224.0.0.18 -j ACCEPT</rule>
</direct>

Replace [ens33] with your server's port.
Then: firewall-cmd --reload.

Glorfindel
0

You open the file /etc/firewalld/direct.xml and write:

<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule priority="1" table="filter" ipv="ipv4" chain="IN_public_allow">-d 224.0.0.18 -j ACCEPT</rule>
</direct>

Replace ens33 with your server's port, then: firewall-cmd --reload