[Podman] Re: Networking / CNI and firewalld (iptables)

On 26. May 2020, at 23:28, Gordon Messmer <gordon.messmer(a)gmail.com&gt; wrote: On 5/26/20 2:15 PM, Felder, Christian wrote: > >>> Sorry. You’re right and I mixed things up. Indeed there is a new rule in PREROUTING and this is the rule which bypasses the INPUT chain. >>> I cannot explicitly configure ports on the INPUT chain as the packets are forwarded to the CNI-HOSTPORT-DNAT target directly. > > $ iptables -L -nv > Chain FORWARD (policy ACCEPT 9 packets, 488 bytes) > pkts bytes target prot opt in out source destination > 0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED > 0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0 > 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0 > 0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable > 0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Your FORWARD rules only govern traffic that crosses the "virbr0" interface specifically, so anything that doesn't uses the default "ACCEPT" policy. Set your policy to DENY, or add a REJECT rule that matches all packets at the end of that chain.

_______________________________________________ Podman mailing list -- podman(a)lists.podman.io To unsubscribe send an email to podman-leave(a)lists.podman.io