systemctl status firewalld.service
Enable Forwarding When Using firewalld
firewalld
is an iptables controller that defines rules for persistent network traffic.
If you are using firewalld
with a Red Hat Enterprise Linux (RHEL) 7.x operating system, you must enable forwarding on the docker0 device.
You must also forward any packets being sent from or to the 10.0.0.0/8 subnet.
To Determine if You Are Using firewalld
To determine if your system is using firewalld, run the following command:
If firewalld is installed, this command returns the following:
$ sudo systemctl status firewalld.service * firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: inactive (dead) Docs: man:firewalld(1)
If `firewalld is not installed, this command returns an error message.
Enable Forwarding
To enable forwarding on the docker0 device, run the following commands:
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -o docker0 -j ACCEPT -m comment --comment "docker subnet" firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -s 10.0.0.0/8 -j ACCEPT -m comment --comment "docker subnet"
To enable forwarding on the 10.0.0.0/8 subnet, run the following commands:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -s 10.0.0.0/8 -j ACCEPT -m comment --comment "docker subnet" firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -d 10.0.0.0/8 -j ACCEPT -m comment --comment "docker subnet"
Verify Forwarding
To verify that forwarding rules are in place, run the following command:
firewall-cmd --permanent --direct --get-all-rules
The output should look like the following example:
ipv4 filter FORWARD 1 -o docker0 -j ACCEPT -m comment --comment 'docker subnet' ipv4 filter FORWARD 1 -s 10.0.0.0/8 -j ACCEPT -m comment --comment 'docker subnet' ipv4 filter INPUT 1 -s 10.0.0.0/8 -j ACCEPT -m comment --comment 'docker subnet' ipv4 filter INPUT 1 -d 10.0.0.0/8 -j ACCEPT -m comment --comment 'docker subnet'
These rules are node level. This means you must run and verify them on every node, both controller and worker nodes, for Runtime Fabric to work correctly when firewalld is active. |