Contact Us 1-800-596-4880

Enabling Forwarding When Using firewalld

firewalld is an iptables controller that defines rules for persistent network traffic. If you are using firewalld with a Red Hat Enterprise Linux (RHEL) 7.x operating system, you must enable forwarding on the docker0 device. You must also forward any packets being sent from or to the 10.0.0.0/8 subnet.

To Determine if You Are Using firewalld

To determine if your system is using firewalld, run the following command:

systemctl status firewalld.service

If firewalld is installed, this command returns the following:

$ sudo systemctl status firewalld.service
* firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)

If `firewalld is not installed, this command returns an error message.

Enable Forwarding

To enable forwarding on the docker0 device, run the following commands:

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -o docker0 -j ACCEPT -m comment --comment "docker subnet"

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -s 10.0.0.0/8 -j ACCEPT -m comment --comment "docker subnet"

To enable forwarding on the 10.0.0.0/8 subnet, run the following commands:

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -s 10.0.0.0/8 -j ACCEPT -m comment --comment "docker subnet"

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -d 10.0.0.0/8 -j ACCEPT -m comment --comment "docker subnet"

Verify Forwarding

To verify that forwarding rules are in place, run the following command:

firewall-cmd --permanent --direct --get-all-rules

The output should look like the following example:

ipv4 filter FORWARD 1 -o docker0 -j ACCEPT -m comment --comment 'docker subnet'
ipv4 filter FORWARD 1 -s 10.0.0.0/8 -j ACCEPT -m comment --comment 'docker subnet'
ipv4 filter INPUT 1 -s 10.0.0.0/8 -j ACCEPT -m comment --comment 'docker subnet'
ipv4 filter INPUT 1 -d 10.0.0.0/8 -j ACCEPT -m comment --comment 'docker subnet'
These rules are node level. This means you must run and verify them on every node, both controller and worker nodes, for Runtime Fabric to work correctly when firewalld is active.