Reputation: 73
Issue with firewalld blocking traffic between two servers (Fedora) - K8s and Cilium
I'm struggling with firewalld on Fedora and could use some help troubleshooting an issue.
Scenario: I have two servers:
compute-07 (IP: 10.20.0.16 on eno2) compute-08 (IP: 10.20.0.17 on eno2) There’s a pod running on compute-07 with IP 10.0.1.233 that needs to communicate with a service on compute-08 on port 30935 over eno2.
Issue: When firewalld is disabled, everything works fine.
When firewalld is enabled, the traffic is blocked, I am using K8s with Cilium as CNI.
Logs (dmesg) show the packet being REJECTED:
Feb 21 09:46:22 compute-07 kernel: filter_FWD_public_REJECT: IN=lxc253080dad5a0 OUT=eno2 MAC=c2:9f:bd:15:ff:66:76:29:d6:9d:d5:6c:08:00
SRC=10.0.1.233 DST=10.20.0.17 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=13728 DF PROTO=TCP SPT=40793 DPT=30935 WINDOW=64860 RES=0x00 SYN URGP=0 MARK=0x21b10f00
I cannot reach compute-08 from compute-07 on port 30935:
nc -zv 10.20.0.17 30935
Ncat: TIMEOUT.
However, compute-08 can successfully connect to compute-07 on the same port:
nc -zv 10.20.0.16 30935
Ncat: Connected to 10.20.0.16:30935.
Firewalld configuration on compute-08:
Active Zones:
⋊> root@compute-08 ⋊> ~ firewall-cmd --get-active-zones
internal
interfaces: eno2
public (default)
interfaces: eno1
trusted
interfaces: lo
Allowed Ports in Internal Zone:
firewall-cmd --zone=internal --list-ports
22/tcp 53/tcp 443/tcp 2376/tcp 2379-2380/tcp 3022/tcp 4240/tcp 4244/tcp 4245/tcp 4250/tcp 4251/tcp 6060/tcp 6061/tcp 6062/tcp 6443/tcp 9099/tcp 9100/tcp 9345/tcp 9796/tcp 9878/tcp 9879/tcp 9890/tcp 9891/tcp 9893/tcp 9901/tcp 9962/tcp 9963/tcp 9964/tcp 10050/tcp 10250/tcp 10254/tcp 30000-32767/tcp 53/udp 6081/udp 8472/udp 30000-32767/udp 51871/udp
Firewalld configuration on compute-07:
Active Zones:
firewall-cmd --get-active-zones
internal
interfaces: eno2
public (default)
interfaces: eno1
trusted
interfaces: lo
Allowed Ports in Internal Zone:
firewall-cmd --zone=internal --list-ports
22/tcp 53/tcp 443/tcp 2376/tcp 2379-2380/tcp 3022/tcp 4240/tcp 4244/tcp 4245/tcp 4250/tcp 4251/tcp 6060/tcp 6061/tcp 6062/tcp
6443/tcp 9099/tcp 9100/tcp 9345/tcp 9796/tcp 9878/tcp 9879/tcp 9890/tcp 9891/tcp 9893/tcp 9901/tcp 9962/tcp 9963/tcp 9964/tcp
10050/tcp 10250/tcp 10254/tcp 30000-32767/tcp 53/udp 6081/udp 8472/udp 30000-32767/udp 51871/udp
What I’ve Tried:
- Checked both servers' firewall configurations – port ranges seem open.
- Verified that firewalld is the issue by disabling it (everything works when it's off).
- Confirmed that compute-08 can connect to compute-07, but not vice versa.
Upvotes: 0
Views: 66
Answers (0)
Related Questions
- Unable to forward traffic to (rootless) podman container with firewalld
- How to make Docker container see real user IP?
- ingress and egress traffic between pods in different namespaces
- Fedora 35 firewalld add port and service problem
- Firewalld And Container Published Ports
- detecting installer iptables and firewalld with if conditions / bash