
I've just installed Fedora 19 and I'm using firewalld instead of iptables, but I'm having difficulty interpreting the new terminology.

I have 2 NICs. One is specified ZONE="internal" and the other "external" in the ifcfg-* files. I have set ipv4.forwarding = 1 in /etc/sysctl.conf, and run firewall-cmd --zone=external --add-masquerade

However, when I attempt to route from any machine on the internal network I'm getting Destination Host Prohibited and of course if I disable firewalld the error goes away but then I lose masquerading.

In iptables there was a ruleset called FORWARD, but in firewalld I can only find --add-port-forward which isn't the same thing.

How do I allow routing in firewalld ?

... I made some progress ...

# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens4 -o eth1 -j ACCEPT

Will allow routing, but it's not persistent, and doesn't allow the --permanent option. How do I make this persistent across reboots?

  • The current version of firewall-cmd should allow you to make this a --permanent rule. Commented Jul 5, 2014 at 20:39

2 Answers


Finally, I found the answer ...

# cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
   <rule ipv="ipv4" table="filter" chain="FORWARD_direct" priority="0"> -i eth0 -o eth1 -j ACCEPT </rule>
</direct>

This feature appeared in firewalld-0.3.4-1.fc19 but there is no firewall-cmd support yet, and the man page was omitted, but it WORKS.

Eventually found it in the following mailing list http://www.spinics.net/linux/fedora/fedora-security/msg01688.html

  • chain="FORWARD" should be enough. As this rule is defined in direct.xml it will be transpiled as FORWARD_input
    – rhgb
    Commented Dec 29, 2015 at 1:52
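The question's direct rule and the first answer's direct.xml are two ways of putting the same ACCEPT into firewalld's FORWARD_direct chain. The following script is an added example, not code from the question or either answer, that ties the whole procedure together persistently: kernel forwarding, zone assignment, masquerade on the external zone and the inter-zone forward rule, written either through firewall-cmd --permanent (newer firewalld, as the July 2014 comment notes) or by generating /etc/firewalld/direct.xml (the older route from the first answer). Interface names ens4 (internal) and eth1 (external) are taken from the question and are assumptions; the sysctl key that actually enables forwarding is net.ipv4.ip_forward. The return-path rule restricted to ESTABLISHED,RELATED is added here so the reverse direction is never opened to unsolicited traffic.

```shell
#!/bin/sh
# Added example: persistent inter-zone routing with firewalld.
# Assumptions: ens4 = internal NIC, eth1 = external NIC (as in the question),
# root privileges, firewalld installed. Nothing runs unless invoked explicitly.

INT_IF="${INT_IF:-ens4}"
EXT_IF="${EXT_IF:-eth1}"

# Render a direct.xml that forwards internal -> external and only lets
# established/related replies back. chain="FORWARD" is the documented form;
# firewalld itself hooks direct rules into its FORWARD_direct chain.
render_direct_xml() {
    in_if="$1"
    out_if="$2"
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-i ${in_if} -o ${out_if} -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-i ${out_if} -o ${in_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</rule>
</direct>
EOF
}

# Older firewalld (no --permanent for --direct): write the file the first
# answer describes. Destination defaults to /etc/firewalld/direct.xml.
install_direct_xml() {
    dest="${1:-/etc/firewalld/direct.xml}"
    render_direct_xml "$INT_IF" "$EXT_IF" > "$dest"
    # Sanity-check well-formedness before firewalld reads it, if xmllint exists.
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$dest" || return 1
    fi
    return 0
}

# Kernel side: forwarding must be on now and after reboot. The key is
# net.ipv4.ip_forward, not "ipv4.forwarding".
enable_ip_forward() {
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-ip-forward.conf
}

# Newer firewalld: everything through firewall-cmd --permanent, then reload.
apply_with_firewall_cmd() {
    firewall-cmd --permanent --zone=internal --change-interface="$INT_IF"
    firewall-cmd --permanent --zone=external --change-interface="$EXT_IF"
    firewall-cmd --permanent --zone=external --add-masquerade
    firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
    firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -i "$EXT_IF" -o "$INT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    firewall-cmd --reload
}

# What to check afterwards: masquerade on, direct rules present, forwarding on.
verify() {
    firewall-cmd --zone=external --query-masquerade
    firewall-cmd --direct --get-all-rules
    sysctl net.ipv4.ip_forward
}

# Only act when asked, so sourcing the file is side-effect free.
case "${1:-}" in
    cli)  enable_ip_forward && apply_with_firewall_cmd && verify ;;
    xml)  enable_ip_forward && install_direct_xml && firewall-cmd --reload && verify ;;
    show) render_direct_xml "$INT_IF" "$EXT_IF" ;;
esac
```

Run `sh forward.sh cli` as root on a firewalld that accepts --permanent with --direct, or `sh forward.sh xml` on an older one; `sh forward.sh show` prints the XML without touching the system. After either path, traffic from the internal zone should no longer get "Destination Host Prohibited", and the reverse direction only admits replies tracked by conntrack.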

As of Fedora25, this can be solved using the Firewalld Rich Rules. Firewalld Rich Rules are similar to iptables DSL, but promise much more flexibility.

They also follow chaining similar to iptables. More details can be found here: https://fedoraproject.org/wiki/Features/FirewalldRichLanguage#firewalld_Rich_Language
