This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

WeaveDNS is blocked by firewall RHEL7 #2192

Closed
joserivca opened this issue Apr 19, 2016 · 12 comments
Comments

@joserivca

joserivca commented Apr 19, 2016

I have 2 servers with containers using weave; that works fine when my firewall is inactive,
but when it is up, I can't ping between containers.
I made these iptables rules, because weaveDNS is using this port?
iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT

and when I look at the logs (docker logs weave):

INFO: 2016/04/19 21:39:57.672953 Discovered local MAC de:ad:a7:e9:8e:a5
INFO: 2016/04/19 22:05:01.421956 Discovered local MAC 46:72:a1:94:e6:9c
INFO: 2016/04/19 22:12:26.922323 Discovered remote MAC d6:fa:3d:05:84:79 at e6:54:37:ee:1a:c5(pmbrklnxd02)
INFO: 2016/04/19 22:12:29.892178 Discovered remote MAC 2a:1a:ed:dd:7a:55 at e6:54:37:ee:1a:c5(pmbrklnxd02)
INFO: 2016/04/19 22:27:23.565026 Discovered local MAC c2:5b:bd:34:1f:49
INFO: 2016/04/19 22:37:37.726727 Expired MAC c2:5b:bd:34:1f:49 at 92:e8:bb:13:32:78(pmbrklnxd01)
INFO: 2016/04/19 22:45:54.261759 overlay_switch ->[e6:54:37:ee:1a:c5(pmbrklnxd02)] fastdp timed out waiting for vxlan heartbeat
INFO: 2016/04/19 22:45:54.262785 overlay_switch ->[e6:54:37:ee:1a:c5(pmbrklnxd02)] using sleeve
INFO: 2016/04/19 22:57:37.729507 Expired MAC 22:78:00:53:1d:cd at e6:54:37:ee:1a:c5(pmbrklnxd02)
INFO: 2016/04/19 22:57:37.729555 Expired MAC 3a:c9:e8:af:5e:8c at e6:54:37:ee:1a:c5(pmbrklnxd02)
INFO: 2016/04/19 22:57:37.729592 Expired MAC de:ad:a7:e9:8e:a5 at 92:e8:bb:13:32:78(pmbrklnxd01)
INFO: 2016/04/19 22:57:37.729607 Expired MAC 46:72:a1:94:e6:9c at 92:e8:bb:13:32:78(pmbrklnxd01)
INFO: 2016/04/19 22:57:37.729620 Expired MAC 32:fb:60:85:30:2a at e6:54:37:ee:1a:c5(pmbrklnxd02)
INFO: 2016/04/19 22:57:37.729633 Expired MAC c2:b3:8d:05:02:77 at e6:54:37:ee:1a:c5(pmbrklnxd02)
INFO: 2016/04/19 22:57:37.729646 Expired MAC 82:37:db:af:f4:4b at e6:54:37:ee:1a:c5(pmbrklnxd02)
INFO: 2016/04/19 22:57:37.729660 Expired MAC 12:3d:51:1c:5d:ac at e6:54:37:ee:1a:c5(pmbrklnxd02)
INFO: 2016/04/19 22:57:37.729688 Expired MAC 7e:62:2f:21:0f:26 at e6:54:37:ee:1a:c5(pmbrklnxd02)
INFO: 2016/04/19 23:00:37.730147 Expired MAC 2a:1a:ed:dd:7a:55 at e6:54:37:ee:1a:c5(pmbrklnxd02)
INFO: 2016/04/19 23:00:37.730985 Expired MAC d6:fa:3d:05:84:79 at e6:54:37:ee:1a:c5(pmbrklnxd02)

What is happening?
Thanks

Version: 1.4.6

   Service: router
  Protocol: weave 1..2
      Name: 92:e8:bb:13:32:78(pmbrklnxd01)
Encryption: disabled

PeerDiscovery: enabled
Targets: 0
Connections: 1 (1 established)
Peers: 2 (with 2 established connections)
TrustedSubnets: none

   Service: ipam
    Status: ready
     Range: 10.32.0.0-10.47.255.255

DefaultSubnet: 10.32.0.0/12

   Service: dns
    Domain: weave.local.
  Upstream: 130.1.40.10, 131.1.20.41
       TTL: 1
   Entries: 32

   Service: proxy
   Address: unix:///var/run/weave/weave.sock
@bboreham
Contributor

What is the firewall blocking?

At https://www.weave.works/documentation/net-1-5-0-using-weave/#peer-connections we note which ports must be opened on firewalls for Weave Net to function.

@bboreham
Contributor

Although the docs seem to be wrong (!). The correct info is:

you must permit traffic to flow through TCP 6783 and UDP 6783/6784, which are Weave’s control and data ports

@joserivca
Author

bboreham,
this message is appearing:

WARNING: existing iptables rule

'-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

will block name resolution via weaveDNS - please reconfigure your firewall.

I'm using RHEL 7.3 and the latest version of weave.
I opened the ports in the firewall:

firewall-cmd --zone=public --add-port=53/tcp --permanent
firewall-cmd --zone=public --add-port=6783/tcp --permanent
firewall-cmd --zone=public --add-port=6784/tcp --permanent
firewall-cmd --zone=public --add-port=6783/udp --permanent
firewall-cmd --zone=public --add-port=6784/udp --permanent
firewall-cmd --zone=public --add-port=53/tcp --permanent

sudo iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 6783 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 6783 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 6784 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 6784 -j ACCEPT

I'm not using iptables.service because it's not installed, just firewalld.
What can I do?

Regards

@bboreham
Contributor

We use "iptables" as a generic name for the kernel capability; firewalld is implemented using those rules.

It's difficult to figure out from that info what the setting should be; can you do sudo iptables-save and post the output?

@joserivca
Author

It shows this:
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens32 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o ens32 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i ens32 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6784 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6783 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 6784 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 6783 -m conntrack --ctstate NEW -j ACCEPT
COMMIT

Completed on Wed Apr 20 14:12:53 2016

[root@pmbrklnxd02 S56490]# ^C
[root@pmbrklnxd02 S56490]# whereis iptables-save
iptables-save: /usr/sbin/iptables-save /usr/share/man/man8/iptables-save.8.gz
[root@pmbrklnxd02 S56490]# clear
[root@pmbrklnxd02 S56490]# iptables-save

Generated by iptables-save v1.4.21 on Wed Apr 20 14:14:45 2016

*nat
:PREROUTING ACCEPT [32045:2343311]
:INPUT ACCEPT [3:140]
:OUTPUT ACCEPT [28:1954]
:POSTROUTING ACCEPT [28:1954]
:DOCKER - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j OUTPUT_direct
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens32 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i ens32 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT

Completed on Wed Apr 20 14:14:45 2016

Generated by iptables-save v1.4.21 on Wed Apr 20 14:14:45 2016

*mangle
:PREROUTING ACCEPT [47485:3706889]
:INPUT ACCEPT [45707:3536882]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40662:4583968]
:POSTROUTING ACCEPT [40662:4583968]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i ens32 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT

Completed on Wed Apr 20 14:14:45 2016

Generated by iptables-save v1.4.21 on Wed Apr 20 14:14:45 2016

*security
:INPUT ACCEPT [15443:1363718]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40668:4584570]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT

Completed on Wed Apr 20 14:14:45 2016

Generated by iptables-save v1.4.21 on Wed Apr 20 14:14:45 2016

*raw
:PREROUTING ACCEPT [47492:3707397]
:OUTPUT ACCEPT [40668:4584570]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT

Completed on Wed Apr 20 14:14:45 2016

Generated by iptables-save v1.4.21 on Wed Apr 20 14:14:45 2016

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40662:4583968]
:DOCKER - [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens32 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o ens32 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i ens32 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6784 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6783 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 6784 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 6783 -m conntrack --ctstate NEW -j ACCEPT
COMMIT

Completed on Wed Apr 20 14:14:45 2016

@bboreham
Contributor

Thanks for the detailed dump.

I can see only one rule there mentioning port 53 - the DNS port - and it is:

-A IN_public_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

This is for TCP; you need to allow UDP too.

As for the

WARNING: existing iptables rule

I am still considering that.
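As an added check (an example script written for this page, not code from the thread or the Weave project), the following audits an iptables-save dump for the ACCEPT rules listed earlier in the thread (TCP 6783, UDP 6783/6784, and TCP/UDP 53 for weaveDNS) and flags the catch-all FORWARD REJECT that the weaveDNS warning quotes. The dump it inspects is a constructed sample modelled on the filter table posted above; the function names are my own.

```shell
#!/bin/sh
# Added example, not Weave project code: audit an iptables-save dump for the
# ACCEPT rules Weave Net needs and for the catch-all FORWARD REJECT that Weave
# warns will block name resolution via weaveDNS.

# Constructed sample modelled on the filter table posted in the issue: the
# UDP 53 accept is missing and FORWARD ends in an unconditional REJECT.
SAMPLE_DUMP='*filter
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A IN_public_allow -p tcp -m tcp --dport 6784 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 6783 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 6784 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 6783 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# has_accept PROTO PORT DUMP: succeeds if some ACCEPT rule admits PROTO/PORT.
has_accept() {
    printf '%s\n' "$3" | grep -Eq "^-A .* -p $1 .*--dport $2( |$).* -j ACCEPT"
}

# missing_ports DUMP: prints proto/port for each required rule not found.
# Ports from the thread: TCP 6783, UDP 6783/6784 (control/data), TCP/UDP 53 (DNS).
missing_ports() {
    for want in tcp/6783 udp/6783 udp/6784 tcp/53 udp/53; do
        has_accept "${want%/*}" "${want#*/}" "$1" || printf '%s\n' "$want"
    done
}

# forward_rejects_all DUMP: succeeds if FORWARD has a REJECT with no match
# options, i.e. the rule the weaveDNS warning quotes.
forward_rejects_all() {
    printf '%s\n' "$1" | grep -Eq '^-A FORWARD -j REJECT'
}

missing=$(missing_ports "$SAMPLE_DUMP")
if [ -n "$missing" ]; then
    echo "missing ACCEPT rules for: $(printf '%s' "$missing" | tr '\n' ' ')"
fi
if forward_rejects_all "$SAMPLE_DUMP"; then
    echo 'FORWARD ends in a catch-all REJECT: container-to-weaveDNS traffic will be rejected'
fi
```

On a real host, replace SAMPLE_DUMP with the output of sudo iptables-save; a targeted ACCEPT inserted ahead of the REJECT keeps the default-deny posture, whereas deleting the REJECT rule removes it.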

@bboreham
Contributor

I see you posted a later dump at #1266 (comment) that has the UDP rule.

@bboreham
Contributor

New theory, thanks to @rade, is that you need to use docker0 as the device, not docker.

@joserivca
Author

How can I configure that? For using docker0?

@bboreham
Contributor

From the other thread, you would have run:

sudo firewall-cmd --zone=internal --add-interface=docker --permanent

this should have been:

sudo firewall-cmd --zone=internal --add-interface=docker0 --permanent

(I cannot see any firewall-cmd option to remove an interface)

@joserivca
Author

OK, really thanks for the help, but my solution was to put this in iptables:
/sbin/iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
/sbin/iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables-save

@owlab-exp

owlab-exp commented Dec 27, 2016

Try this,

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 53 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 53 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -p tcp --dport 53 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -p udp --dport 53 -j ACCEPT
