
I have the following setup:

- CentOS box, with KVM installed (libvirt), as gateway/VM host. Interface eno2 as uplink.

- Public routed network configured on interface virbr1 (virbr1 mode routed, forward to all physical ports), and physical interface eno4 bridge-enslaved to virbr1, to use for the local network, local server and VM guests.

- On interface eno4 I have a Catalyst switch, to which the local network and local server are connected.

xx.xx.xxx.128/27 - network

xx.xx.xxx.129 - assigned to virbr1, gateway for the whole network

xx.xx.xxx.130 - localserver

xx.xx.xxx.157 - guest VM

xx.xx.xxx.158 - Catalyst

My problem is that I need the local network to access the local server, but no one else should. I tried adding direct rules in firewalld, like this:

[root@master ~]# firewall-cmd --direct --get-all-rules

ipv4 filter INPUT 0 -s xx.xx.xxx.128/27 -d xx.xx.xxx.130/32 -j ACCEPT

ipv4 filter INPUT 1 -d xx.xx.xxx.130/32 -j DROP

ipv4 filter FORWARD 0 -s xx.xx.xxx.128/27 -d xx.xx.xxx.130/32 -j ACCEPT

ipv4 filter FORWARD 1 -d xx.xx.xxx.130/32 -j DROP

A ping from my home workstation to xx.xx.xxx.130 still works with the above rules. I even tried adding the same rules via iptables, but still no joy.

The same rules worked just fine in the previous setup (iptables): a Debian box with two interfaces, one connected to the internet, one to the Catalyst.

What am I missing? Is this a wrong way to achieve my goal? I am fairly new to firewalld, I've used iptables up until now.

Stuggi
Andrei
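Netfilter evaluates a chain in order and stops at the first terminating target, so a DROP that sits behind an earlier ACCEPT is never reached. The script below is an added diagnostic (not part of the question or of firewalld/libvirt) that walks an `iptables -S` style listing for one packet and reports the rule that terminates it; the listing, the addresses (documentation range 203.0.113.0/24 in place of the masked ones) and the rule order are all constructed for illustration.

```python
import ipaddress
import shlex

# Constructed listing, NOT the asker's real ruleset: a hypothetical ACCEPT placed
# ahead of the jump into firewalld's FORWARD_direct chain, where the direct rules live.
CONSTRUCTED_RULES = """
-A FORWARD -d 203.0.113.128/27 -o virbr1 -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD_direct -s 203.0.113.128/27 -d 203.0.113.130/32 -j ACCEPT
-A FORWARD_direct -d 203.0.113.130/32 -j DROP
"""

def parse_rules(listing):
    """Parse `iptables -S` lines into {chain: [rule, ...]}, preserving order.
    Only simple flag/value pairs (-s, -d, -i, -o, -j) are understood; '!' and
    -m match extensions are outside the scope of this illustration."""
    chains = {}
    for line in listing.strip().splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":
            continue
        rule = {"chain": tok[1]}
        for flag, val in zip(tok[2::2], tok[3::2]):
            rule[flag] = val
        chains.setdefault(rule["chain"], []).append(rule)
    return chains

def matches(rule, pkt):
    """True if the packet satisfies every selector present on the rule."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if "-s" in rule and src not in ipaddress.ip_network(rule["-s"]): return False
    if "-d" in rule and dst not in ipaddress.ip_network(rule["-d"]): return False
    if "-i" in rule and rule["-i"] != pkt.get("in"): return False
    if "-o" in rule and rule["-o"] != pkt.get("out"): return False
    return True

def walk(chains, chain, pkt):
    """Return (chain, rule_number, verdict) of the first terminating rule hit,
    following jumps into user chains; None means the chain fell through to policy."""
    for idx, rule in enumerate(chains.get(chain, []), start=1):
        if not matches(rule, pkt) or "-j" not in rule: continue
        target = rule["-j"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return (chain, idx, target)
        if target == "RETURN":
            return None
        verdict = walk(chains, target, pkt)      # user-defined chain
        if verdict: return verdict
    return None

if __name__ == "__main__":
    outsider = {"src": "198.51.100.7", "dst": "203.0.113.130", "in": "eno2", "out": "virbr1"}
    print(walk(parse_rules(CONSTRUCTED_RULES), "FORWARD", outsider))
```

Running `iptables -S FORWARD` (and the chains it jumps to) on the host and feeding the output to `walk` shows which rule really decides the fate of a packet from outside to the server.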

0 Answers