How do I enable/set multicast rules using firewalld in RHEL7 / CentOS 7
14,419
Solution 1
At first I tried this command:
firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 1 -d 224.0.0.18 -j ACCEPT
but it seems that CentOS7 cannot reload direct rules after reboot.
[root@test01-galera02 firewalld]# firewall-cmd --direct --get-all-rules
[root@test01-galera02 firewalld]# firewall-cmd --direct --get-all-rules --permanent
ipv4 filter IN_public_allow 1 -d 224.0.0.18 -j ACCEPT
[root@test01-galera02 firewalld]#
[root@test01-galera02 firewalld]# cat direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule priority="1" table="filter" ipv="ipv4" chain="IN_public_allow">-d 224.0.0.18 -j ACCEPT</rule>
</direct>
[root@test01-galera02 firewalld]# pwd
/etc/firewalld
[root@test01-galera02 firewalld]#
Second, I successfully used this command. firewalld runs fine now on my galera cluster with keepalived on it.
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="224.0.0.18" protocol value="ip" accept' --permanent
firewall-cmd --reload
Solution 2
IPv6
firewall-cmd --permanent --direct --add-rule ipv6 filter PREROUTING 0 -t raw -m rpfilter --invert -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -d ff00::/8 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -d ff00::/8 -j ACCEPT
IPv4
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m udp -p udp -m pkttype --pkt-type multicast -j ACCEPT
Related videos on Youtube
Author by
Neon
Software Architect and Full Stack Developer. Java, C++, C, JavaScript, shell scripts, Python, SQL, etc. OS: Linux, CentOS/RedHat, Ubuntu, Windows, Solaris Database: Postgres, MariaDB/MySQL, Oracle, Sybase
Updated on September 18, 2022Comments
-
Neon over 1 year
I cannot find docs on how to enable multicast for firewalld which is the default firewall in RHEL / CentOS 7. Can some enlighten me? FYI: I know how to do it using iptables.
-
U. Windl over 2 years
-
-
Hi-Angel over 4 years+1, but I had to change
protocol value
fromip
to2
. Otherwise I was gettingERROR: INVALID_PROTOCOL: ip
, because/etc/protocol
has no such name. I used the2
because the REJECT logs statedPROTO=2
. -
Hi-Angel over 4 yearsAh, btw: I did not use anything but the last command
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="224.0.0.18" protocol value="ip" accept' --permanent
. I did not even do the--reload
. I guess modern versions of firewalld handle that themselves.0.7.1
version is here (note also, nowadays it's not using iptables by default).