Set up bridge networking with firewalld

This setup is unnecessarily complicated. The correct way to fix networking with firewalld is to add all the virtual interfaces (virtual networks) to the trusted zone, as explained in this doc page. I had tried this before, but it didn’t work for me, maybe because I had installed Docker as well and failed to realize that Docker sets the FORWARD policy to DROP.

So, here are the steps that need to be done.

1. Add the bridge interface to the trusted zone

Any interface that is not explicitly added to a zone is handled by the default zone, which is normally public. This zone is meant for interfaces facing the public internet, so it is restrictive: for example, the DHCP requests that containers send to the bridge are blocked, so the containers never get an IP.

To fix this, we can add the bridge interface to the trusted zone, where everything is allowed. Keep in mind what that means: containers on that bridge can reach any service listening on the host, not just DHCP and DNS.

firewall-cmd --permanent --zone=trusted \
             --add-interface=lxdbr0
firewall-cmd --reload

firewall-cmd --zone=trusted --list-all

2. Fix the FORWARD chain

If containers still cannot reach the outside (for example, ping fails), the usual cause is that forwarding is blocked. Run iptables-save | head; a line like :FORWARD DROP [4:2508] means that the policy of the FORWARD chain is DROP. Docker sets this policy when its daemon starts, so it is the likely cause if Docker is installed.

You can set the default policy to ACCEPT with iptables -P FORWARD ACCEPT. However, that is a runtime change only: the next time the server is rebooted, or firewalld restarted, you may lose this configuration.

A better way is to add a direct (explicit) rule with firewall-cmd, like this:

firewall-cmd --permanent --direct --add-rule \
    ipv4 filter FORWARD 0 -j ACCEPT
firewall-cmd --reload

firewall-cmd --direct --get-all-rules

:warning: Caution:

The rule above enables (ACCEPT) forwarding for all interfaces, the current ones and any created in the future, so it also undoes the isolation Docker intended with its FORWARD DROP policy. If this is not what you want, use interface-specific rules instead. Note that in a direct rule the priority comes right after the chain name and before the iptables arguments:

firewall-cmd --permanent --direct --remove-rule \
    ipv4 filter FORWARD 0 -j ACCEPT

firewall-cmd --permanent --direct --add-rule \
    ipv4 filter FORWARD 0 -i lxdbr0 -j ACCEPT
firewall-cmd --permanent --direct --add-rule \
    ipv4 filter FORWARD 0 -o lxdbr0 -j ACCEPT

firewall-cmd --reload
firewall-cmd --direct --get-all-rules

3. New bridge interfaces

Let’s say that you create a new bridge interface, for example like this:

lxc network create LAN1

You should also remember to add it to the trusted zone of firewalld and, if you used the interface-specific FORWARD rules above rather than the blanket one, to add the same pair of direct rules for the new interface:

firewall-cmd --permanent --zone=trusted \
             --add-interface=LAN1
firewall-cmd --reload

firewall-cmd --zone=trusted --list-all
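The three steps above, combined into one script as an added example (this is not code from the original post or from LXD): it binds each bridge to the trusted zone only if it is not already there, adds the interface-specific FORWARD rules only if iptables-save reports a DROP policy, and reloads once at the end. It assumes firewall-cmd and iptables-save are on PATH and that it runs as root when APPLY=1 is set; the bridge names lxdbr0 and LAN1 and the iptables-save excerpt are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: apply steps 1-3 idempotently for
# any number of LXD bridges. Assumes firewall-cmd and iptables-save are on PATH
# and that the script runs as root when trust_bridges is actually called.
set -euo pipefail

# Constructed iptables-save excerpt (not captured from a real host), showing the
# FORWARD policy that Docker leaves behind.
SAMPLE_IPTABLES_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [4:2508]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Read iptables-save output on stdin and print the FORWARD chain policy
# (ACCEPT or DROP), or UNKNOWN if no ":FORWARD ..." header line is present.
forward_policy() {
    local line
    line=$(grep -m1 '^:FORWARD ' || true)
    if [ -z "$line" ]; then
        echo UNKNOWN
    else
        echo "$line" | awk '{ print $2 }'
    fi
}

# Print the two direct-rule argument lists that accept forwarding into and out
# of one bridge. The priority (0) comes before the iptables arguments, which is
# the order firewall-cmd --direct expects.
bridge_forward_rules() {
    local iface=$1
    printf 'ipv4 filter FORWARD 0 -i %s -j ACCEPT\n' "$iface"
    printf 'ipv4 filter FORWARD 0 -o %s -j ACCEPT\n' "$iface"
}

# Bind each bridge to the trusted zone and, only if the FORWARD policy is DROP,
# add interface-specific ACCEPT rules for it. Reloads firewalld once at the end
# if anything changed.
trust_bridges() {
    local changed=0 iface rule policy
    for iface in "$@"; do
        if ! firewall-cmd --permanent --zone=trusted --query-interface="$iface" >/dev/null 2>&1; then
            firewall-cmd --permanent --zone=trusted --add-interface="$iface"
            changed=1
        fi
    done

    policy=$(iptables-save | forward_policy)
    if [ "$policy" = DROP ]; then
        for iface in "$@"; do
            while read -r rule; do
                # shellcheck disable=SC2086  # word splitting of $rule is intended
                if ! firewall-cmd --permanent --direct --query-rule $rule >/dev/null 2>&1; then
                    firewall-cmd --permanent --direct --add-rule $rule
                    changed=1
                fi
            done < <(bridge_forward_rules "$iface")
        done
    fi

    if [ "$changed" -eq 1 ]; then
        firewall-cmd --reload
        firewall-cmd --zone=trusted --list-interfaces
        firewall-cmd --direct --get-all-rules
    else
        echo "nothing to change (FORWARD policy: $policy)"
    fi
}

# Only touch the live firewall when APPLY=1 is set, e.g.:
#   sudo APPLY=1 ./trust-bridges.sh lxdbr0 LAN1
if [ "${APPLY:-0}" = 1 ] && [ "$#" -gt 0 ]; then
    trust_bridges "$@"
fi
```

Without APPLY=1 the script only defines the functions, so you can source it and call forward_policy or bridge_forward_rules to see what it would do before giving it root. Because the FORWARD rules are added per interface rather than as a blanket ACCEPT, Docker's own isolation of its bridges is left as Docker configured it.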