Investigate gateway issues on Amazon Linux 2023 · Issue #8481 · firezone/firezone · GitHub

Investigate gateway issues on Amazon Linux 2023 #8481

Closed
jamilbk opened this issue Mar 18, 2025 · 3 comments · Fixed by #8483
Labels: area/gateway (Issues involving the Firezone Gateway), needs triage (Issues opened by the public or need further labeling)

Comments

jamilbk (Member) commented Mar 18, 2025

I'll try to test asap. Do you guys test Amazon Linux 2023? I would move to that one if Firezone worked on it, but it never has. I honestly don't know why though, because it does not produce the same kind of errors. Like the service starts and seems to work, but things don't actually work (i.e. I cannot connect to resources from clients). I just never revisited it...

I'm only mentioning because Amazon Linux 2023 has systemd v252 so all that stuff you guys did seems to work fine on it, it's something else that is going wrong. That and it is the currently most widely used Linux distro on AWS, so it's what most folks use by default.

I tried once today but it seemed to have the same behavior as it did back when I tried the first time, it starts up fine and says it's running but nothing can connect to anything...

Originally posted by @heathprovost in #8471

@jamilbk jamilbk added area/gateway Issues involving the Firezone Gateway needs triage Issues opened by the public or need further labeling labels Mar 18, 2025
@jamilbk jamilbk self-assigned this Mar 18, 2025
heathprovost commented

I'll be happy to test this if you need an outside tester.

jamilbk (Member, Author) commented Mar 19, 2025

So I was able to reproduce with a default install of Amazon Linux 2023. Since iptables isn't installed by default, you need to do:

```shell
sudo dnf install iptables-services -y
sudo systemctl enable iptables
sudo systemctl start iptables
```

Which I assume you've done.

However, Amazon Linux 2023 ships with a default ruleset that prevents packet forwarding, so I'll open another PR that inserts our forwarding rule with higher priority, which solves the issue.

heathprovost commented

That makes sense. Thank you!

github-merge-queue bot pushed a commit that referenced this issue Mar 19, 2025
On some Linux distributions (Amazon Linux 2023), the default `iptables`
install includes a blanket deny rule in the `FORWARD` chain that
prevents packets from the tunnel interface from ever leaving the host.
To fix this, we ensure our `FORWARD` chain rules are inserted with
priority 1 which takes precedence over the blanket-deny rule.

We also update our MASQUERADE in the NAT table to apply only to the CIDR
range possible for Gateway tunnel IPs, as opposed to the default
`0.0.0.0/0`.

Fixes #8481
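The setup described in jamilbk's reproduction comment and the fix described in the commit message, as an added example that is not Firezone's own code: a POSIX shell script that treats the FORWARD chain listing as text, shows why a forwarding rule appended (-A) behind the blanket REJECT never matches, models what inserting at position 1 does to the order, and prints the narrowed MASQUERADE rule. The interface name `tun0`, the tunnel range `100.64.0.0/11`, and the sample ruleset are constructed assumptions, since the page names none of them; the sample is modelled on the RHEL-style default that iptables-services installs. Nothing is applied to the kernel, so it runs without root.

```shell
#!/bin/sh
# Added example, not Firezone's code. Rules are handled as text only;
# iptables is never invoked, so this runs unprivileged.

TUN_IF="tun0"             # assumed tunnel interface name (not from the page)
TUN_CIDR="100.64.0.0/11"  # assumed tunnel address range (not from the page)

# Constructed sample of `iptables -S FORWARD` output: the iptables-services
# style default (an unconditional REJECT) plus a tunnel rule appended with
# -A. Packets reach the REJECT first, so the appended rule is dead code.
SAMPLE_BEFORE='-P FORWARD ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i tun0 -j ACCEPT'

# forward_ok RULES IFACE
# Exit 0 when an ACCEPT for IFACE precedes the first blanket DROP/REJECT,
# i.e. a rule that carries no -i/-o/-s/-d/-p/-m match at all.
forward_ok() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    /^-A FORWARD/ && !done {
      blanket = ($0 ~ /-j (DROP|REJECT)/) && ($0 !~ /-[iosdpm] /)
      if (blanket) { done = 1; next }
      if ($0 ~ ("-[io] " ifc " ") && $0 ~ /-j ACCEPT/) { ok = 1; done = 1 }
    }
    END { exit !ok }'
}

# simulate_insert RULES RULE
# Text-level model of `iptables -I FORWARD 1 RULE`: the new rule lands
# directly under the chain policy line, ahead of every existing rule.
simulate_insert() {
  printf '%s\n' "$1" | awk -v rule="$2" '
    NR == 1 && /^-P FORWARD/ { print; print "-A FORWARD " rule; next }
    { print }'
}

# gateway_rules IFACE CIDR
# Prints (does not run) the rules a gateway host needs: -I ... 1 places the
# forwarding rules above the blanket REJECT, and MASQUERADE is restricted to
# the tunnel range instead of 0.0.0.0/0 so unrelated traffic is not NATed.
gateway_rules() {
  cat <<EOF
iptables -I FORWARD 1 -i $1 -j ACCEPT
iptables -I FORWARD 1 -o $1 -j ACCEPT
iptables -t nat -A POSTROUTING -s $2 -j MASQUERADE
EOF
}

# Demo: the appended rule is shadowed, the inserted one is not.
if forward_ok "$SAMPLE_BEFORE" "$TUN_IF"; then
  echo "before: forwarding for $TUN_IF reachable"
else
  echo "before: forwarding for $TUN_IF shadowed by blanket REJECT"
fi
SAMPLE_AFTER=$(simulate_insert "$SAMPLE_BEFORE" "-i $TUN_IF -j ACCEPT")
if forward_ok "$SAMPLE_AFTER" "$TUN_IF"; then
  echo "after:  forwarding for $TUN_IF reachable"
fi
echo "rules to apply on the gateway host:"
gateway_rules "$TUN_IF" "$TUN_CIDR"
```

To check a real host, feed `forward_ok` the output of `sudo iptables -S FORWARD` and the gateway's actual tunnel device name; the lines printed by `gateway_rules` are meant to be reviewed and then run with sudo, and they do not survive a reboot unless saved into the iptables-services ruleset file.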
2 participants