I’m trying to set up a somewhat weird network configuration, three interfaces on a pi, an adhoc AP, a wireless lan, and a USB modem.
I want clients of the USB device to talk to clients of the AP, I want clients of the AP to talk to other clients and a single host on the wireless network.
Sorta simple right? Just a couple firewall rules? Well NetworkManager is a land of logical defaults that do not like to be adjusted. I had it working where the AP clients could not reach out to the internet, but could reach the USB clients. NetworkManager automagic’d a NFTables ruleset that doesn’t appreciate being changed.
Okay so I’ll tell NM to not use a firewall backed in the conf, firewall-backend=none, easy.
But once NM is restarted, the networking is behaving like the firewall is still active, despite NFtables and iptables reporting no rulesets, as NM has taken its ball and gone home.
I can’t even figure out a baseline of “what the fuck is going on” because the level of opaque NM automagic happening behind the scenes. I just poke at it and hope something happens. Half the NetworkManager behavior is hidden in dev blog posts that you need to sift through, the official documentation just basically gives the bare minimum info for a feature.
https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux
So I want and have ip forwarding, and I only want to make a firewall whitelist between two of the interfaces.
I’ve uninstalled iptables, nftables isn’t running, NM has the firewall backend disabled, and ip forwarding is on.
This should result in traffic moving between the interfaces, yet traffic is moving between two of the interfaces, and blocked between two of the interfaces. It just doesn’t make sense.
Sorry I only have this generic troubleshooting point to offer, but have you checked to see if NetworkManager might be modifying your IP routing table in unwanted ways during its operation?
From what you’ve described I’m under the impression that no Internet traffic needs to run through this system; perhaps NM is adding an unwanted default route?