@amanjuman
Last active April 15, 2026 14:51
Gist: amanjuman/3109df43060d02ad3694688d79f70692
RunCloud BGP Transit VM Firewall Fix
#!/bin/bash
# FirewallD setup for RunCloud BGP transit VMs
# Assumes firewalld >= 1.0 (zone "forward" setting and policy objects) and
# that RunCloud has already created its "runcloud" zone.
set -euo pipefail

# Interface carrying the default route; read the field after "dev" so this
# also works for routes without a "via" hop (where $5 is not the device).
PUB_IF=$(ip route show default | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i+1); exit}}')
if [ -z "$PUB_IF" ]; then
    echo "No default route found; refusing to continue" >&2
    exit 1
fi
echo "==> Public interface: $PUB_IF"

# 1. Bind the public interface to the runcloud zone.
#    --change-interface is idempotent; --add-interface fails with
#    ZONE_CONFLICT when the interface is already bound to another zone.
firewall-cmd --permanent --zone=runcloud --change-interface="$PUB_IF"

# 2. BGP (TCP/179) and GRE on the public interface, plus intra-zone forwarding.
#    This accepts GRE from any source. Because the tunnel interfaces are later
#    placed in the trusted zone, consider limiting GRE to the peer addresses
#    with a rich rule instead.
firewall-cmd --permanent --zone=runcloud --add-port=179/tcp
firewall-cmd --permanent --zone=runcloud --add-protocol=gre
firewall-cmd --permanent --zone=runcloud --add-forward

# 3. Forwarding policies (delete first so re-runs are idempotent).
#    Both policies ACCEPT all forwarded traffic between the public zone and
#    any zone: the VM is a transit router, so any filtering of forwarded
#    traffic has to be done elsewhere or added to these policies.
for pol in fwd-in-pub fwd-out-pub; do
    firewall-cmd --permanent --delete-policy="$pol" 2>/dev/null || true
done
firewall-cmd --permanent --new-policy=fwd-in-pub
firewall-cmd --permanent --policy=fwd-in-pub --add-ingress-zone=runcloud
firewall-cmd --permanent --policy=fwd-in-pub --add-egress-zone=ANY
firewall-cmd --permanent --policy=fwd-in-pub --set-target=ACCEPT
firewall-cmd --permanent --new-policy=fwd-out-pub
firewall-cmd --permanent --policy=fwd-out-pub --add-ingress-zone=ANY
firewall-cmd --permanent --policy=fwd-out-pub --add-egress-zone=runcloud
firewall-cmd --permanent --policy=fwd-out-pub --set-target=ACCEPT

# 4. Hide this hop from traceroute by dropping outgoing ICMP time-exceeded.
#    IPv4 only; cosmetic rather than a security control, and traceroutes
#    through this VM will show '*' for this hop. The direct interface is
#    deprecated in firewalld 1.x but still functional.
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
    -p icmp --icmp-type time-exceeded -j DROP

# 5. Apply the permanent configuration.
firewall-cmd --reload
echo ""
echo "==> Done. Active zones:"
firewall-cmd --get-active-zones
echo ""
echo "==> After creating each GRE tunnel, run:"
echo "    firewall-cmd --permanent --zone=trusted --add-interface=<name>-gre"
echo "    firewall-cmd --reload"
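The per-tunnel step the script prints at the end binds each `<name>-gre` interface to the trusted zone, which accepts everything that arrives on it, while the public zone accepts GRE from any source address. The following is an added example, not code from the gist or from RunCloud: it does the trusted-zone binding for one tunnel and, in the same run, adds a firewalld rich rule so GRE on the public zone is accepted only from that tunnel's peer. It assumes the gist's zone names (`runcloud` for the public interface, `trusted` for tunnels); the tunnel name and peer address are placeholders supplied by the caller, and `FIREWALL_CMD` is a hypothetical override so the script can be dry-run with `FIREWALL_CMD=echo` without root. Both inputs are validated before they are spliced into `firewall-cmd` arguments.

```shell
#!/bin/sh
# Added example (not part of the gist): bind a new GRE tunnel interface to the
# trusted zone and allow GRE on the public zone only from that tunnel's peer,
# rather than from any source as a bare --add-protocol=gre does.
# Assumptions: zone names "runcloud" and "trusted" as in the gist; the tunnel
# interface name and peer IPv4 address are placeholders given by the caller.
set -eu

# FIREWALL_CMD=echo runs the script without root and just prints the commands.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

fw() { "$FIREWALL_CMD" --permanent "$@"; }

# Accept only a plain dotted-quad IPv4 address (each octet 0-255). The value
# is spliced into a rich rule, so anything else is rejected outright.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Linux interface names: 1-15 characters; reject '/', whitespace and metachars.
valid_ifname() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 15 ] || return 1
    case $1 in
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Rich rule text: GRE accepted on the public zone only from one peer address.
gre_peer_rule() {
    printf 'rule family="ipv4" source address="%s" protocol value="gre" accept' "$1"
}

add_gre_tunnel() {
    name=$1; peer=$2
    valid_ifname "$name" || { echo "invalid interface name: $name" >&2; return 2; }
    valid_ipv4 "$peer"   || { echo "invalid peer address: $peer" >&2; return 2; }
    # Decapsulated packets appear on the tunnel interface; the gist places it
    # in the trusted zone. --change-interface is safe to repeat.
    fw --zone=trusted --change-interface="$name"
    # Per-peer GRE allow on the public-facing zone.
    fw --zone=runcloud --add-rich-rule="$(gre_peer_rule "$peer")"
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 <tunnel-iface> <peer-ipv4>" >&2; return 64; }
    add_gre_tunnel "$1" "$2"
    "$FIREWALL_CMD" --reload
}

# Only run when arguments are given, so the file can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Usage (hypothetical file name and addresses): `sh add-gre-tunnel.sh edge1-gre 203.0.113.10` binds `edge1-gre` to the trusted zone, allows GRE on `runcloud` from 203.0.113.10 only, and reloads; once every tunnel has its own rule, the blanket `--add-protocol=gre` on the runcloud zone can be removed with `firewall-cmd --permanent --zone=runcloud --remove-protocol=gre`.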