lakinduakash / linux-wifi-hotspot

Feature-rich wifi hotspot creator for Linux which provides both GUI and command-line interface. It is also able to create a hotspot using the same wifi card which is connected to an AP already ( Similar to Windows 10).


firewalld support

nahil1 opened this issue · comments

The following commands are needed to allow traffic when firewalld is being used.

sudo firewall-cmd --add-service=dhcp
sudo firewall-cmd --add-service=dns
sudo firewall-cmd  --add-masquerade

sudo firewall-cmd -q --direct --add-rule ipv4 nat POSTROUTING 0 -o <ap_iface> -j MASQUERADE
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i <internet_iface> -o <ap_iface> -j ACCEPT
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i <ap_iface> -o <internet_iface> -m state --state RELATED,ESTABLISHED -j ACCEPT

What should <ap_iface> and <internet_iface> be substituted with?

@tubbadu check the ui dropdowns

Edit: This solution is NOT working, GOTO

Screenshot_20220408_193540

Just add the adapter name to the variables (wifi_iface and internet_iface; in my case export wifi_iface=wlan0 export internet_iface=wlan0), then execute the commands:

export wifi_iface=
export internet_iface=
sudo firewall-cmd --add-service=dhcp
sudo firewall-cmd --add-service=dns
sudo firewall-cmd  --add-masquerade

sudo firewall-cmd -q --direct --add-rule ipv4 nat POSTROUTING 0 -o $wifi_iface -j MASQUERADE
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i $internet_iface -o $wifi_iface -j ACCEPT
sudo firewall-cmd -q --direct --add-rule ipv4 filter FORWARD 0 -i $wifi_iface -o $internet_iface -m state --state RELATED,ESTABLISHED -j ACCEPT

@Luciogi Thanks I'll add those and test them soon.

@lakinduakash this solution is not working

Working Solution:

I am using Fedora 35 for testing; firewalld has the default zone FedoraWorkstation. My approach is to enable masquerade in the zones trusted and FedoraWorkstation, and add the interface ap0 to the trusted zone.
Executing the following command block will allow internet access and IP allocation via the hotspot:

sudo firewall-cmd --zone=FedoraWorkstation --add-masquerade
sudo firewall-cmd --zone=trusted --add-masquerade
sudo firewall-cmd --zone=trusted --add-interface=ap0

Edit: Please test it and give feedback

  • fwd firewall works without any problem

Thanks @Luciogi for testing it. Please test someone, currently I don't have a Fedora environment.

This will allow clients to connect and have internet access (tested on Ubuntu 22.04 with firewalld 1.1.1) without allowing them access to other services on the host:

firewall-cmd --permanent --new-zone=hotspot
firewall-cmd --permanent --zone=hotspot --add-service=dhcp
firewall-cmd --permanent --zone=hotspot --add-service=dns
firewall-cmd --permanent --zone=hotspot --add-interface=ap0

# Ensure the DNS ports are forwarded
firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="tcp" to-port="5353" destination address="192.168.12.1"'
firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="udp" to-port="5353" destination address="192.168.12.1"'

# Change public to whatever zone you've assigned the internet connection to
firewall-cmd --permanent --zone=public --add-masquerade

firewall-cmd --permanent --new-policy hotspot-forwarding
firewall-cmd --permanent --policy hotspot-forwarding --add-ingress-zone hotspot
# Change public to whatever zone you've assigned the internet connection to
firewall-cmd --permanent --policy hotspot-forwarding --add-egress-zone public
# If you want to restrict what ports clients can access on the internet, you can remove this
firewall-cmd --permanent --policy hotspot-forwarding --set-target ACCEPT
# And add specific services instead
#firewall-cmd --permanent --policy hotspot-forwarding --add-service http


firewall-cmd --reload

These rules will persist after a reboot, so you shouldn't need to touch them again unless you want to allow more zones to be used for internet.

(quoting the Fedora "Working Solution" comment above: masquerade on FedoraWorkstation and trusted, ap0 added to the trusted zone)

Sadly, this doesn't work somehow…

Are there some special settings which I missed? I got an IP address with my phone, but no internet connection.

IP of Phone: 192.168.12.13
Gateway of Phone: 192.168.12.1
Gateway of ap0: 192.168.12.1

I have a virtual interface as LAN device, but this shouldn't generate any problems, right?

Ethernet port enp1s0:
IP: 192.168.12.103
Gateway: 192.168.12.1

Normally this would be 192.168.3.3 with gateway 192.168.3.1.
I have internet in my VM, but not on the hotspot. If I missed something worth mentioning, just ask; I'll try to deliver.

Greets LxWulf

Edit: Yes, I use Fedora 37 with the newest updates.

@lxwulf Are you using Fedora 37 on VM?

@Luciogi Yes, exactly!

It does work with a LAN PCI pass through, but not with virtual devices, at least on my side.

@lxwulf I guess the VM can't directly access all wifi card capabilities; it uses a bridge or NAT connection coming from the host OS.
Maybe a USB wifi adapter might work.

@Luciogi Yes, worth trying, but at the moment I have no USB dongle. I'll keep this in mind for later.

(quoting the hotspot zone/policy solution above, tested on Ubuntu 22.04 with firewalld 1.1.1)

I'm on Fedora 37, and with these settings my Android device is "connected without internet access".

@tubbadu Please test this #166 (comment)


We need proper support for firewalld. Something nice like @NHellFire's script translating the existing regular iptables rules. For a fast and easy way, it's already discussed here: masquerade + add ap0 to zones.

On Debian 12 with firewalld enabled, the problem was fixed by only the first three lines. Namely:

sudo firewall-cmd --add-service=dhcp
sudo firewall-cmd --add-service=dns
sudo firewall-cmd  --add-masquerade

But yes, given that firewalld is enabled by default on several distros (including Debian), this should probably be done automatically.

If nothing else, just check if sudo firewall-cmd --state returns running, and if it does, print something during installation along the lines of "You have firewalld running. This may require explicitly adding some rules for allowing network traffic. Please visit if you face issues."

EDIT: Even though I could not connect to the network, I could not use mDNS to resolve the hostname. I ended up disabling firewalld, and expect to be using something that is not as obstructive in the future.
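As an added example (not code from the linux-wifi-hotspot project or from any commenter), the script below combines the zone/policy rules posted earlier in this thread with the "check whether firewalld is running" suggestion just above: it applies the rules only when `firewall-cmd --state` reports running, looks up the zone of the uplink interface instead of hard-coding public, validates the names it substitutes into commands, and verifies after reload that the AP interface really landed in the hotspot zone. The AP interface ap0, gateway 192.168.12.1 and dnsmasq port 5353 are taken from the thread; the helper names (firewalld_running, internet_zone, hotspot_rules, apply_hotspot_rules) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the linux-wifi-hotspot project: applies the
# hotspot zone/policy rules posted in this thread only when firewalld is
# actually running (the `firewall-cmd --state` check proposed in the thread)
# and looks up the uplink's zone instead of hard-coding "public".
# Assumed from the thread: AP interface ap0, gateway 192.168.12.1, dnsmasq on
# port 5353. Helper names (firewalld_running, internet_zone, hotspot_rules,
# apply_hotspot_rules) are this example's own.
set -eu

# True only when firewall-cmd exists and the daemon reports "running".
firewalld_running() {
    command -v firewall-cmd >/dev/null 2>&1 &&
        [ "$(firewall-cmd --state 2>/dev/null)" = "running" ]
}

# Zone firewalld bound the uplink interface to; falls back to the default zone
# when the interface is not explicitly assigned (firewall-cmd prints "no zone").
internet_zone() {
    zone=$(firewall-cmd --get-zone-of-interface="$1" 2>/dev/null || true)
    [ -n "$zone" ] && [ "$zone" != "no zone" ] || zone=$(firewall-cmd --get-default-zone)
    printf '%s\n' "$zone"
}

# Interface and zone names are later eval'ed into commands, so restrict them
# to the characters such names can legitimately contain.
valid_name() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

# Print the permanent rules for an AP interface, uplink zone and gateway address,
# one command per line, so they can be reviewed before anything is changed.
hotspot_rules() {
    ap="$1"; inet="$2"; gw="$3"
    valid_name "$ap" && valid_name "$inet" || { echo "bad interface/zone name" >&2; return 1; }
    case "$gw" in ''|*[!0-9.]*) echo "bad gateway address" >&2; return 1 ;; esac
    cat <<EOF
firewall-cmd --permanent --new-zone=hotspot
firewall-cmd --permanent --zone=hotspot --add-service=dhcp
firewall-cmd --permanent --zone=hotspot --add-service=dns
firewall-cmd --permanent --zone=hotspot --add-interface=$ap
firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="tcp" to-port="5353" destination address="$gw"'
firewall-cmd --permanent --zone=hotspot --add-rich-rule='rule family="ipv4" forward-port port="53" protocol="udp" to-port="5353" destination address="$gw"'
firewall-cmd --permanent --zone=$inet --add-masquerade
firewall-cmd --permanent --new-policy hotspot-forwarding
firewall-cmd --permanent --policy hotspot-forwarding --add-ingress-zone hotspot
firewall-cmd --permanent --policy hotspot-forwarding --add-egress-zone $inet
firewall-cmd --permanent --policy hotspot-forwarding --set-target ACCEPT
EOF
}

# Apply the rules for AP interface $1 with uplink interface $2 and gateway $3,
# then reload and verify that the AP interface really landed in the hotspot zone.
apply_hotspot_rules() {
    if ! firewalld_running; then
        echo "firewalld is not running; nothing to do" >&2
        return 1
    fi
    inet=$(internet_zone "$2")
    rules=$(hotspot_rules "$1" "$inet" "$3") || return 1
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        case "$cmd" in
            # zone/policy creation fails if it already exists; tolerate re-runs
            *--new-zone=*|*--new-policy*) eval "$cmd" 2>/dev/null || true ;;
            *) eval "$cmd" ;;
        esac
    done
    firewall-cmd --reload
    [ "$(firewall-cmd --get-zone-of-interface="$1")" = "hotspot" ]
}

# Example invocation (as root): apply_hotspot_rules ap0 wlan0 192.168.12.1
```

Run `hotspot_rules ap0 public 192.168.12.1` first to see exactly which commands would be issued; `apply_hotspot_rules` takes the uplink interface name (not its zone) and resolves the zone itself, so the same call works whether the uplink sits in public, FedoraWorkstation or a custom zone.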

(quoting the export wifi_iface/internet_iface direct-rule commands above)

this works for me on fedora 39

(quoting the Fedora "Working Solution" comment above: masquerade on FedoraWorkstation and trusted, ap0 added to the trusted zone)

is there a way to make this permanent?
would adding --permanent work?


No idea; I am not using firewalld and Fedora anymore, and I forgot whether these commands make permanent rules.

I have used Fedora Linux since version 30, and now I'm on version 39. I can confirm that the firewall-cmd command with the --permanent option does work for permanent settings. After this, you can reload the firewall to take the new settings in: firewall-cmd --reload.

All changes without the --permanent option are temporary and are lost when the firewall gets reloaded (firewall-cmd --reload) or the system is rebooted.
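A practical way to answer "did my rules actually persist?" is to compare what firewalld holds at runtime with what it has saved permanently. The following added example (not code from the project or from any commenter) does that for the fields the trusted-zone solution in this thread touches, using the layout of `firewall-cmd --zone=Z --list-all`; the helper names and the two sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the linux-wifi-hotspot project: detects rules
# that exist only in firewalld's runtime configuration, which is what the
# "does --permanent work?" question in this thread is really about. It diffs
# `firewall-cmd --zone=Z --list-all` against the --permanent variant for the
# fields the trusted-zone solution touches. Helper names and the two sample
# outputs are this example's own; the samples mimic real --list-all layout.
set -eu

# Extract one "  key: value" field from --list-all style text ($1 = text, $2 = key).
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# Report fields that differ between runtime ($1) and permanent ($2) output.
# Returns 1 when anything differs, 0 when the saved config matches the live one.
zone_drift() {
    drift=0
    for key in interfaces masquerade services; do
        live=$(zone_field "$1" "$key")
        saved=$(zone_field "$2" "$key")
        if [ "$live" != "$saved" ]; then
            printf '%s: runtime=[%s] permanent=[%s]\n' "$key" "$live" "$saved"
            drift=1
        fi
    done
    return $drift
}

# Live check of one zone against the running daemon (needs root and firewalld).
check_zone() {
    zone_drift "$(firewall-cmd --zone="$1" --list-all)" \
               "$(firewall-cmd --permanent --zone="$1" --list-all)"
}

# Constructed samples: the trusted zone after running the thread's commands
# without --permanent. ap0 and masquerade exist only in the runtime view.
RUNTIME_SAMPLE='trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: ap0
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'
PERMANENT_SAMPLE='trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Demo on the samples; on a real host run: check_zone trusted
if zone_drift "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"; then
    echo "trusted zone: runtime and permanent config match"
else
    echo "trusted zone: the runtime-only changes listed above will be lost on reload/reboot"
fi
```

On a real host, `check_zone trusted` after running the runtime-only commands reports interfaces and masquerade as present at runtime but absent from the permanent config. If the live state is the one you want to keep, firewalld's own `firewall-cmd --runtime-to-permanent` saves the current runtime configuration, after which the check reports no drift.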