Port forwarding not working on localhost

Issues related to configuring your network
davidbiesack
Posts: 13
Joined: 2017/04/19 13:58:39

Port forwarding not working on localhost

Postby davidbiesack » 2017/04/21 18:01:06

I have been able to configure firewalld to allow access to em1 from the public zone to a Tomcat 8 server running on port 8180, with port 80 mapped to 8180 (I'm not running httpd, just Tomcat): http://myhost.mydomain/ (and http://myhost.mydomain:8180/) works fine from other clients on the network. (I'm using 8180 since I want to keep 8080 open for development/test purposes.)

However, when I try to access http://myhost.mydomain/ or http://localhost/ from my CentOS 7 I get an error,
This site can’t be reached localhost refused to connect.
However, http://localhost:8180/ works. Thus the port forwarding does not appear to be working on localhost (but works externally). A stackoverflow question suggests adding an interface named 'lo' but it is not clear what that does.
The accepted answer "The server is not listening on loopback interface." does not tell me how to configure the loopback interface.

The Firewalld documentation does not mention localhost or loopback, and 'lo' is only mentioned without description.

My only active zone is public

$ sudo firewall-cmd --get-active-zones
public
  interfaces: em1
$ sudo firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources:
  services: dhcpv6-client ssh
  ports: 8180/tcp 5900/tcp
  protocols:
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8180:toaddr=
  sourceports:
  icmp-blocks:
  rich rules:


Should I expect localhost to use a different zone? If so, how do I add the interface (is it really named lo?)

I tried:

$ sudo firewall-cmd --zone=trusted --add-interface=lo
$ sudo firewall-cmd --zone=trusted --add-port=80/tcp
$ sudo firewall-cmd --zone=trusted --add-port=8180/tcp
$ sudo firewall-cmd --zone=trusted --add-forward-port=port=80:proto=tcp:toport=8180
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --get-active-zones
public
  interfaces: em1
trusted
  interfaces: lo
$ sudo firewall-cmd --info-zone=trusted
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lo
  sources:
  services:
  ports: 80/tcp 8180/tcp
  protocols:
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8180:toaddr=
  sourceports:
  icmp-blocks:
  rich rules:


but still http://localhost/ does not work (but http://localhost:8180 does).
David Biesack
CentOS 7.2

Macenger
Posts: 23
Joined: 2016/10/18 08:29:57

Re: Port forwarding not working on localhost

Postby Macenger » 2017/04/25 11:26:07

Please share the output of:

# lsof -i:80
# lsof -i:8180

davidbiesack
Posts: 13
Joined: 2017/04/19 13:58:39

Re: Port forwarding not working on localhost

Postby davidbiesack » 2017/04/25 13:14:30

I don't know why firewall-client was not allowing this to work, but I solved it with:

   sudo /sbin/iptables -t nat -D OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
   sudo /sbin/iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
   sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8180
   sudo /sbin/iptables -t nat -I OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8180
   sudo firewall-cmd --runtime-to-permanent


which is what I had done on my Ubuntu system before switching to CentOS 7.

I've not rebooted yet to ensure the iptables configuration sticks but it does work after doing

firewall-cmd --reload
Last edited by davidbiesack on 2017/04/25 15:21:17, edited 1 time in total.
David Biesack
CentOS 7.2

davidbiesack
Posts: 13
Joined: 2017/04/19 13:58:39

Re: Port forwarding not working on localhost

Postby davidbiesack » 2017/04/25 13:33:28

Correction, my iptables settings do not persist after doing

sudo firewall-cmd --runtime-to-permanent
sudo firewall-cmd --reload

but I can at least add the iptables commands to a boot script
David Biesack
CentOS 7.2

TrevorH
Forum Moderator
Posts: 20626
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Port forwarding not working on localhost

Postby TrevorH » 2017/04/25 16:10:51

You cannot mix and match iptables with firewalld. Firewalld runs as a daemon and "knows" how the rules "should be" and will put them back the way it thinks they ought to be at any time it feels like it. If you add a rule with the iptables command then sooner or later firewalld will notice the rule exists and if it doesn't think it should be there it will remove it.

Work out how to add your rules to firewalld using firewall-cmd or dump firewalld and use iptables-services instead. Do not attempt to use both at the same time or unpredictable results will occur.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

davidbiesack
Posts: 13
Joined: 2017/04/19 13:58:39

Re: Port forwarding not working on localhost

Postby davidbiesack » 2017/04/25 16:44:18

ok, sure... but that leaves me without a solution.

Why does

sudo firewall-cmd --zone=trusted --add-forward-port=port=80:proto=tcp:toport=8180

not work for lo when the same --add-forward-port works for public?
Is something else missing? The man page for firewall-cmd or wiki does not mention 'sourceports' which are empty.

$ sudo firewall-cmd --permanent --info-zone=trusted
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lo
  sources:
  services:
  ports: 80/tcp 8180/tcp
  protocols:
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8180:toaddr=
  sourceports:
  icmp-blocks:
  rich rules:


Is that important?

I was hoping the out-of-the-box system would work. Without a solution, I'll disable firewalld and revert to iptables.
David Biesack
CentOS 7.2

TrevorH
Forum Moderator
Posts: 20626
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Port forwarding not working on localhost

Postby TrevorH » 2017/04/25 16:52:32

I am not a fan of firewalld.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

hunter86_bg
Posts: 737
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Port forwarding not working on localhost

Postby hunter86_bg » 2017/04/26 17:42:02

I think you can't port forward for localhost. Either switch to iptables or as last resort - direct rules (but remember they are processed before anything else).
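The direct-rule route mentioned in this reply, and the rule-drift problem TrevorH describes earlier in the thread, worked through as an added example; this is not code from any poster and not part of the original thread. It assumes firewalld as shipped on CentOS 7, where a zone forward-port produces a REDIRECT only in chains reached from the nat PREROUTING chain, so connections the host makes to itself (which go through nat OUTPUT, never PREROUTING) are not redirected. The rule listings below are constructed to model that chain layout and are not copied from a real system; classify_redirect walks the -j jumps from PREROUTING and OUTPUT to report where a matching redirect is reachable, and plan_loopback_redirect prints the firewall-cmd --direct rule for the OUTPUT chain, which firewalld keeps across reloads, unlike rules added with the iptables binary.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a port redirect is reachable from
# the chains external traffic (PREROUTING) and locally generated traffic (OUTPUT) take,
# and prints a firewalld direct rule for the loopback case.

# classify_redirect RULES FROM TO
#   RULES: text of `iptables -t nat -S`; FROM: port clients connect to; TO: service port.
#   Prints one of: both, external-only, local-only, none.
classify_redirect() {
    printf '%s\n' "$1" | awk -v from="$2" -v to="$3" '
        BEGIN { want = "--dport " from " .*-j REDIRECT --to-ports " to "$" }
        /^-A / {
            chain = $2; tgt = ""
            for (i = 3; i <= NF; i++) if ($i == "-j") tgt = $(i + 1)
            if ($0 ~ want)
                hits[chain] = 1                         # the redirect rule itself
            else if (tgt != "" && tgt !~ /^(ACCEPT|DROP|REJECT|RETURN|REDIRECT|DNAT|SNAT|MASQUERADE)$/)
                edges[chain SUBSEP tgt] = 1             # a jump into a user-defined chain
        }
        # Depth-first search: is a matching redirect reachable from chain c?
        function reach(c,   k, parts) {
            if (c in seen) return 0
            seen[c] = 1
            if (c in hits) return 1
            for (k in edges) {
                split(k, parts, SUBSEP)
                if (parts[1] == c && reach(parts[2])) return 1
            }
            return 0
        }
        END {
            split("", seen); ext = reach("PREROUTING")   # packets arriving on an interface
            split("", seen); loc = reach("OUTPUT")       # packets generated on this host
            if (ext && loc)  print "both"
            else if (ext)    print "external-only"
            else if (loc)    print "local-only"
            else             print "none"
        }'
}

# plan_loopback_redirect FROM TO
#   Prints (does not run) the firewalld direct rule that adds the OUTPUT-chain redirect
#   a zone forward-port does not create. Review it, then pipe it to `sudo sh`.
plan_loopback_redirect() {
    printf '%s\n' \
        "firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -o lo -p tcp --dport $1 -j REDIRECT --to-ports $2" \
        "firewall-cmd --reload"
}

# Constructed sample modelled on the chain layout firewalld builds for a forward-port:
# the REDIRECT sits in a zone chain that is only reachable from PREROUTING.
SAMPLE_FIREWALLD_ONLY='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N PREROUTING_ZONES
-N PRE_public
-N PRE_public_allow
-A PREROUTING -j PREROUTING_ZONES
-A PREROUTING_ZONES -i em1 -j PRE_public
-A PRE_public -j PRE_public_allow
-A PRE_public_allow -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8180'

# Same listing after the loopback direct rule has been applied (also constructed).
SAMPLE_BOTH="$SAMPLE_FIREWALLD_ONLY
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8180"

echo "forward-port only:      $(classify_redirect "$SAMPLE_FIREWALLD_ONLY" 80 8180)"
echo "with OUTPUT/lo redirect: $(classify_redirect "$SAMPLE_BOTH" 80 8180)"
plan_loopback_redirect 80 8180
```

On a live host, `classify_redirect "$(sudo iptables -t nat -S)" 80 8180` run after `firewall-cmd --reload` is also a quick way to confirm that a rule has survived, which is exactly what went missing when rules were added with the iptables binary under a running firewalld.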

davidbiesack
Posts: 13
Joined: 2017/04/19 13:58:39

Re: Port forwarding not working on localhost

Postby davidbiesack » 2017/04/26 18:08:47

yes, I switched:

   sudo yum install iptables-services
   sudo systemctl mask firewalld.service
   sudo systemctl enable iptables.service
   
   # Optional:
   # systemctl enable ip6tables.service
   # Optional: you may have 80 -> 8080 redirects. If so, -D (delete) them first:
   sudo /sbin/iptables -t nat -D OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
   sudo /sbin/iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
   
   sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8180
   sudo /sbin/iptables -t nat -I OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8180
   sudo service iptables save



and now my service is working great.

I reported this as a bug.
David Biesack
CentOS 7.2

TrevorH
Forum Moderator
Posts: 20626
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Port forwarding not working on localhost

Postby TrevorH » 2017/04/26 18:19:28

I saw the bug but you need to report that upstream on bugzilla.redhat.com to stand a chance of getting it fixed. As far as CentOS is concerned, bugs are things that don't work the same as in RHEL and if it does, it's not a bug, it's an upstream feature ;-)
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke