Firewalld Port Forwarding does not work

Issues related to configuring your network
L3G0
Posts: 3
Joined: 2014/10/19 15:16:24

Post by L3G0 » 2014/10/19 15:45:42

Dear Forum Members,
I've got a problem which has kept me busy for two days. To work around this problem I could disable firewalld and use pure iptables, but I want to use this new technology.

My setup consists of the host and a VM (IP: 192.168.122.96) which is controlled by libvirt.
  • Inside the VM "nc -l 8080" is running.
  • Running "nc 192.168.122.96 8080" on the host does work very well.

I want to forward the host port 8080 to 192.168.122.96 8080, so I added

Code:

firewall-cmd --add-masquerade
firewall-cmd --query-forward-port=port=8080:proto=tcp:toport=8080:toaddr=192.168.122.96

Connecting from an external host does not work, "nc 127.0.0.1 8080" on the host does not work, but "nc 192.168.122.96 8080" still works.

I've been reading a lot of links like:
While reading I found I had to add the source address to the trusted zone:

Code:

firewall-cmd --permanent --zone=trusted --add-source=192.168.122.0/24

Code:

firewall-cmd --get-active-zones
public
  interfaces: enp3s0 virbr0
trusted
  interfaces: vnet0
  sources: 192.168.122.0/24

I also temporarily tried adding

Code:

firewall-cmd --add-port=8000-9000/tcp
My current rules in firewalld:

Code:

firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: enp3s0 virbr0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: yes
  forward-ports: port=8000-8005:proto=tcp:toport=:toaddr=192.168.122.96
        port=1109-1113:proto=tcp:toport=:toaddr=192.168.122.96
        port=8000-8005:proto=udp:toport=:toaddr=192.168.122.96
        port=8085:proto=tcp:toport=8090:toaddr=
        port=1109-1113:proto=udp:toport=:toaddr=192.168.122.96
  icmp-blocks: 
  rich rules:
But the resulting iptables rules are missing the forward:

Code:

iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_public
-N FWDI_public_allow
-N FWDI_public_deny
-N FWDI_public_log
-N FWDI_trusted
-N FWDI_trusted_allow
-N FWDI_trusted_deny
-N FWDI_trusted_log
-N FWDO_public
-N FWDO_public_allow
-N FWDO_public_deny
-N FWDO_public_log
-N FWDO_trusted
-N FWDO_trusted_allow
-N FWDO_trusted_deny
-N FWDO_trusted_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_public
-N IN_public_allow
-N IN_public_deny
-N IN_public_log
-N IN_trusted
-N IN_trusted_allow
-N IN_trusted_deny
-N IN_trusted_log
-N OUTPUT_direct
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i vnet0 -j FWDI_trusted
-A FORWARD_IN_ZONES -i virbr0 -g FWDI_public
-A FORWARD_IN_ZONES -i enp3s0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_IN_ZONES_SOURCE -s 192.168.122.0/24 -j ACCEPT
-A FORWARD_OUT_ZONES -o vnet0 -j FWDO_trusted
-A FORWARD_OUT_ZONES -o virbr0 -g FWDO_public
-A FORWARD_OUT_ZONES -o enp3s0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FORWARD_OUT_ZONES_SOURCE -d 192.168.122.0/24 -j ACCEPT
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public_allow -m conntrack --ctstate NEW -m mark --mark 0x64 -j ACCEPT
-A FWDI_public_allow -m conntrack --ctstate NEW -m mark --mark 0x65 -j ACCEPT
-A FWDI_public_allow -m conntrack --ctstate NEW -m mark --mark 0x66 -j ACCEPT
-A FWDI_public_allow -m conntrack --ctstate NEW -m mark --mark 0x67 -j ACCEPT
-A FWDI_trusted -j FWDI_trusted_log
-A FWDI_trusted -j FWDI_trusted_deny
-A FWDI_trusted -j FWDI_trusted_allow
-A FWDI_trusted -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A FWDO_public_allow -j ACCEPT
-A FWDO_trusted -j FWDO_trusted_log
-A FWDO_trusted -j FWDO_trusted_deny
-A FWDO_trusted -j FWDO_trusted_allow
-A FWDO_trusted -j ACCEPT
-A INPUT_ZONES -i vnet0 -j IN_trusted
-A INPUT_ZONES -i virbr0 -g IN_public
-A INPUT_ZONES -i enp3s0 -g IN_public
-A INPUT_ZONES -g IN_public
-A INPUT_ZONES_SOURCE -s 192.168.122.0/24 -j ACCEPT
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -m conntrack --ctstate NEW -m mark --mark 0x68 -j ACCEPT
-A IN_trusted -j IN_trusted_log
-A IN_trusted -j IN_trusted_deny
-A IN_trusted -j IN_trusted_allow
-A IN_trusted -j ACCEPT

The interesting fact is, when I run "firewall-cmd --reload" and instantly initiate the connection, it works until I terminate the connection and try again.
When trying again or waiting too long, I cannot connect.

Edit:
I also tried to disable the forward rules added by libvirtd, which helped to get it working with my pure iptables rules:

Code:

iptables -D  FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
iptables -D FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
Edit2: Using a hook script (http://blog.mindfab.net/2013/07/portfor ... m-mit.html) works, but this causes problems if I reload the firewall.
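
An added diagnostic for the situation in the post above (example code, not the poster's and not part of firewalld or libvirt). Two things are worth knowing when reading the listing: `iptables --list-rules` without `-t` shows only the filter table, while firewalld puts the DNAT half of every forward-port into the nat table, and the `--mark 0x64` to `0x67` ACCEPT rules in FWDI_public_allow (plus `0x68` in IN_public_allow for the toaddr-less 8085 entry) are the filter half of exactly those forward-ports. The script parses both `-S` dumps, pairs each DNAT/REDIRECT rule with its filter ACCEPT by mark, checks for MASQUERADE, and flags REJECT/DROP rules that sit in FORWARD ahead of firewalld's zone dispatch and match traffic entering on the external interface and leaving on the bridge, which is where DNAT'd packets for the VM would be rejected; the poster's own edit, that deleting libvirt's two FORWARD REJECT rules made forwarding work, is consistent with that. The sample dumps are constructed: the filter rules come from the listing in the post plus those two libvirt rules at the top of FORWARD, where libvirt inserts them, while the nat rules were never posted and are an assumption about how firewalld 0.3.x renders forward-ports (MARK, then DNAT in PRE_<zone>_allow) with a guessed mark-to-port pairing. The file name fwcheck.py is hypothetical.

```python
"""Cross-check firewalld forward-ports across the nat and filter tables.
Added example for this thread, not the poster's code. Input is the text of
`iptables -t nat -S` and `iptables -S`; the DNAT half of a forward-port lives in nat."""
import shlex
import sys


def parse_rules(dump):
    """Parse `iptables -S` output into {"chain", "opts", "raw"} dicts, in order."""
    rules = []
    for line in dump.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue                      # skip -P policy and -N chain lines
        opts, i, neg = {}, 2, ""
        while i < len(toks):
            if toks[i] == "!":            # negation prefixes the next option
                neg, i = "!", i + 1
                continue
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith(("-", "!"))
            if toks[i].startswith("-"):
                opts[neg + toks[i]] = toks[i + 1] if has_val else ""
                neg = ""
            i += 2 if has_val else 1
        rules.append({"chain": toks[1], "opts": opts, "raw": line.strip()})
    return rules


def forward_ports(nat):
    """mark -> DNAT/REDIRECT details; firewalld keys each forward-port on a mark."""
    out = {}
    for r in nat:
        o = r["opts"]
        if o.get("-j") in ("DNAT", "REDIRECT") and "--mark" in o:
            out[int(o["--mark"], 16)] = {
                "proto": o.get("-p", ""), "dport": o.get("--dport", ""), "target": o["-j"],
                "to": o.get("--to-destination") or o.get("--to-ports", "")}
    return out


def accepted_marks(flt):
    """mark -> filter chain that ACCEPTs new connections carrying that mark."""
    return {int(r["opts"]["--mark"], 16): r["chain"] for r in flt
            if r["opts"].get("-j") == "ACCEPT" and "--mark" in r["opts"]}


def shadowing_rejects(flt, in_iface, out_iface):
    """REJECT/DROP rules in FORWARD ahead of firewalld's zone dispatch that match
    forwarded traffic entering on in_iface and leaving on out_iface."""
    hits = []
    for r in flt:
        if r["chain"] != "FORWARD":
            continue
        o = r["opts"]
        if o.get("-j", "").startswith("FORWARD_IN_ZONES"):
            break                         # firewalld's own ACCEPT path starts here
        if (o.get("-j") in ("REJECT", "DROP") and o.get("-i", in_iface) == in_iface
                and o.get("-o", out_iface) == out_iface):
            hits.append(r["raw"])
    return hits


def check_forward(nat_dump, filter_dump, in_iface, out_iface):
    """Pair each forward-port with its filter ACCEPT; report masquerade and shadowing."""
    nat, flt = parse_rules(nat_dump), parse_rules(filter_dump)
    accepts = accepted_marks(flt)
    return {
        "masquerade": any(r["opts"].get("-j") == "MASQUERADE" for r in nat),
        "forward_ports": [dict(fp, mark=hex(m), filter_accept=accepts.get(m))
                          for m, fp in sorted(forward_ports(nat).items())],
        "shadowing_rejects": shadowing_rejects(flt, in_iface, out_iface)}


# Constructed sample input. FILTER_SAMPLE: the FORWARD path from the poster's listing
# plus the two libvirt REJECT rules the poster deleted in the edit, at the top of
# FORWARD where libvirt inserts them. NAT_SAMPLE was never posted: it is an assumption
# of how firewalld 0.3.x renders forward-ports (MARK, then DNAT in PRE_<zone>_allow;
# REDIRECT when toaddr is empty), with marks paired to ports by guess.
NAT_SAMPLE = """\
-A PRE_public_allow -p tcp -m tcp --dport 8000:8005 -j MARK --set-xmark 0x64/0xffffffff
-A PRE_public_allow -p tcp -m tcp --dport 8000:8005 -m mark --mark 0x64 -j DNAT --to-destination 192.168.122.96
-A PRE_public_allow -p tcp -m tcp --dport 8085 -j MARK --set-xmark 0x68/0xffffffff
-A PRE_public_allow -p tcp -m tcp --dport 8085 -m mark --mark 0x68 -j REDIRECT --to-ports 8090
-A POST_public_allow ! -o lo -j MASQUERADE
"""
FILTER_SAMPLE = """\
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j FORWARD_IN_ZONES
-A FWDI_public_allow -m conntrack --ctstate NEW -m mark --mark 0x64 -j ACCEPT
-A IN_public_allow -m conntrack --ctstate NEW -m mark --mark 0x68 -j ACCEPT
"""

if __name__ == "__main__":
    # python3 fwcheck.py <(iptables -t nat -S) <(iptables -S); with no args: samples
    nat_txt, flt_txt = ([open(p).read() for p in sys.argv[1:3]] if len(sys.argv) == 3
                        else [NAT_SAMPLE, FILTER_SAMPLE])
    rep = check_forward(nat_txt, flt_txt, "enp3s0", "virbr0")
    print("masquerade:", rep["masquerade"])
    for fp in rep["forward_ports"]:
        print(f"{fp['mark']} {fp['proto']}/{fp['dport']} {fp['target']} {fp['to']}: "
              f"filter ACCEPT in {fp['filter_accept'] or 'MISSING'}")
    for raw in rep["shadowing_rejects"]:
        print("forwarded traffic rejected first by:", raw)
```

On a live host run it as root with both dumps, passing the interface the outside connects to and the bridge the VM hangs off (`enp3s0` and `virbr0` in this thread). A forward-port whose mark has no ACCEPT in any `*_allow` chain is reported as MISSING; a REJECT listed under "rejected first by" is hit before firewalld's zone chains ever see the packet, so no amount of `--add-forward-port` or `--add-port` will help until that rule is dealt with.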

krs4keshara
Posts: 7
Joined: 2014/11/01 05:42:14

Re: Firewalld Port Forwarding does not work

Post by krs4keshara » 2014/11/03 03:08:14

As of my understanding, 'virbr0' is doing NAT from VM ---> HOST. So you don't expect to connect to your VM from outside. What I recommend is to use a bridge interface (br0) instead of 'virbr0'.
