I've got a problem which has kept me busy for two days. To work around this problem I could disable firewalld and use pure iptables, but I want to use this new technology.
My setup consists of the host and a VM (IP: 192.168.122.96) which is controlled by libvirt.
- Inside the VM "nc -l 8080" is running.
Running "nc 192.168.122.96 8080" on the host works very well.
I want to forward the host port 8080 to 192.168.122.96 8080, so I added:
Code:
firewall-cmd --add-masquerade
firewall-cmd --query-forward-port=port=8080:proto=tcp:toport=8080:toaddr=192.168.122.96
Connecting from an external host does not work; "nc 127.0.0.1 8080" on the host does not work, but "nc 192.168.122.96 8080" still works.
- http://forums.fedoraforum.org/showthread.php?t=294446
- http://www.certdepot.net/rhel7-get-started-firewalld/
- https://access.redhat.com/documentation ... walls.html
Code:
firewall-cmd --permanent --zone=trusted --add-source=192.168.122.0/24
Code:
firewall-cmd --get-active-zones
public
interfaces: enp3s0 virbr0
trusted
interfaces: vnet0
sources: 192.168.122.0/24
I also temporarily tried adding:
Code:
firewall-cmd --add-port=8000-9000/tcp
Code:
firewall-cmd --zone=public --list-all
public (default, active)
interfaces: enp3s0 virbr0
sources:
services: dhcpv6-client ssh
ports:
masquerade: yes
forward-ports: port=8000-8005:proto=tcp:toport=:toaddr=192.168.122.96
port=1109-1113:proto=tcp:toport=:toaddr=192.168.122.96
port=8000-8005:proto=udp:toport=:toaddr=192.168.122.96
port=8085:proto=tcp:toport=8090:toaddr=
port=1109-1113:proto=udp:toport=:toaddr=192.168.122.96
icmp-blocks:
rich rules:
Code:
iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_public
-N FWDI_public_allow
-N FWDI_public_deny
-N FWDI_public_log
-N FWDI_trusted
-N FWDI_trusted_allow
-N FWDI_trusted_deny
-N FWDI_trusted_log
-N FWDO_public
-N FWDO_public_allow
-N FWDO_public_deny
-N FWDO_public_log
-N FWDO_trusted
-N FWDO_trusted_allow
-N FWDO_trusted_deny
-N FWDO_trusted_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_public
-N IN_public_allow
-N IN_public_deny
-N IN_public_log
-N IN_trusted
-N IN_trusted_allow
-N IN_trusted_deny
-N IN_trusted_log
-N OUTPUT_direct
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i vnet0 -j FWDI_trusted
-A FORWARD_IN_ZONES -i virbr0 -g FWDI_public
-A FORWARD_IN_ZONES -i enp3s0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_IN_ZONES_SOURCE -s 192.168.122.0/24 -j ACCEPT
-A FORWARD_OUT_ZONES -o vnet0 -j FWDO_trusted
-A FORWARD_OUT_ZONES -o virbr0 -g FWDO_public
-A FORWARD_OUT_ZONES -o enp3s0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FORWARD_OUT_ZONES_SOURCE -d 192.168.122.0/24 -j ACCEPT
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public_allow -m conntrack --ctstate NEW -m mark --mark 0x64 -j ACCEPT
-A FWDI_public_allow -m conntrack --ctstate NEW -m mark --mark 0x65 -j ACCEPT
-A FWDI_public_allow -m conntrack --ctstate NEW -m mark --mark 0x66 -j ACCEPT
-A FWDI_public_allow -m conntrack --ctstate NEW -m mark --mark 0x67 -j ACCEPT
-A FWDI_trusted -j FWDI_trusted_log
-A FWDI_trusted -j FWDI_trusted_deny
-A FWDI_trusted -j FWDI_trusted_allow
-A FWDI_trusted -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A FWDO_public_allow -j ACCEPT
-A FWDO_trusted -j FWDO_trusted_log
-A FWDO_trusted -j FWDO_trusted_deny
-A FWDO_trusted -j FWDO_trusted_allow
-A FWDO_trusted -j ACCEPT
-A INPUT_ZONES -i vnet0 -j IN_trusted
-A INPUT_ZONES -i virbr0 -g IN_public
-A INPUT_ZONES -i enp3s0 -g IN_public
-A INPUT_ZONES -g IN_public
-A INPUT_ZONES_SOURCE -s 192.168.122.0/24 -j ACCEPT
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -m conntrack --ctstate NEW -m mark --mark 0x68 -j ACCEPT
-A IN_trusted -j IN_trusted_log
-A IN_trusted -j IN_trusted_deny
-A IN_trusted -j IN_trusted_allow
-A IN_trusted -j ACCEPT
The interesting fact is, when I run "firewall-cmd --reload" and instantly initiate the connection, it works until I terminate the connection and try again.
When trying again or waiting too long, I cannot connect.
Edit:
I also tried to disable the forward rules added by libvirtd, which helped to get it working with my pure iptables rules:
Code:
iptables -D FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
iptables -D FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
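A check for the rule-ordering situation the edit above works around, added here as an example and not part of the post or of firewalld/libvirt: it reads `iptables -S FORWARD` output and reports libvirt's REJECT rules on virbr0 that sit in front of firewalld's FORWARD_IN_ZONES jump, so new forwarded connections to the VM would be rejected before the zone chains are consulted. The sample listing and its ordering are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic, not from the forum post. Usage on a live host:
#   iptables -S FORWARD | forward_shadow_check
# Exit 0: no libvirt REJECT on virbr0 precedes the firewalld zone jump.
# Exit 1: at least one such rule precedes it (rule numbers are printed,
#         matching what `iptables -L FORWARD --line-numbers` would show).
# Exit 2: no FORWARD_IN_ZONES jump found at all (firewalld not managing FORWARD).
forward_shadow_check() {
    awk '
        /^-A FORWARD / { n++ }                                    # count appended rules
        /^-A FORWARD .*-j FORWARD_IN_ZONES$/ && !zone { zone = n } # firewalld zone jump
        /^-A FORWARD .*virbr0 .*-j REJECT/ { rej[n] = $0 }         # libvirt-style REJECTs
        END {
            if (!zone) { print "firewalld FORWARD_IN_ZONES jump not found"; exit 2 }
            bad = 0
            for (i = 1; i < zone; i++)
                if (i in rej) { printf "rule %d shadows firewalld: %s\n", i, rej[i]; bad = 1 }
            exit bad
        }'
}

# Constructed sample: libvirt rules inserted ahead of the firewalld rules (hypothetical order).
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Run the check against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_FORWARD" | forward_shadow_check
```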