Port forwarding to internal ip address

christophK
Posts: 18
Joined: 2017/02/11 17:47:48

Port forwarding to internal ip address

Post by christophK » 2017/02/11 19:06:41

Hi,

I have installed CentOS on a managed server. For some reason I decided to install IKEv2 for VPN to connect the VPN clients to a Samba server also installed on the system.

When I'm connected to the server through VPN, I can access all running services whose ports are enabled in the firewall public zone, all packets now going through the VPN tunnel.

But for Samba I need a (virtual) network behind the public zone, because I don't want to set the Samba ports in the public area. So I installed a virtual ethernet card eth0.5 with the IP address 192.168.7.1, assigned the network card to the internal zone and configured the internal zone in firewalld to accept SMB connections.

Now I configured the firewall to forward my IPsec ports to the "internal" IP address.
firewall-cmd --zone=public --add-forward-port=port=500:proto=udp:toaddr=192.168.7.1
firewall-cmd --zone=public --add-forward-port=port=4500:proto=udp:toaddr=192.168.7.1

But IP forwarding with an IP on the same machine does not work.

I also tried:
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=192.168.7.1
but I can't access the webserver.

In a different area, I tried
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=192.168.3.31
but there 192.168.3.31 is an external device (webserver). Port forwarding works and I can access the webserver.

[root@server ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0.5
IPV6INIT=no
NETBOOT=yes
PHYSDEV=eth0
BROADCAST=192.168.7.255
VLAN=yes
NAME=""
BOOTPROTO=none
MACADDR=""
TYPE=Ethernet
DEVICE=eth0.5
NETMASK=255.255.255.0
MTU=""
IPADDR=192.168.7.1
NETWORK=192.168.7.0
ONBOOT=yes
ZONE=internal

[root@server ~]# firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: https imaps smtp smtps
  ports: 22000/tcp 587/tcp
  protocols: 
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=:toaddr=192.168.7.1
	port=500:proto=udp:toport=:toaddr=192.168.7.1
	port=4500:proto=udp:toport=:toaddr=192.168.7.1
  sourceports: 
  icmp-blocks: 
  rich rules: 

[root@server ~]# firewall-cmd --info-zone=internal
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0.5
  sources: 
  services: http ipsec
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
I hope someone can help me.
Regards, Christoph
Last edited by christophK on 2017/02/12 21:51:01, edited 1 time in total.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Port forwarding to internal ip address

Post by hunter86_bg » 2017/02/11 20:25:48

Have you tried with adding the port for the destination?
Adding Environment=SYSTEMD_LOG_LEVEL=debug in the service stanza of the firewalld service file will enable debugging. Just copy the service file to /etc/firewalld/services first.

christophK
Posts: 18
Joined: 2017/02/11 17:47:48

Re: Port forwarding to internal ip address

Post by christophK » 2017/02/11 21:15:40

Thanks for your answer.
I have now also added the destination port, but I still can't reach the webserver or establish a VPN connection.

firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: https imaps smtp smtps
  ports: 11111/tcp 22000/tcp 587/tcp
  protocols: 
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=80:toaddr=192.168.7.1
	port=4500:proto=udp:toport=4500:toaddr=192.168.7.1
	port=500:proto=udp:toport=500:toaddr=192.168.7.1
  sourceports: 
  icmp-blocks: 
  rich rules: 
I enabled debugging in /etc/sysconfig/firewalld
but the firewalld log shows no information when trying to connect to the server.
Last edited by christophK on 2017/02/12 20:20:04, edited 1 time in total.

kbocek
Posts: 242
Joined: 2005/05/30 15:40:15
Location: Benicia CA, USA

Re: Port forwarding to internal ip address

Post by kbocek » 2017/02/11 21:53:59

Wow, I was just going to post this same problem. I also can't seem to get port forwarding to work with firewalld. The web server is accessible from the internal network but not from the external interface:

$firewall-cmd --zone=shpublic --list-all
shpublic (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: dhcpv6-client http https openvpn smtp ssh
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: yes
  forward-ports: 
        port=443:proto=tcp:toport=:toaddr=10.0.2.9
        port=80:proto=tcp:toport=:toaddr=10.0.2.9
  sourceports:
  icmp-blocks:
  rich rules:
I see many people complaining about this issue but no clear answers. Some suggested this iptables rule:

REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
at the end of the INPUT table might be the issue.

christophK
Posts: 18
Joined: 2017/02/11 17:47:48

Re: Port forwarding to internal ip address

Post by christophK » 2017/02/11 22:55:28

For your problem I need a little more information about your environment.
Are the webserver and the external device on the same server?

You have opened the services http and https, ports 80 and 443, for enp3s0 (shpublic zone) and also forwarded 443 and 80 to 10.0.2.9.

If enp3s0 is the external interface you should remove the port forwarding for 443 and 80 in the shpublic zone.
Also decide whether to configure the services http and https or the ports 80 and 443, but not both.

desertcat
Posts: 843
Joined: 2014/08/07 02:17:29
Location: Tucson, AZ

Re: Port forwarding to internal ip address

Post by desertcat » 2017/02/12 03:38:51

Not sure this will work or not, but... I run a small home network of three computers that are cabled together. The first computer in line is the firewall and behind it sit the other computers. While I can get to the firewall I can't get to the ones behind it, thus have to port forward to the internal ip addresses. Here is how I get there:

Start a konsole and as root type two commands:

/sbin/iptables -A FORWARD -o eth1 -j ACCEPT

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Not sure if this will work or not in your case, you might -- probably will -- have to tweak the scripts.

Once I take the network down for maintenance (or in the event of power loss or whatever), the first computer I bring back online is the "Firewall" computer which can act as a stand alone computer, I then, as root, run the above two commands. After I have run those two commands I can then bring up the two workstations behind the "Firewall". Hope this helps.

christophK
Posts: 18
Joined: 2017/02/11 17:47:48

Re: Port forwarding to internal ip address

Post by christophK » 2017/02/12 09:43:50

Thank you but unfortunately it did not work.

I gave it a try, and the "-A IN_internal_allow -o eth0.5 -j ACCEPT" rule appeared in my iptables list, but it didn't have any effect.

MASQUERADE is already enabled in the firewalld config for the public zone (eth0, the outgoing device), but I don't think it has anything to do with that, because it lets the server act as a router for outgoing connections, for example for internal clients connecting to the internet. In my case this works. When I connect a client via VPN, all requests to the internet are passed through the tunnel and the public zone.

As I mentioned, it has something to do with forwarding to an IP address on the same machine, because in a different environment, forwarding from external (public zone) to an IP address on a different machine in the internal network works.
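Added example, not code from any post in this thread: a POSIX shell check that flags firewalld forward-port rules whose toaddr is an address the host itself owns. A DNAT to a host-local address is delivered through the INPUT path, where firewalld (iptables backend) filters by the zone of the ingress interface rather than the zone of the interface that holds the address; the two inputs are constructed to mirror the configuration quoted earlier in the thread, with 203.0.113.10 standing in for the public address.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. It flags firewalld
# forward-port rules whose toaddr is an address this host itself owns.
# Inputs are constructed below; on a live system substitute the output of
#   firewall-cmd --zone=public --list-forward-ports
#   ip -4 -o addr show

# Constructed output of: firewall-cmd --zone=public --list-forward-ports
FORWARD_PORTS='port=80:proto=tcp:toport=80:toaddr=192.168.7.1
port=500:proto=udp:toport=500:toaddr=192.168.7.1
port=4500:proto=udp:toport=4500:toaddr=192.168.7.1
port=8080:proto=tcp:toport=80:toaddr=192.168.3.31'

# Constructed output of: ip -4 -o addr show (203.0.113.10 is a documentation address)
LOCAL_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth0.5    inet 192.168.7.1/24 brd 192.168.7.255 scope global eth0.5\       valid_lft forever preferred_lft forever'

# flag_local_forwards FORWARD_RULES LOCAL_ADDR_LINES
# Prints one "LOCAL <rule> -> <addr> on <iface>" line per rule whose toaddr
# is assigned to a local interface. Such a DNAT lands in the INPUT path and
# is filtered by the zone of the ingress interface (eth0 -> public), not by
# the zone that holds the target address (eth0.5 -> internal).
flag_local_forwards() {
    fwd_rules=$1
    local_lines=$2
    # Reduce "ip -4 -o addr" lines to "address iface" pairs.
    pairs=$(printf '%s\n' "$local_lines" | awk '{ split($4, a, "/"); print a[1], $2 }')
    printf '%s\n' "$fwd_rules" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        toaddr=${rule##*toaddr=}   # text after "toaddr="
        toaddr=${toaddr%%:*}       # keep only the address itself
        iface=$(printf '%s\n' "$pairs" | awk -v a="$toaddr" '$1 == a { print $2; exit }')
        if [ -n "$iface" ]; then
            printf 'LOCAL %s -> %s on %s\n' "$rule" "$toaddr" "$iface"
        fi
    done
}

# Rules whose toaddr is not local (192.168.3.31 here) are genuine forwards
# to another machine and are not reported.
flag_local_forwards "$FORWARD_PORTS" "$LOCAL_ADDRS"
```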

kbocek
Posts: 242
Joined: 2005/05/30 15:40:15
Location: Benicia CA, USA

Re: Port forwarding to internal ip address

Post by kbocek » 2017/02/12 16:38:44

christophK wrote: if enp3s0 is the external interface you should remove port forwarding for 443 and 80 in the shpublic zone.
also decide to configure the services http, https or ports 80, 443 but not both.
Remove the forwarding? That's exactly what you and I are unsuccessfully trying to do: forward ports. Now I both *opened* the ports and enabled the services trying to get this to work. So I can see removing the port openings. But not the forwards.

kbocek
Posts: 242
Joined: 2005/05/30 15:40:15
Location: Benicia CA, USA

Re: Port forwarding to internal ip address

Post by kbocek » 2017/02/12 19:02:55

Darn! Thought I had it. But no.

/etc/sysconfig/iptables contains:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
I tried adding port 80 and 443 lines as well as commenting out the FORWARD/REJECT line. Still no love. Forwarding is still not working.

christophK
Posts: 18
Joined: 2017/02/11 17:47:48

Re: Port forwarding to internal ip address

Post by christophK » 2017/02/12 19:11:42

Where is 10.0.2.9? Is it an IP of an interface on the same machine or inside your internal network?

If 10.0.2.9 is the IP of a webserver inside your internal network, then yes, you have to forward the ports, but there is no need to enable the ports and services in the zone. Just forwarding should be enough.

Sorry, but I have no information about your environment.

If the webserver is running on the same device as the enp3s0 card is installed in, then opening the ports or services should be enough.

That's the reason I asked for more information about your environment.
Last edited by christophK on 2017/02/12 19:40:43, edited 1 time in total.
