Port forwarding not working on localhost

Issues related to configuring your network
davidbiesack
Posts: 13
Joined: 2017/04/19 13:58:39

Port forwarding not working on localhost

Post by davidbiesack » 2017/04/21 18:01:06

I have been able to configure firewalld to allow access to em1 from the public zone to a Tomcat 8 server running on port 8180, with port 80 mapped to 8180 (I'm not running httpd, just Tomcat): http://myhost.mydomain/ (and http://myhost.mydomain:8180/) works fine from other clients on the network. (I'm using 8180 since I want to keep 8080 open for development/test purposes.)

However, when I try to access http://myhost.mydomain/ or http://localhost/ from my CentOS 7 I get an error,
This site can’t be reached localhost refused to connect.
However, http://localhost:8180/ works. Thus the port forwarding does not appear to be working on localhost (but works externally). A stackoverflow question suggests adding an interface named 'lo' but it is not clear what that does.
The accepted answer "The server is not listening on loopback interface." does not tell me how to configure the loopback interface.

The Firewalld documentation does not mention localhost or loopback, and 'lo' is only mentioned without description.

My only active zone is public

$ sudo firewall-cmd --get-active-zones
public
  interfaces: em1
$ sudo firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources: 
  services: dhcpv6-client ssh
  ports: 8180/tcp 5900/tcp
  protocols: 
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8180:toaddr=
  sourceports: 
  icmp-blocks: 
  rich rules: 
Should I expect localhost to use a different zone? If so, how do I add the interface (is it really named lo?)

I tried:

$ sudo firewall-cmd --zone=trusted --add-interface=lo
$ sudo firewall-cmd --zone=trusted --add-port=80/tcp
$ sudo firewall-cmd --zone=trusted --add-port=8180/tcp
$ sudo firewall-cmd --zone=trusted --add-forward-port=port=80:proto=tcp:toport=8180
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --get-active-zones
public
  interfaces: em1
trusted
  interfaces: lo
$ sudo firewall-cmd --info-zone=trusted
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lo
  sources: 
  services: 
  ports: 80/tcp 8180/tcp
  protocols: 
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8180:toaddr=
  sourceports: 
  icmp-blocks: 
  rich rules: 
but still http://localhost/ does not work (but http://localhost:8180 does)
David Biesack
CentOS 7.2

Macenger
Posts: 23
Joined: 2016/10/18 08:29:57

Re: Port forwarding not working on localhost

Post by Macenger » 2017/04/25 11:26:07

Please share the output of:

# lsof -i:80
# lsof -i:8180

davidbiesack
Posts: 13
Joined: 2017/04/19 13:58:39

Re: Port forwarding not working on localhost

Post by davidbiesack » 2017/04/25 13:14:30

I don't know why firewall-client was not allowing this to work, but I solved it with:

sudo /sbin/iptables -t nat -D OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo /sbin/iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8180
sudo /sbin/iptables -t nat -I OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8180
sudo firewall-cmd --runtime-to-permanent
which is what I had done on my Ubuntu system before switching to CentOS 7.

I've not rebooted yet to ensure the iptables configuration sticks but it does work after doing

firewall-cmd --reload
Last edited by davidbiesack on 2017/04/25 15:21:17, edited 1 time in total.

davidbiesack
Posts: 13
Joined: 2017/04/19 13:58:39

Re: Port forwarding not working on localhost

Post by davidbiesack » 2017/04/25 13:33:28

Correction, my iptables settings do not persist after doing

sudo firewall-cmd --runtime-to-permanent
sudo firewall-cmd --reload
but I can at least add the iptables commands to a boot script

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Port forwarding not working on localhost

Post by TrevorH » 2017/04/25 16:10:51

You cannot mix and match iptables with firewalld. Firewalld runs as a daemon and "knows" how the rules "should be" and will put them back the way it thinks they ought to be at any time it feels like it. If you add a rule with the iptables command then sooner or later firewalld will notice the rule exists and if it doesn't think it should be there it will remove it.

Work out how to add your rules to firewalld using firewall-cmd or dump firewalld and use iptables-services instead. Do not attempt to use both at the same time or unpredictable results will occur.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

davidbiesack
Posts: 13
Joined: 2017/04/19 13:58:39

Re: Port forwarding not working on localhost

Post by davidbiesack » 2017/04/25 16:44:18

ok, sure... but that leaves me without a solution.

Why does

sudo firewall-cmd --zone=trusted --add-forward-port=port=80:proto=tcp:toport=8180
not work for lo when the same --add-forward-port works for public?
Is something else missing? The man page for firewall-cmd or wiki does not mention 'sourceports' which are empty.

$ sudo firewall-cmd --permanent --info-zone=trusted
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lo
  sources: 
  services: 
  ports: 80/tcp 8180/tcp 
  protocols: 
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8180:toaddr=
  sourceports: 
  icmp-blocks: 
  rich rules: 
Is that important?

I was hoping the out-of-the-box system would work. Without a solution, I'll disable firewalld and revert to iptables.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Port forwarding not working on localhost

Post by TrevorH » 2017/04/25 16:52:32

I am not a fan of firewalld.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Port forwarding not working on localhost

Post by hunter86_bg » 2017/04/26 17:42:02

I think you can't port forward for localhost. Either switch to iptables or as last resort - direct rules (but remember they are processed before anything else).
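The reason behind hunter86_bg's remark, and behind the earlier question of why the same --add-forward-port works for public but not for lo, is where the rules land in netfilter: a zone forward-port is installed on the nat PREROUTING path, which only packets arriving on an interface traverse. A request from the host itself to localhost (or to the host's own em1 address) is routed out over lo and traverses nat OUTPUT instead, so it never meets the zone's REDIRECT and reaches port 80 with nothing listening there. The iptables rules posted in this thread fix exactly that by adding a second REDIRECT in OUTPUT. The script below is an added example, not code from the thread or from the firewalld project: it walks an `iptables -t nat -S` dump from both PREROUTING and OUTPUT, following -j/-g jumps so rules buried in firewalld's sub-chains are found, and reports which path lacks the 80 -> 8180 redirect, whether a stale redirect to another port (the old 80 -> 8080 rules mentioned later) would shadow it, and whether anything listens on the target port. The three samples are constructed; the firewalld-style one is a simplified sketch of that layout, not a real dump, and the chain names in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Checks an `iptables -t nat -S` dump for
# a DPORT -> TOPORT REDIRECT on both netfilter paths a request can take:
#   PREROUTING  - packets arriving on an interface (remote clients)
#   OUTPUT      - packets generated on this host (http://localhost/ ...)
# firewalld zone forward-ports only populate the PREROUTING path, which is why
# localhost requests were refused until an OUTPUT rule existed.
# Live use:  sudo iptables -t nat -S | audit_redirect 80 8180

# reachable_redirect ROOT DPORT TOPORT  (rules on stdin) -> prints yes|no
# Walks -j/-g jumps from ROOT so rules in firewalld's sub-chains are found too.
reachable_redirect() {
  awk -v root="$1" -v dport="$2" -v toport="$3" '
    $1 == "-A" {
      chain = $2; target = ""; dp = ""; tp = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-j" || $i == "-g") target = $(i + 1)
        if ($i == "--dport")          dp = $(i + 1)
        if ($i == "--to-ports")       tp = $(i + 1)
      }
      if (target == "REDIRECT") { if (dp == dport && tp == toport) hit[chain] = 1 }
      else if (target != "")    edges[chain] = edges[chain] " " target
    }
    END {
      # breadth-first walk over the chains reachable from ROOT
      queue[0] = root; seen[root] = 1; head = 0; tail = 1
      while (head < tail) {
        c = queue[head++]
        if (c in hit) { print "yes"; exit }
        n = split(edges[c], nxt, " ")
        for (k = 1; k <= n; k++)
          if (!(nxt[k] in seen)) { seen[nxt[k]] = 1; queue[tail++] = nxt[k] }
      }
      print "no"
    }'
}

# audit_redirect DPORT TOPORT  (rules on stdin)
# Exit 0 when both paths redirect; otherwise report what is missing or stale.
audit_redirect() {
  dport=$1; toport=$2; status=0
  rules=$(cat)
  [ "$(printf '%s\n' "$rules" | reachable_redirect PREROUTING "$dport" "$toport")" = yes ] ||
    { echo "missing: $dport->$toport REDIRECT on the PREROUTING path (remote clients)"; status=1; }
  [ "$(printf '%s\n' "$rules" | reachable_redirect OUTPUT "$dport" "$toport")" = yes ] ||
    { echo "missing: $dport->$toport REDIRECT on the OUTPUT path (localhost clients)"; status=1; }
  # A leftover redirect to another port (e.g. an old 80 -> 8080 rule) wins if it
  # sits earlier in the chain, since REDIRECT terminates traversal; report it.
  stale=$(printf '%s\n' "$rules" | grep -E -- "--dport $dport .*-j REDIRECT --to-ports " |
          grep -v -- "--to-ports $toport\$" || true)
  [ -z "$stale" ] || { echo "stale redirect(s) on port $dport:"; echo "$stale"; status=1; }
  return $status
}

# listening_on PORT  (`ss -ltn` output on stdin) -> prints yes|no
# Confirms the redirect target actually has a listener (the lsof check above).
listening_on() {
  grep -E "^LISTEN[[:space:]].*[:*]$1[[:space:]]" >/dev/null && echo yes || echo no
}

# Constructed sample 1: simplified sketch of the table firewalld builds for a
# zone forward-port (chain names assumed; real dumps carry more chains).
FIREWALLD_NAT='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N OUTPUT_direct
-N PREROUTING_ZONES
-N PRE_public
-N PRE_public_allow
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i em1 -g PRE_public
-A PRE_public -j PRE_public_allow
-A PRE_public_allow -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8180'

# Constructed sample 2: the iptables-services rules from this thread as -S prints
# them (iptables prints --to-ports even when the rule was added with --to-port).
IPTABLES_NAT='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8180
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8180'

# Constructed sample 3: `ss -ltn` with Tomcat on 8180 and nothing on 80
LISTENERS='State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      100    :::8180            :::*
LISTEN  0      128    *:22               *:*'

echo "firewalld-style table:";  printf '%s\n' "$FIREWALLD_NAT" | audit_redirect 80 8180 || true
echo "iptables-services table:"; printf '%s\n' "$IPTABLES_NAT" | audit_redirect 80 8180 && echo "ok: both paths redirect 80 -> 8180"
echo "tomcat listening on 8180: $(printf '%s\n' "$LISTENERS" | listening_on 8180)"
```

Run against the firewalld-style sample the audit reports the OUTPUT path as missing, which is the symptom described in this thread; against the iptables-services sample both paths pass. On a live CentOS 7 box the same functions take `sudo iptables -t nat -S` and `ss -ltn` on stdin, and a failing audit after a `firewall-cmd --reload` is a quick way to see whether a hand-added iptables rule has been dropped again.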

davidbiesack
Posts: 13
Joined: 2017/04/19 13:58:39

Re: Port forwarding not working on localhost

Post by davidbiesack » 2017/04/26 18:08:47

yes, I switched:

sudo yum install iptables-services
sudo systemctl mask firewalld.service
sudo systemctl enable iptables.service

# Optional:
# systemctl enable ip6tables.service
# Optional: you may have 80 -> 8080 redirects. If so, -D (delete) them first:
sudo /sbin/iptables -t nat -D OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo /sbin/iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8180
sudo /sbin/iptables -t nat -I OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8180
sudo service iptables save

and now my service is working great.

I reported this as a bug.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Port forwarding not working on localhost

Post by TrevorH » 2017/04/26 18:19:28

I saw the bug but you need to report that upstream on bugzilla.redhat.com to stand a chance of getting it fixed. As far as CentOS is concerned, bugs are things that don't work the same as in RHEL and if it does, it's not a bug, it's an upstream feature ;-)
