firewalld - pass traffic through firewall with firewall-cmd

Support for security such as Firewalls and securing linux
gnpf
Posts: 6
Joined: 2010/03/09 12:08:37

firewalld - pass traffic through firewall with firewall-cmd

Post by gnpf » 2015/07/20 17:44:24

Hi,

I have some problems understanding the iptables configuration. I want to forward some traffic through the CentOS 7 firewall.
There must be no NAT, because all addresses are public addresses.

Setup:
Internet -> LAN A <- |IF:enp0s25<-Centos7 GW-> IF:enp3s2| -> LAN B -> (DMZ)

I try to realize:
a) allow incoming traffic on enp0s25 from any address to LAN_B_IP1/2 (on enp3s2) on port 80;
b) allow outgoing traffic from $LAN_B_IP3/4 to connect to any addresses on port 25.

I'm not sure how it works with firewall-cmd.

THX,
tom

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: firewalld - pass traffic through firewall with firewall-

Post by aks » 2015/07/21 18:04:22

It kind of sounds like you need to use the rich rules syntax, see: https://fedoraproject.org/wiki/Features ... chLanguage

A simpler solution: instead of using the interface name, use the IP address of the interface (so, say, the address of enp0s25). This also means that if later you change hardware, the firewall can "follow" the hardware change. As a further clue, "any address" is 0.0.0.0/0.

gnpf
Posts: 6
Joined: 2010/03/09 12:08:37

Re: firewalld - pass traffic through firewall with firewall-

Post by gnpf » 2015/07/23 09:03:37

I try:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" destination address="$LAN_B_IP1" service name="http" accept'
which generates an iptables rule:

-A IN_public_allow -d $LAN_B_IP1/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
but it does not work.
tcpdump shows only the incoming SYN packets:

[root@lb1 ~]# tcpdump -npi enp0s25 host  $LAN_B_IP1
11:27:17.083739 IP   x.x.x.x.44946 >  $LAN_B_IP1.http: Flags [S], seq 2033291673, win 29200, options [mss 1460,sackOK,TS val 831795331 ecr 0,nop,wscale 7], length 0
11:27:17.083819 IP x.x.x.x.1.44947 > $LAN_B_IP1.http: Flags [S], seq 1641215505, win 29200, options [mss 1460,sackOK,TS val 831795331 ecr 0,nop,wscale 7], length 0
11:27:17.086700 IP   x.x.x.x.44948 >  $LAN_B_IP1.http: Flags [S], seq 2621696850, win 29200, options [mss 1460,sackOK,TS val 831795334 ecr 0,nop,wscale 7], length 0

firewall-cmd --get-active-zones
public
  interfaces: enp0s25 enp3s2

firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: enp0s25 enp3s2
  sources: 
  services: dhcpv6-client high-availability ssh
  ports: 4711/tcp 443/tcp 80/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="0.0.0.0/0" destination address="$LAN_B_IP1/32" service name="http" accept
(yes, forwarding is on and it works if I turn iptables off)
I don't understand what happens. :(

gnpf
Posts: 6
Joined: 2010/03/09 12:08:37

Re: firewalld - pass traffic through firewall with firewall-

Post by gnpf » 2015/07/23 10:13:01

If I use:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" destination address="$LAN_B_IP1" forward-port to-addr="$LAN_B_IP1" to-port="80" protocol="tcp" port="80"'
firewall-cmd --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" destination address="$LAN_B_IP2" forward-port to-addr="$LAN_B_IP2" to-port="80" protocol="tcp" port="80"'
I can connect to $LAN_B_IP1, but if I try $LAN_B_IP2 I will be routed to $LAN_B_IP1. :(

iptables -t nat -L|grep LAN_B
DNAT       tcp  --  anywhere             anywhere             mark match 0x64 to:$LAN_B_IP1:80
DNAT       tcp  --  anywhere             anywhere             mark match 0x65 to:$LAN_B_IP2:80

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: firewalld - pass traffic through firewall with firewall-

Post by aks » 2015/07/23 17:18:51

firewall-cmd --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" destination address="$LAN_B_IP1" service name="http" accept'
You don't need a source address here. You certainly don't need "any" address as the packet is already "in" the router - otherwise it could not exit the outbound interface. If you want to put in a source address, the IP address of the exit interface would be more appropriate. The "any" address is generally used to allow packets from a large or not easy to summarize network (like the Internet) inbound access.
-A IN_public_allow -d $LAN_B_IP1/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
This will only allow new connections to the port. From https://help.ubuntu.com/community/IptablesHowTo:
--ctstate - Define the list of states for the rule to match on. Valid states are:
NEW - The connection has not yet been seen.
RELATED - The connection is new, but is related to another connection already permitted.
ESTABLISHED - The connection is already established.
INVALID - The traffic couldn't be identified for some reason
Perhaps restart the firewall and then reconduct your tests?
I can connect to $LAN_B_IP1, but if I try $LAN_B_IP2 I will be routed to $LAN_B_IP1.
I'm not sure what this means. Do you mean you don't have load balancing across your two IP addresses connected to a single network?
iptables -t nat -L|grep LAN_B
DNAT tcp -- anywhere anywhere mark match 0x64 to:$LAN_B_IP1:80
DNAT tcp -- anywhere anywhere mark match 0x65 to:$LAN_B_IP2:80
I thought you didn't want to use NAT?

gnpf
Posts: 6
Joined: 2010/03/09 12:08:37

Re: firewalld - pass traffic through firewall with firewall-

Post by gnpf » 2015/07/24 07:18:54

-A IN_public_allow -d $LAN_B_IP1/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
This is not enough, traffic is still blocked.


iptables -t nat -L|grep LAN_B
DNAT       tcp  --  anywhere             anywhere             mark match 0x64 to:$LAN_B_IP1:80
DNAT       tcp  --  anywhere             anywhere             mark match 0x65 to:$LAN_B_IP2:80
I thought you didn't want to use NAT?
Forget this rule, it was just a test and yes, I don't need NAT.

I can connect to $LAN_B_IP1, but if I try $LAN_B_IP2 I will be routed to $LAN_B_IP1
I'm not sure what this means. Do you mean you don't have load balancing across your two IP addresses connected to a single network?
The only thing I want is to reach the 2 (or n) webservers behind the CentOS 7 box directly from outside. No NAT, just plain routing through.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: firewalld - pass traffic through firewall with firewall-

Post by aks » 2015/07/24 17:55:37

Okay, let's put some IP addresses on this - you don't have to use your real addresses, but it may be easier if you use the same subnet masks as you plan to.

Also please provide output of:

ip addr sh

ip route sh

iptables -L

firewall-cmd --list-all

A list of any network devices between both endpoints.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: firewalld - pass traffic through firewall with firewall-

Post by aks » 2015/07/24 18:04:24

And also ss -ant | grep 80 # on the target machine just to confirm we have a listener there

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: firewalld - pass traffic through firewall with firewall-

Post by aks » 2015/07/24 18:05:47

The order of rules in iptables is significant. When a rule is matched the processor will not compare others. That is why I want to see your current chains.
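Added example, not from this thread or from firewalld's own tooling: a small POSIX sh check that reads `iptables -S` output and reports whether an ACCEPT for a given destination and port sits on the INPUT path (the IN_public_allow chain the rich rule above landed in, which only covers traffic addressed to the gateway itself) or on the FORWARD path, which is what routed traffic to LAN B actually traverses. It assumes firewalld's chain naming (IN_* hooked from INPUT, FORWARD_* from FORWARD) and uses a constructed rule set with 203.0.113.10 standing in for $LAN_B_IP1.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output on a CentOS 7 firewalld host, modelled
# on the chain names seen in the thread; 203.0.113.10 stands in for $LAN_B_IP1.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-N IN_public_allow
-N FORWARD_IN_public_allow
-A INPUT -j INPUT_ZONES
-A FORWARD -j FORWARD_IN_ZONES
-A IN_public_allow -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD_IN_public_allow -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT'

# accept_paths DEST PORT: read iptables -S rules on stdin and print which built-in
# paths (INPUT and/or FORWARD) hold an ACCEPT for tcp traffic to DEST:PORT.
# Assumption: firewalld's naming, where IN_* chains hang off INPUT and FORWARD_*
# chains hang off FORWARD. Anything else is reported as OTHER.
accept_paths() {
  awk -v dest="$1" -v port="$2" '
    $1 == "-A" && / -j ACCEPT$/ {
      d = 0; p = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "-d" && ($(i+1) == dest || $(i+1) == (dest "/32"))) d = 1
        if ($i == "--dport" && $(i+1) == port) p = 1
      }
      if (d && p) {
        chain = $2
        if (chain ~ /^(INPUT|IN_)/) path = "INPUT"
        else if (chain ~ /^FORWARD/) path = "FORWARD"
        else path = "OTHER"
        if (!seen[path]++) out = out (out == "" ? "" : " ") path
      }
    }
    END { print out }'
}

# forward_accepts DEST PORT: succeed only if routed traffic to DEST:PORT is
# accepted on the FORWARD path; an INPUT-only rule is not enough on a gateway.
forward_accepts() {
  case " $(accept_paths "$1" "$2") " in
    *" FORWARD "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo: the port-80 rule from the thread only lives under INPUT.
printf '%s\n' "$SAMPLE_RULES" | accept_paths 203.0.113.10 80   # prints: INPUT
```

On a live box, replace the sample with `iptables -S | accept_paths <dest> <port>` to see which path a rule really landed on before re-running tcpdump.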
