Firewall not passing traffic on open port

Support for security such as Firewalls and securing linux
mmartinell
Posts: 2
Joined: 2018/03/14 13:30:42

Firewall not passing traffic on open port

Postby mmartinell » 2018/03/14 13:41:10

I seem to have somehow broken my firewalld on CentOS 7. I am running NGINX, serving a site on port 80, which it has been happily doing for several months. The instant I turn the firewall off, the site immediately loads on the client. When I turn the firewall back on, the site is immediately not accessible. I have confirmed that my interface is in the public zone and that the zone has both port 80 and the http service. Other traffic, like ssh and mysql, pass just fine with the firewall on to the same client. I have tried multiple clients.

The only thing I can think of that changed was that I did a "yum remove perl/ yum install perl" while I was troubleshooting a perl issue. I'm not sure how that could at all be related, but it's the only event that happened before this stopped working.

What am I missing?

Here is my firewall config:


[root@mirror ~]# firewall-cmd --get-active-zones
public
interfaces: ens192

[root@mirror ~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: dhcpv6-client ssh http nfs mountd rpc-bind ntp mysql https
ports: 3128/tcp 80/tcp
protocols:
masquerade: yes
forward-ports: port=80:proto=tcp:toport=3128:toaddr=172.20.3.149
source-ports:
icmp-blocks:
rich rules:


I can also confirm through iptables that this is properly open.


[root@mirror ~]# iptables-save | grep 80
-A PRE_public_allow -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x64/0xffffffff
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT


Note: I posted this previously to linuxquestions, but did not receive any responses, so I am trying here.

TrevorH
Forum Moderator
Posts: 22285
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Firewall not passing traffic on open port

Postby TrevorH » 2018/03/14 15:45:12

Why do you have forwarding rules for port 80 to 172.20.3.149 and also allow port 80 in the INPUT chain? Is your nginx on the same server as firewalld and do you really need to forward packets to it?
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

mmartinell
Posts: 2
Joined: 2018/03/14 13:30:42

Re: Firewall not passing traffic on open port

Postby mmartinell » 2018/03/14 16:34:12

Sometimes all it takes is a second set of eyes, as removing that did the trick.

For reference:


firewall-cmd --permanent --zone=public --remove-forward-port=port=80:proto=tcp:toport=3128:toaddr=172.20.3.149
firewall-cmd --reload


Thanks!
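The cause TrevorH spotted (a forward-port for 80/tcp in the same zone that also opens 80/tcp, so packets are redirected in PREROUTING before the INPUT accept rule is ever consulted) is easy to miss by eye in a long zone listing. The script below is an added example, not from the thread or from firewalld itself: it parses the text of `firewall-cmd --zone=<zone> --list-all` and reports every forward-port whose inbound port/proto the zone also lists under `ports:`. The zone dump embedded in it is constructed to mirror the one in the first post; the function name `find_shadowed_ports` is my own.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=public --list-all` output,
# modelled on the zone in the thread; not captured from a live host.
SAMPLE_ZONE='public (active)
  target: default
  interfaces: ens192
  services: dhcpv6-client ssh http mysql https
  ports: 3128/tcp 80/tcp
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=3128:toaddr=172.20.3.149
  rich rules: '

# Print one "port/proto" line for each forward-port whose inbound port/proto
# also appears under "ports:" in the same dump. Traffic to such a port is
# DNAT-ed by the PRE_<zone> rules before the IN_<zone>_allow ACCEPT in INPUT
# is reached, so a local listener on that port never sees it.
# Handles both firewalld layouts: several entries space-separated on the
# "forward-ports:" line, or one entry per tab-indented continuation line.
# Services (e.g. "http") are not resolved to port numbers here.
find_shadowed_ports() {
    zone_dump="$1"
    open_ports=$(printf '%s\n' "$zone_dump" |
        sed -n 's/^[[:space:]]*ports:[[:space:]]*//p')
    printf '%s\n' "$zone_dump" |
    awk '/^[[:space:]]*forward-ports:/ {
             sub(/^[[:space:]]*forward-ports:[[:space:]]*/, "")
             blk = 1; n = split($0, a, " ")
             for (i = 1; i <= n; i++) print a[i]
             next
         }
         blk && /^\t/ { sub(/^\t+/, ""); print; next }
         { blk = 0 }' |
    while IFS= read -r fwd; do
        port=${fwd#port=};    port=${port%%:*}     # "80"
        proto=${fwd#*:proto=}; proto=${proto%%:*}  # "tcp"
        for p in $open_ports; do
            if [ "$p" = "$port/$proto" ]; then
                printf '%s\n' "$p"
            fi
        done
    done
}

# On a live host (as root) you would pass the real listing instead:
#   find_shadowed_ports "$(firewall-cmd --zone=public --list-all)"
find_shadowed_ports "$SAMPLE_ZONE"
```

A non-empty result means the zone both opens the port for local input and forwards it elsewhere; the forwarding rule wins, which is exactly what the `--remove-forward-port` in the last post undid.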