I'm trying to define 2 zones, one being a subset of another. I'd like to allow a range of ports to the wider zone, and then some additional ports to the narrower zone. When I try to do this, I get "Unable to connect to remote host: No route to host". If I look at the underlying iptables, it seems to follow the wider chain, but never goes back to try the narrower chain.
Here's what I did. I'm just using port 111/tcp as a test, since this is a brand new host and 111 and 22 are the only listening ports.
To start, verify that I can't connect to 111:
    aculver@aculver ~ $ telnet jiradev.its.uwo.ca 111
    Trying 129.100.58.223...
    telnet: Unable to connect to remote host: No route to host
Create the wider zone for our network and allow 111:
    [root@jiradev aculver]# firewall-cmd --permanent --new-zone=uwo
    success
    [root@jiradev aculver]# firewall-cmd --permanent --zone=uwo --add-source=129.100.0.0/16
    success
    [root@jiradev aculver]# firewall-cmd --permanent --zone=uwo --add-port=111/tcp
    success
    [root@jiradev aculver]# firewall-cmd --reload
    success
    aculver@aculver ~ $ telnet jiradev.its.uwo.ca 111
    Trying 129.100.58.223...
    Connected to jiradev.its.uwo.ca.
    Escape character is '^]'.
Now add a narrower zone, which will represent our department's administrative workstations:
    [root@jiradev aculver]# firewall-cmd --permanent --new-zone=net6
    success
    [root@jiradev aculver]# firewall-cmd --permanent --zone=net6 --add-source=129.100.6.0/24
    success
    [root@jiradev aculver]# firewall-cmd --reload
    aculver@aculver ~ $ telnet jiradev.its.uwo.ca 111
    Trying 129.100.58.223...
    telnet: Unable to connect to remote host: No route to host
I would think that the uwo zone should still apply, since I'm still connecting from a host defined in the source of that zone. But as soon as I create this second zone and give it a (narrower) source that also matches the IP that I'm connecting from, it seems to use only that zone, ignoring the first zone with the broader source.
Am I doing something wrong? How can I make this work?
I've tried to search for a solution to this, but without any error messages or having any keywords to search on, it's hard to even find others who have run into this problem. A coworker of mine has also run into this same problem, so I can't be the first.
Here's the resulting config (the rich rules are from our default build scripts. We'd like to replace them with zones if we can solve this current problem):
    [root@jiradev aculver]# firewall-cmd --zone=uwo --list-all
    uwo (active)
      target: default
      icmp-block-inversion: no
      interfaces:
      sources: 129.100.0.0/16
      services:
      ports: 111/tcp
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:

    [root@jiradev aculver]# firewall-cmd --zone=net6 --list-all
    net6 (active)
      target: default
      icmp-block-inversion: no
      interfaces:
      sources: 129.100.6.0/24
      services:
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:

    [root@jiradev aculver]# iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N FORWARD_IN_ZONES
    -N FORWARD_IN_ZONES_SOURCE
    -N FORWARD_OUT_ZONES
    -N FORWARD_OUT_ZONES_SOURCE
    -N FORWARD_direct
    -N FWDI_net6
    -N FWDI_net6_allow
    -N FWDI_net6_deny
    -N FWDI_net6_log
    -N FWDI_public
    -N FWDI_public_allow
    -N FWDI_public_deny
    -N FWDI_public_log
    -N FWDI_uwo
    -N FWDI_uwo_allow
    -N FWDI_uwo_deny
    -N FWDI_uwo_log
    -N FWDO_net6
    -N FWDO_net6_allow
    -N FWDO_net6_deny
    -N FWDO_net6_log
    -N FWDO_public
    -N FWDO_public_allow
    -N FWDO_public_deny
    -N FWDO_public_log
    -N FWDO_uwo
    -N FWDO_uwo_allow
    -N FWDO_uwo_deny
    -N FWDO_uwo_log
    -N INPUT_ZONES
    -N INPUT_ZONES_SOURCE
    -N INPUT_direct
    -N IN_net6
    -N IN_net6_allow
    -N IN_net6_deny
    -N IN_net6_log
    -N IN_public
    -N IN_public_allow
    -N IN_public_deny
    -N IN_public_log
    -N IN_uwo
    -N IN_uwo_allow
    -N IN_uwo_deny
    -N IN_uwo_log
    -N OUTPUT_direct
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -j INPUT_direct
    -A INPUT -j INPUT_ZONES_SOURCE
    -A INPUT -j INPUT_ZONES
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i lo -j ACCEPT
    -A FORWARD -j FORWARD_direct
    -A FORWARD -j FORWARD_IN_ZONES_SOURCE
    -A FORWARD -j FORWARD_IN_ZONES
    -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
    -A FORWARD -j FORWARD_OUT_ZONES
    -A FORWARD -m conntrack --ctstate INVALID -j DROP
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -j OUTPUT_direct
    -A FORWARD_IN_ZONES -i ens160 -g FWDI_public
    -A FORWARD_IN_ZONES -g FWDI_public
    -A FORWARD_IN_ZONES_SOURCE -s 129.100.6.0/24 -g FWDI_net6
    -A FORWARD_IN_ZONES_SOURCE -s 129.100.0.0/16 -g FWDI_uwo
    -A FORWARD_OUT_ZONES -o ens160 -g FWDO_public
    -A FORWARD_OUT_ZONES -g FWDO_public
    -A FORWARD_OUT_ZONES_SOURCE -d 129.100.6.0/24 -g FWDO_net6
    -A FORWARD_OUT_ZONES_SOURCE -d 129.100.0.0/16 -g FWDO_uwo
    -A FWDI_net6 -j FWDI_net6_log
    -A FWDI_net6 -j FWDI_net6_deny
    -A FWDI_net6 -j FWDI_net6_allow
    -A FWDI_net6 -p icmp -j ACCEPT
    -A FWDI_public -j FWDI_public_log
    -A FWDI_public -j FWDI_public_deny
    -A FWDI_public -j FWDI_public_allow
    -A FWDI_public -p icmp -j ACCEPT
    -A FWDI_uwo -j FWDI_uwo_log
    -A FWDI_uwo -j FWDI_uwo_deny
    -A FWDI_uwo -j FWDI_uwo_allow
    -A FWDI_uwo -p icmp -j ACCEPT
    -A FWDO_net6 -j FWDO_net6_log
    -A FWDO_net6 -j FWDO_net6_deny
    -A FWDO_net6 -j FWDO_net6_allow
    -A FWDO_public -j FWDO_public_log
    -A FWDO_public -j FWDO_public_deny
    -A FWDO_public -j FWDO_public_allow
    -A FWDO_uwo -j FWDO_uwo_log
    -A FWDO_uwo -j FWDO_uwo_deny
    -A FWDO_uwo -j FWDO_uwo_allow
    -A INPUT_ZONES -i ens160 -g IN_public
    -A INPUT_ZONES -g IN_public
    -A INPUT_ZONES_SOURCE -s 129.100.6.0/24 -g IN_net6
    -A INPUT_ZONES_SOURCE -s 129.100.0.0/16 -g IN_uwo
    -A IN_net6 -j IN_net6_log
    -A IN_net6 -j IN_net6_deny
    -A IN_net6 -j IN_net6_allow
    -A IN_net6 -p icmp -j ACCEPT
    -A IN_public -j IN_public_log
    -A IN_public -j IN_public_deny
    -A IN_public -j IN_public_allow
    -A IN_public -p icmp -j ACCEPT
    -A IN_public_allow -s 172.20.0.0/22 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 172.29.17.38/32 -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 129.100.3.110/32 -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 129.100.254.11/32 -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 129.100.254.10/32 -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 172.29.17.38/32 -p icmp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 129.100.3.116/32 -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 129.100.6.0/26 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 129.100.254.233/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 129.100.254.10/32 -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 129.100.254.11/32 -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 129.100.6.192/27 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 172.29.17.37/32 -p icmp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 129.100.3.116/32 -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 129.100.254.11/32 -p icmp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 129.100.254.10/32 -p icmp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 129.100.3.110/32 -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 172.29.17.37/32 -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 172.29.17.37/32 -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_public_allow -s 172.29.17.38/32 -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_uwo -j IN_uwo_log
    -A IN_uwo -j IN_uwo_deny
    -A IN_uwo -j IN_uwo_allow
    -A IN_uwo -p icmp -j ACCEPT
    -A IN_uwo_allow -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
Thanks, Andrew
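Added example, not part of Andrew's post and not firewalld's own code: a small Python model of how the INPUT-side chains in the post's `iptables -S` output dispatch a packet, so the "never goes back to try the narrower chain" observation can be reproduced offline. The rules are copied from the post's output (trimmed to the chains that matter, with the empty `*_log`/`*_deny` chains and all but one `IN_public_allow` entry left out); the client addresses 129.100.6.50 and 129.100.58.10 and the `NET6_FIX` rule are constructed for the demonstration.

```python
import ipaddress
import shlex
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# INPUT-side rules from the post's `iptables -S` output, trimmed: the empty
# *_log/*_deny chains and every IN_public_allow entry except the rich rule that
# admits port 22 from 129.100.6.0/26 are left out.
IPTABLES_S = """
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -g IN_public
-A INPUT_ZONES_SOURCE -s 129.100.6.0/24 -g IN_net6
-A INPUT_ZONES_SOURCE -s 129.100.0.0/16 -g IN_uwo
-A IN_net6 -j IN_net6_allow
-A IN_net6 -p icmp -j ACCEPT
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -s 129.100.6.0/26 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_uwo -j IN_uwo_allow
-A IN_uwo -p icmp -j ACCEPT
-A IN_uwo_allow -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT
"""
# Constructed, not in the post: what `--zone=net6 --add-port=111/tcp` would add,
# by analogy with the IN_uwo_allow line above.
NET6_FIX = "-A IN_net6_allow -p tcp -m tcp --dport 111 -m conntrack --ctstate NEW -j ACCEPT\n"


@dataclass
class Rule:
    chain: str
    target: str = ""
    goto: bool = False                  # True for -g (goto), False for -j (jump)
    src: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    ctstates: Optional[set] = None


def parse_rules(text):
    """Group the -A lines of `iptables -S` by chain, keeping the matches we model."""
    rules = defaultdict(list)
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "-A":
            continue                        # -P / -N lines carry no matches
        r = Rule(chain=toks[1])
        for opt, val in zip(toks[2::2], toks[3::2]):   # every option here takes a value
            if opt == "-s":
                r.src = ipaddress.ip_network(val, strict=False)
            elif opt == "-p":
                r.proto = val
            elif opt == "--dport":
                r.dport = int(val)
            elif opt == "--ctstate":
                r.ctstates = set(val.split(","))
            elif opt in ("-j", "-g"):
                r.target, r.goto = val, (opt == "-g")
            elif opt not in ("-m", "--reject-with"):
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        rules[r.chain].append(r)
    return rules


def matches(r, pkt):
    return ((r.src is None or ipaddress.ip_address(pkt["src"]) in r.src)
            and (r.proto is None or r.proto == pkt["proto"])
            and (r.dport is None or r.dport == pkt["dport"])
            and (r.ctstates is None or pkt["ctstate"] in r.ctstates))


def run_chain(rules, chain, pkt, trail):
    """Walk one chain with jump/goto semantics; None means it fell off the end."""
    trail.append(chain)
    for r in rules.get(chain, []):
        if not matches(r, pkt):
            continue
        if r.target in ("ACCEPT", "DROP", "REJECT"):
            return r.target
        if r.goto:
            # -g: continue in the target chain; when it ends, control returns to
            # whoever jumped into *this* chain, so the rules after this one
            # (here the 129.100.0.0/16 -> IN_uwo line) are never evaluated.
            return run_chain(rules, r.target, pkt, trail)
        verdict = run_chain(rules, r.target, pkt, trail)   # -j: call, then resume here
        if verdict is not None:
            return verdict
    return None


def decide(src, dport, rule_text=IPTABLES_S):
    """Verdict and chains visited for a new TCP connection from src to local port dport."""
    pkt = {"src": src, "dport": dport, "proto": "tcp", "ctstate": "NEW"}
    trail = []
    verdict = run_chain(parse_rules(rule_text), "INPUT", pkt, trail)
    return (verdict or "POLICY"), trail


if __name__ == "__main__":
    # Client addresses are constructed: one inside 129.100.6.0/24, one elsewhere in the /16.
    for src, port, text in [("129.100.6.50", 111, IPTABLES_S), ("129.100.58.10", 111, IPTABLES_S),
                            ("129.100.6.50", 22, IPTABLES_S), ("129.100.6.50", 111, IPTABLES_S + NET6_FIX)]:
        verdict, trail = decide(src, port, text)
        print(f"{src}:{port} -> {verdict:6} via {' > '.join(trail)}")
```

Running it shows the mechanism behind the symptom: `INPUT_ZONES_SOURCE` lists the more specific /24 first and dispatches with `-g`, so a host in 129.100.6.0/24 is handled by `IN_net6` only, falls through to the interface zone (`IN_public`), and ends at the `REJECT --reject-with icmp-host-prohibited` rule, which is exactly what telnet reports as "No route to host". `IN_uwo` is never entered for that client. The same trace explains why SSH keeps working from the /24: the `IN_public_allow` rich rule for 129.100.6.0/26 port 22 catches it, not either new zone. Since a packet is assigned to exactly one source zone and zones do not inherit from one another, the narrower zone needs its own entry for every port it should accept, as the `NET6_FIX` case demonstrates.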