Hi :)
I have some LXC containers running on a server and I want to forward a port to each of their SSH ports (Fedora 20, firewalld 0.3.9.2). After fiddling with firewall-cmd for several hours now, I am still nowhere near a working solution.
I have my external interface in the public zone. I enabled masquerading on public:
$ firewall-cmd --zone=public --add-masquerade
and I am using the following for forwarding the port:
$ firewall-cmd --zone=public --add-forward-port=port=22822:proto=tcp:toport=22:toaddr=192.168.122.11
The zone status after that is:
public (default, active)
  interfaces: p7p1
  sources:
  services: dhcpv6-client http https mdns ssh
  ports:
  masquerade: yes
  forward-ports: port=22822:proto=tcp:toport=22:toaddr=192.168.122.11
  icmp-blocks:
  rich rules:
But ssh on port 22822 is still not possible. There is a change though. Without the forward rule nmap shows the port as "filtered", and after applying it it is shown as "closed". I thought maybe there is something wrong with the routing, so I tried a simpler example:
$ firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toport=22:toaddr=127.0.0.1
to forward port 8888 to port 22 on the loopback interface. SSH is enabled to listen on the lo interface, but I still get the same result if I try to connect on port 8888.
And if I don't specify a destination address:
$ firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toport=22
Forwarding is working as expected.
Am I missing something, or doing something wrong? A similar example is shown in the documentation at http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sec-Config.... Is there something I need to enable on the target interfaces for the forwarding to work?
I really find firewallD a very nice idea, but this is very frustrating ...
Cheers, Zaro
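A small diagnostic for the situation above, added here as an example and not part of Zaro's post or of firewalld: it parses the zone listing in the single-line `forward-ports:` format firewalld 0.3.x prints, pulls out every `toaddr=` destination, and reports the host-side prerequisites a DNAT forward needs (IP forwarding on, masquerade on for the reply path, and `net.ipv4.conf.all.route_localnet=1` when the destination is 127.x, since the kernel otherwise drops traffic DNATed to loopback from another interface). The sample zone output is constructed from the values quoted in the post; the sysctl values are passed in as arguments so the check runs offline.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=public --list-all` output (values from the post).
ZONE_STATUS='public (default, active)
  interfaces: p7p1
  sources:
  services: dhcpv6-client http https mdns ssh
  ports:
  masquerade: yes
  forward-ports: port=22822:proto=tcp:toport=22:toaddr=192.168.122.11
  icmp-blocks:
  rich rules:'

# zone_masquerade STATUS -> prints yes|no
zone_masquerade() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*masquerade:[[:space:]]*//p'
}

# forward_toaddrs STATUS -> one destination per line for each forward-port that
# carries toaddr= (a plain port-to-port forward on the host prints nothing)
forward_toaddrs() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*forward-ports:[[:space:]]*//p' \
    | tr ' ' '\n' | sed -n 's/.*toaddr=\([^: ]*\).*/\1/p'
}

# check_forward_prereqs STATUS IP_FORWARD ROUTE_LOCALNET
#   IP_FORWARD     = value of net.ipv4.ip_forward (0/1)
#   ROUTE_LOCALNET = value of net.ipv4.conf.all.route_localnet (0/1)
# Prints one problem per line; exit 0 when every toaddr forward can work.
check_forward_prereqs() {
  status=$1; ip_forward=$2; route_localnet=$3; rc=0
  for addr in $(forward_toaddrs "$status"); do
    if [ "$ip_forward" != 1 ]; then
      echo "toaddr=$addr: net.ipv4.ip_forward is $ip_forward, need 1"; rc=1
    fi
    if [ "$(zone_masquerade "$status")" != yes ]; then
      echo "toaddr=$addr: masquerade is off, replies will not be rewritten"; rc=1
    fi
    case $addr in
      127.*)  # DNAT to loopback from another interface is a martian unless route_localnet=1;
              # forwarding to a local port needs no toaddr at all (the post's working case)
        if [ "$route_localnet" != 1 ]; then
          echo "toaddr=$addr: route_localnet is $route_localnet; drop toaddr or set it to 1"; rc=1
        fi ;;
    esac
  done
  return $rc
}

# Live use on the host (assumes root and firewalld 0.3.x output format):
# check_forward_prereqs "$(firewall-cmd --zone=public --list-all)" \
#   "$(sysctl -n net.ipv4.ip_forward)" "$(sysctl -n net.ipv4.conf.all.route_localnet)"
```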