Hi :)
I have some LXC containers running on a server and I want to forward a port to each of their SSH ports (Fedora 20, firewalld 0.3.9.2). After fiddling with firewall-cmd for several hours now, I am still nowhere near a working solution.
I have my external interface in the public zone. I enabled masquerading on public:
$ firewall-cmd --zone=public --add-masquerade
and I am using the following for forwarding the port:
$ firewall-cmd --zone=public --add-forward-port=port=22822:proto=tcp:toport=22:toaddr=192.168.122.11
The zone status after that is:
public (default, active)
  interfaces: p7p1
  sources:
  services: dhcpv6-client http https mdns ssh
  ports:
  masquerade: yes
  forward-ports: port=22822:proto=tcp:toport=22:toaddr=192.168.122.11
  icmp-blocks:
  rich rules:
But ssh on port 22822 is still not possible. There is a change though: without the forward rule nmap shows the port as "filtered", and after applying it it is shown as "closed". I thought maybe there is something wrong with the routing, so I tried a simpler example:
$ firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toport=22:toaddr=127.0.0.1
to forward port 8888 to port 22 on the loopback interface. SSH is enabled to listen on the lo interface, but I still get the same result if I try to connect on port 8888.
And if I don't specify a destination address:
$ firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toport=22
Forwarding is working as expected.
Am I missing something, or doing something wrong? A similar example is shown in the documentation at http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sec-Config.... Is there something I need to enable on the target interfaces for the forwarding to work?
I really find firewallD a very nice idea, but this is very frustrating ...
Cheers, Zaro
On 01/22/2014 11:41 PM, Svetlozar Argirov wrote:
> Hi :)
> I have some LXC containers running on a server and I want to forward a port to each of their SSH ports (Fedora 20, firewalld 0.3.9.2). After fiddling with firewall-cmd for several hours now, I am still nowhere near a working solution.
> I have my external interface in the public zone. I enabled masquerading on public:
> $ firewall-cmd --zone=public --add-masquerade
> and I am using the following for forwarding the port:
> $ firewall-cmd --zone=public --add-forward-port=port=22822:proto=tcp:toport=22:toaddr=192.168.122.11
> The zone status after that is:
> public (default, active)
>   interfaces: p7p1
>   sources:
>   services: dhcpv6-client http https mdns ssh
>   ports:
>   masquerade: yes
>   forward-ports: port=22822:proto=tcp:toport=22:toaddr=192.168.122.11
>   icmp-blocks:
>   rich rules:
With masquerading enabled the port/packet forwarding should be working.
> But ssh on port 22822 is still not possible. There is a change though: without the forward rule nmap shows the port as "filtered", and after applying it it is shown as "closed". I thought maybe there is something wrong with the routing, so I tried a simpler example:
> $ firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toport=22:toaddr=127.0.0.1
> to forward port 8888 to port 22 on the loopback interface. SSH is enabled to listen on the lo interface, but I still get the same result if I try to connect on port 8888.
> And if I don't specify a destination address:
> $ firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toport=22
> Forwarding is working as expected.
You are forwarding to another machine. Is the port you are forwarding to open in this machine or filtered?
Please also use a network sniffer on the destination machine to verify that the packages are sent there.
Which firewalld version are you using? There has been a problem in the 0.3.9 version with persistent port forwarding rules that should be solved soon: https://bugzilla.redhat.com/show_bug.cgi?id=1056154
> Am I missing something, or doing something wrong? A similar example is shown in the documentation at http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sec-Config... . Is there something I need to enable on the target interfaces for the forwarding to work?
> I really find firewallD a very nice idea, but this is very frustrating ...
> Cheers, Zaro
> firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Regards, Thomas
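A small diagnostic that follows the checks Thomas suggests, added here as an example and not part of the thread: it parses the zone status quoted above and, for every forward-port that carries a toaddr, confirms that masquerading is on and that the host itself can open a TCP connection to toaddr:toport (if the host cannot reach the container's sshd, the DNAT rule cannot deliver to it either). The sample zone text is constructed from the output quoted above, and the `reach` parameter is an assumption of this script so the logic can be exercised without a network.

```python
import socket

# Constructed sample of `firewall-cmd --zone=public --list-all` output,
# mirroring the zone status quoted in the thread.
SAMPLE_ZONE = """public (default, active)
  interfaces: p7p1
  sources:
  services: dhcpv6-client http https mdns ssh
  ports:
  masquerade: yes
  forward-ports: port=22822:proto=tcp:toport=22:toaddr=192.168.122.11
  icmp-blocks:
  rich rules:
"""

def parse_zone(text):
    """Return (masquerade_on, forward_ports) from --list-all output."""
    masquerade, forwards = False, []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "masquerade":
            masquerade = value.strip() == "yes"
        elif key == "forward-ports":  # port=..:proto=..:toport=..[:toaddr=..]
            for entry in value.split():
                forwards.append(dict(kv.split("=", 1) for kv in entry.split(":")))
    return masquerade, forwards

def target_reachable(addr, port, timeout=2.0):
    """DNAT can only succeed if the host itself can reach toaddr:toport."""
    try:
        with socket.create_connection((addr, int(port)), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(zone_text, reach=target_reachable):
    """List what would stop each forward-port with a toaddr from working."""
    masquerade, forwards = parse_zone(zone_text)
    findings = []
    if not masquerade:
        findings.append("masquerade off: replies from the target are not SNATed")
    for fw in forwards:
        if "toaddr" not in fw:
            continue  # local redirect only, no routing involved
        dest = (fw["toaddr"], fw.get("toport", fw["port"]))
        if not reach(*dest):
            findings.append("%s:%s unreachable from host (service down or filtered)" % dest)
    return findings
```

Feed `diagnose` the real output of `firewall-cmd --zone=public --list-all` on the host; an "unreachable" finding means the problem is in the container (sshd not listening on that address, or its own firewall), not in the forward rule.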