Why isn't the port being forwarded by Firewalld?

H

HighMan2020-01-03 01:39:23

firewall

HighMan, 2020-01-03 01:39:23

Good time, comrades!
Something I can not figure out with port forwarding in firewalld. Everything seems to be correct, but it doesn't work :)

#cat /proc/sys/net/ipv4/ip_forward
1
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp6s0
  sources: 
  services: dhcpv6-client
  ports: 22/tcp
  protocols: 
  masquerade: yes
  forward-ports: port=7000:proto=tcp:toport=3389:toaddr=192.168.13.168
  source-ports: 
  icmp-blocks: 
  rich rules:

It seems that masquerading is enabled and when accessing server port 7000, port forwarding to 192.168.13.168:3389 should occur. Those. on rdp but doesn't work. Tell me what I did wrong?
Thanks in advance.

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

D

Dmitry, 2020-01-03
@q2digger

and 192.168.13.168 knows where to send the packet back? Does he have a route to the client? if the picture above is not with default gateway , then you also need to add a SNAT rule.

H

HighMan, 2020-01-03
@HighMan

I apologize that the question is put more than generally. I will clarify.
There is a certain leased server, let its ip=1.1.1.1.
It has Centos7 on it. This server drags several virtual machines (qemu-kvm, libvirt).
Virtual machines live behind NAT, address range: 192.168.13.0/24 (virbr0)
Virtual machines can access the Internet and they are, at the moment, doing it well.
I need to forward a port from internet to "local network" for VM 192.168.13.168 (1.1.1.1:7000 -> 192.168.13.168:3389).
The rule itself seems to be written correctly, but I seem to have not completed something with the zones. So far, I've only been picking the public zone, and it has the only enp6s0 interface.

# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp6s0
  sources: 
  services: dhcpv6-client ssh
  ports: 219/tcp
  protocols: 
  masquerade: yes
  forward-ports: port=7000:proto=tcp:toport=3389:toaddr=192.168.13.168
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

I suspect that in order to forward the port, something needs to be done with the zones. In my opinion, virbr0 needs to be added to some zone.
But here I am lost. All the same, for me, firewalld is an unfamiliar thing.
So: Help!
No. Not this way.
Heeeeeelp me please!!!!)