HighMan, 2020-01-03 01:39:23
firewall

Why isn't the port being forwarded by Firewalld?

Good day, comrades!
There is something I can't figure out about port forwarding in firewalld. Everything seems to be correct, but it doesn't work :)

# cat /proc/sys/net/ipv4/ip_forward
1
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp6s0
  sources: 
  services: dhcpv6-client
  ports: 22/tcp
  protocols: 
  masquerade: yes
  forward-ports: port=7000:proto=tcp:toport=3389:toaddr=192.168.13.168
  source-ports: 
  icmp-blocks: 
  rich rules:

It seems that masquerading is enabled, and when server port 7000 is accessed, port forwarding to 192.168.13.168:3389 should occur. That is, to RDP, but it doesn't work. Tell me what I did wrong?
Thanks in advance.


2 answer(s)
Dmitry, 2020-01-03
@q2digger

And does 192.168.13.168 know where to send the packet back? Does it have a route to the client? If the picture above is not with a default gateway, then you also need to add an SNAT rule.

HighMan, 2020-01-03
@HighMan

I apologize that the question was put too generally. I will clarify.
There is a certain leased server; let its IP be 1.1.1.1.
It runs CentOS 7. This server hosts several virtual machines (qemu-kvm, libvirt).
The virtual machines live behind NAT, address range 192.168.13.0/24 (virbr0).
The virtual machines can access the Internet, and at the moment they do so fine.
I need to forward a port from the Internet into the "local network" for the VM 192.168.13.168 (1.1.1.1:7000 -> 192.168.13.168:3389).
The rule itself seems to be written correctly, but it seems I haven't finished something with the zones. So far I have only been touching the public zone, and it has the only interface, enp6s0.

# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp6s0
  sources: 
  services: dhcpv6-client ssh
  ports: 219/tcp
  protocols: 
  masquerade: yes
  forward-ports: port=7000:proto=tcp:toport=3389:toaddr=192.168.13.168
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

I suspect that in order to forward the port, something needs to be done with the zones. In my opinion, virbr0 needs to be added to some zone.
But here I am lost. After all, firewalld is an unfamiliar thing to me.
So: Help!
No. Not this way.
Heeeeeelp me please!!!!)
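An offline triage helper for the points raised in both posts above (Dmitry's return-path/SNAT question and HighMan's suspicion that virbr0 belongs in a zone). This is an added example, not code from the thread or from firewalld; it parses a `firewall-cmd --list-all-zones` dump in the layout shown above and reports what must line up for a forward-port to work. `SAMPLE_DUMP` is a constructed, condensed copy of the zone listing from the thread, and `virbr0` as the VM-side interface is taken from HighMan's description.

```python
# Added offline triage of a firewall-cmd --list-all-zones dump (not from the thread);
# SAMPLE_DUMP is a constructed, condensed copy of the listing posted above.
SAMPLE_DUMP = """\
public (active)
  target: default
  interfaces: enp6s0
  masquerade: yes
  forward-ports: port=7000:proto=tcp:toport=3389:toaddr=192.168.13.168

trusted
  target: ACCEPT
  interfaces: 
  masquerade: no
  forward-ports: 
"""

def parse_zones(dump: str) -> dict:
    """Return {zone: {field: value, 'active': bool}} from firewalld's own layout."""
    zones, current = {}, None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # zone header, e.g. "public (active)"
            current = line.split()[0]
            zones[current] = {"active": "(active)" in line}
        else:
            key, _, value = line.strip().partition(":")
            zones[current][key] = value.strip()
    return zones

def parse_forward_port(spec: str) -> dict:
    """'port=7000:proto=tcp:toport=3389:toaddr=192.168.13.168' -> field dict."""
    return dict(item.split("=", 1) for item in spec.split(":"))

def check_forward(dump: str, inside_iface: str) -> list:
    """Findings on what must line up for the forward; an empty list means none."""
    zones = parse_zones(dump)
    bound = {i for z in zones.values() for i in z.get("interfaces", "").split()}
    findings = []
    for name, z in zones.items():
        if not z.get("forward-ports"):
            continue
        fp = parse_forward_port(z["forward-ports"])
        if not z["active"]:
            findings.append(f"{name}: forward to {fp['toaddr']} sits in an inactive zone")
        if z.get("masquerade") != "yes":
            findings.append(f"{name}: masquerade is off; forwarding to another host needs it")
    if inside_iface not in bound:
        findings.append(f"{inside_iface} is bound to no zone, so it falls back to the default zone")
    return findings
```

Run it against the real output with `check_forward(open("zones.txt").read(), "virbr0")`; it cannot see `ip_forward` or the VM's default route, so those two (Dmitry's point) still need checking on the host and inside the VM.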
