Why is firewalld blocking my opened ports?!?

Support for security such as Firewalls and securing linux
crabanus
Posts: 4
Joined: 2017/04/05 07:17:14

Why is firewalld blocking my opened ports?!?

Post by crabanus » 2017/04/05 08:11:38

Hi experts,

I'm struggling with allowing traffic to the inside of my network. I've a router with CentOS 7.3 and firewalld installed. ens160 is the internal interface (zone internal), ens192 the external (zone external). There are no other interfaces. I don't want NAT, I just want to route some traffic from outside to the inside (e.g. SSH or RDP). So I've turned off masquerading at the external zone.

Inside I have a windows box with IP 192.168.2.110, RDP enabled. From outside (IP 192.168.1.29) I'm trying to connect to the RDP, but the traffic is blocked. I've activated logging, so in my messages I find the following:

Apr 5 09:13:22 mgt-nbudc kernel: FINAL_REJECT: IN=ens160 OUT=ens192 MAC=00:50:56:a5:70:7a:50:7b:9d:66:5f:1e:08:00 SRC=192.168.1.29 DST=192.168.2.110 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=27822 DF PROTO=TCP SPT=46538 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0

OK, port 3389/TCP is blocked. I added this port to my list of open ports, the rule list for the external zone looks like this:

external (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: ftp http https ssh
ports: 1556/tcp 3389/udp 902/tcp 10000/tcp 177/udp 7100/tcp 3389/tcp 6000-6005/tcp 5904-5905/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

The config of the internal zone is the following:

internal (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: dhcp dns ftp http https iscsi-target mdns mountd nfs rpc-bind samba samba-client ssh tftp
ports: 1556/tcp 20048/tcp 3389/udp 6000-6005/tcp 42955/tcp 54302/tcp 46666/tcp 177/udp 875/tcp 7100/tcp 3389/tcp 2049/tcp 5904-5905/tcp 111/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

No success - traffic is still blocked, I get the same message about the reject as before.

When I turn off the firewall, everything is working as expected (so basically routing is working, RDP is correctly enabled, etc.). But when I turn the firewall back on, I don't get the connection.

By the way, SSH is also not working when I try to connect from the outside to the inside, same problem. But ICMP (e.g. ping) is working.

What do I miss? Why isn't this working?

Thanx for advice and best regards,
Christian
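Added example, not from any poster in this thread: a small Python triage helper for the FINAL_REJECT lines quoted above. The detail worth noticing in the log line is that both IN= and OUT= are set, which means the packet was being routed through the CentOS box and was rejected in the FORWARD chain, not in INPUT. On CentOS 7's firewalld (0.4.x, before policy objects existed) a zone's services and ports only open the INPUT path, i.e. traffic addressed to the router itself, so --add-port never helps a forwarded packet; a direct rule in the filter FORWARD chain does (the assumption here is that firewalld release; newer releases use --new-policy instead, which is not covered). The second sample log line, its destination address and the zone placeholder in the output are constructed.

```python
"""Classify firewalld FINAL_REJECT log lines as INPUT-path or FORWARD-path rejects.

Assumes the netfilter log format firewalld emits with LogDenied=all on
CentOS 7 (firewalld 0.4.x): an empty OUT= field means the packet was
destined to the host (INPUT chain); a non-empty OUT= means it was routed
through the host (FORWARD chain), which zone services/ports do not open.
"""
import re

# Constructed sample log: line 1 is the reject from the thread (a forwarded
# RDP SYN), line 2 is a made-up reject of an SSH SYN addressed to the router.
SAMPLE_LOG = """\
Apr 5 09:13:22 mgt-nbudc kernel: FINAL_REJECT: IN=ens160 OUT=ens192 MAC=00:50:56:a5:70:7a:50:7b:9d:66:5f:1e:08:00 SRC=192.168.1.29 DST=192.168.2.110 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=27822 DF PROTO=TCP SPT=46538 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 5 09:14:01 mgt-nbudc kernel: FINAL_REJECT: IN=ens160 OUT= MAC=00:50:56:a5:70:7a:50:7b:9d:66:5f:1e:08:00 SRC=192.168.1.29 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# key=value tokens; flags without "=" (DF, SYN) are ignored, OUT= yields "".
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_reject(line):
    """Return the key=value fields of a FINAL_REJECT line as a dict, else None."""
    if "FINAL_REJECT:" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def classify(fields):
    """'forward' if the packet was routed through the host, otherwise 'input'."""
    return "forward" if fields.get("OUT") else "input"


def suggest_fix(fields):
    """Return the firewall-cmd command that opens the path the packet took.

    FORWARD rejects need a direct rule in the filter FORWARD chain (assumed
    firewalld 0.4.x behaviour); INPUT rejects are what --add-port is for.
    """
    proto = fields["PROTO"].lower()
    dport = fields["DPT"]
    if classify(fields) == "forward":
        return ("firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 "
                f"-i {fields['IN']} -o {fields['OUT']} -p {proto} --dport {dport} -j ACCEPT")
    # <zone> is a placeholder: the zone bound to the IN= interface.
    return f"firewall-cmd --permanent --zone=<zone> --add-port={dport}/{proto}"


def triage(log_text):
    """Yield (src, dst, dport, path, suggested command) for every reject line."""
    results = []
    for line in log_text.splitlines():
        fields = parse_reject(line)
        if fields is None:
            continue
        results.append((fields["SRC"], fields["DST"], fields["DPT"],
                        classify(fields), suggest_fix(fields)))
    return results


if __name__ == "__main__":
    for src, dst, dport, path, cmd in triage(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport} rejected in {path.upper()} chain")
        print(f"  fix: {cmd}")
```

After adding the direct rule, run firewall-cmd --reload and confirm it with firewall-cmd --direct --get-all-rules; it will not appear in the zone listing shown in the thread. Only the forward direction needs a rule, because firewalld already accepts RELATED,ESTABLISHED traffic at the top of the FORWARD chain, so the replies from the Windows box pass without masquerading.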

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Why is firewalld blocking my opened ports?!?

Post by aks » 2017/04/05 18:27:18

I don't really understand. Is "external" the Internet? It usually is. What is this scenario? Is it an internal (i.e.: some network you/your company 100% controls)? Or are we talking traversing the Internet in any manner?

crabanus
Posts: 4
Joined: 2017/04/05 07:17:14

Re: Why is firewalld blocking my opened ports?!?

Post by crabanus » 2017/04/05 19:37:45

Sorry for not describing the setting detailed enough...

The setting is:

The Internet <- NAT-Router with port forwarding -> Zone "external" (subnet 192.168.1.0/24, VLAN 1) <- CentOS 7 Router with firewalld and routing problems -> Zone "Internal" (subnet 192.168.2.9/24, VLAN 2)

Hosted in zone "internal" is a training environment, which is accessed from the internet via a system in zone "external", which runs an X2Go server (in case you are not familiar with this technology: it acts like a terminal server from MS). This X2Go server is multihomed, has one interface in zone "internal" and one in zone "external". The clients using this training environment access the zone "internal" via the X2Go server, so zone "external" is completely transparent for them (and with the client access everything is fine).

But for maintenance, control, etc. I'm logging into zone "external" via the internet. Then I want to access the systems in zone "internal" from systems located in zone "external". So basically the fact that I'm accessing the whole environment via the internet does not play any role for my problem. It would be the same if I cut it off completely from the internet. I find myself on a system in zone "external" and want to access systems in zone "internal", it's as simple as that.

Port forwarding is not an option here, because I want to be able to access any system in zone "internal" (it's a virtual environment with roughly 100 VMs), possibly with different services (SSH, RDP, FTP, HTTP, ...). Furthermore I'm running a backup infrastructure in zone "external", which has to back up systems in zone "internal" - which is not possible via a NAT router, so NATting/masquerading is also not an option.

I quite simply just want to route between the two different subnets (which works fine when I turn off the firewall) and allow only specific types of traffic to be sent over the router (that's the reason why I have activated the firewall).

I hope this clarifies the setting. As far as I understand my configuration, it should work. And even after several hours of investigation I don't understand the simple fact that the firewall on the CentOS system rejects a packet which uses a port which I have allowed in the configuration (e.g. port 22 or port 3389). I must have missed a quite basic point, but I don't see it...

Any help very appreciated!

Christian

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Why is firewalld blocking my opened ports?!?

Post by hunter86_bg » 2017/04/05 20:26:05

As you have described, you want to forward all incoming traffic on the external zone on port 3389/TCP and exit the CentOS 7 box through the internal zone to a Windows machine, is that right?

If it's so , why aren't you using port forwarding?
Please keep in mind that it can be done either in general or via a rich rule.

# --add-forward-port needs the "port=" key; toaddr takes a plain IP address
firewall-cmd --permanent --zone=external \
    --add-forward-port=port=3389:proto=tcp:toport=3389:toaddr=<win_ip>

or

# rich rule form: the forward-port element carries its own port/protocol/to-port/to-addr keys
firewall-cmd --permanent --zone=external --add-rich-rule='rule family="ipv4" \
    source address="<ip_or_net_of_source_with_prefix>" \
    forward-port port="3389" protocol="tcp" to-port="3389" to-addr="<win_ip>"'

And then reload.
Also you need masquerade, otherwise the packets from the Windows box will never go back through the CentOS box. Don't forget "net.ipv4.ip_forward".

crabanus
Posts: 4
Joined: 2017/04/05 07:17:14

Re: Why is firewalld blocking my opened ports?!?

Post by crabanus » 2017/04/05 21:50:50

Thank you for the reply, but as I already explained, port forwarding and NATting are not an option in my environment - and it's not a solution for my problem. Without the firewall, routing is working the way I expect it to work.

I'm looking for a working configuration for my firewall - especially: Why is the firewall blocking traffic on a port for which I have defined a rule? Does anyone have any idea which setting I have forgotten here?

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Why is firewalld blocking my opened ports?!?

Post by aks » 2017/04/06 16:47:28

I agree with you, that seems to be most illogical. Having a quick look at the Fedora firewalld page says:

    external
    For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

I wonder if it's something to do with the zone name. Perhaps create two new zones (fred and dead for example) and assign rules to them, or I guess you could just use the "trusted" zone. See https://fedoraproject.org/wiki/Firewalld?rd=FirewallD

It's a bit of a guess....

crabanus
Posts: 4
Joined: 2017/04/05 07:17:14

Re: Why is firewalld blocking my opened ports?!?

Post by crabanus » 2017/04/06 19:27:04

Thank you for the proposal to create new zones - it was worth a try. But, unfortunately, even with two brand new zones it didn't work. My config in a nutshell is like this (I defined all the services from external and internal respectively in the new zones):

zone application -> service ssh, (other services), (some ports), interface ens160, subnet 192.168.4.0/24
zone infrastructure -> service ssh, (other services), (some ports), interface ens192, subnet 192.168.1.0/24

ssh from 192.168.1.29 to 192.168.4.11 WITH firewall enabled -> ssh_exchange_identification: read: Connection reset by peer
ssh from 192.168.1.29 to 192.168.4.11 WITHOUT firewall enabled -> connection is established without any problems

Obviously, the firewall is still blocking the connection. IMHO also with firewall enabled, the ssh connection should work. What is wrong here?

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Why is firewalld blocking my opened ports?!?

Post by hunter86_bg » 2017/04/07 13:52:22

Did you enable masquerade for zone 'infrastructure'?
Otherwise run 2 separate traces (one per interface) via tcpdump/tshark and examine the output. I'm pretty convinced that the firewall is not allowing the response from the ssh server.

Edit: What is the output of ssh -vvv ?
