LinuxQuestions.org
Old 07-14-2016, 10:12 PM   #1
GaWdLy
Member
 
Registered: Feb 2013
Location: San Jose, CA
Distribution: RHEL/CentOS/Fedora
Posts: 457

Rep: Reputation: Disabled
firewalld help: trying to forward https from kvm host to kvm guest on same port


Hello All!

Never been very good with iptables, and I'm running my head into a wall over and over on this one.

I am trying to access a webpage from my laptop (or any other machine), to a management webpage on a kvm guest. It looks like this:

Client (192.168.1.x:443) --> KVM Host (192.168.1.x:443) --> KVM guest (192.168.122.x:443)

I've tried to use the port-forwarding rules in firewall-cmd, and I'm just not quite getting something right. I can easily use lynx to bring up the management portal from the KVM host, but from a client machine, it's a no-go.

Here are the rules on the KVM host:

~~~
# firewall-cmd --zone=FedoraServer --list-all
FedoraServer (active)
target: default
icmp-block-inversion: no
interfaces: enp0s20f0
sources:
services: cockpit dhcpv6-client http https ssh vnc-server
ports: 5900/tcp 80/tcp
protocols:
masquerade: yes
forward-ports: port=80:proto=tcp:toport=80:toaddr=192.168.122.176
port=443:proto=tcp:toport=443:toaddr=192.168.122.176
sourceports:
icmp-blocks:
rich rules:
~~~

Here's nmap on the KVM host:

~~~
# nmap -P0 192.168.122.176

Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-14 19:04 PDT
Nmap scan report for 192.168.122.176
Host is up (0.00048s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
MAC Address: 52:54:00:8D:F3:09 (QEMU virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 16.26 seconds
~~~

Here's an nmap from the host to itself:

~~~
# nmap -P0 localhost

Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-14 19:06 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000036s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
5902/tcp open vnc-2
9090/tcp open zeus-admin

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
~~~

So you can see that in spite of supposedly allowing 80 and 443, the port is still filtered.

I'm not exactly sure what I'm missing here, but I'm sure it's glaringly obvious to others.

Thanks for your time.
 
Old 07-15-2016, 05:07 AM   #2
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 525

Rep: Reputation: 95
Hi,

I faced a similar problem, and I will try to expose what I had done to solve it. I am supposing that you are using the native and default KVM configuration.

KVM creates, out of firewalld's control, some special iptables rules that enable the guests to communicate between them, enable the host through its interface in the virtual bridge to communicate with the guests, and disallow anything else. Those rules being added at the beginning, everything you do afterwards with the firewall-cmd command appears after them and has no effect. Look at the REJECT target I put in bold in the extract below.

~~~
# iptables -t filter -S FORWARD
-P FORWARD ACCEPT
-A FORWARD -d 192.168.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
~~~
To solve your problem you need to add a few iptables rules in a similar out-of-firewalld-control manner.

~~~
sudo iptables -t filter -I FORWARD -d <your guest IP in 192.168.122.x network>/32 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
sudo iptables -t nat -A PREROUTING -i <your host interface in 192.168.1.x network> -p tcp --dport 443 -j DNAT --to <your guest IP in 192.168.122.x network>:443
~~~
Note that the iptables rule in the filter FORWARD table is inserted at the beginning of the stack, and so before the KVM rejecting rules.

It will then depend on you to decide when to enable those extra iptables rules. Me, I preferred to launch and enable them at will and when needed. So I have created a script with those iptables rules prefixed with sudo, for my normal user to enable them when I need them.

One more thing, you will not be able to access the service from your host on the socket <your host IP in 192.168.1.x network>:443. From the host you will still need to access it on <your guest IP in 192.168.122.x network>:443. But from the client you should be able to access on <your host IP in 192.168.1.x network>:443.

Last edited by tshikose; 07-15-2016 at 02:14 PM. Reason: few typos
 
1 members found this post helpful.
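The workflow tshikose describes (an ACCEPT inserted at the top of FORWARD so it lands ahead of libvirt's REJECT rules, plus the PREROUTING DNAT) can be wrapped in a small script that applies the rules without duplicating them and then verifies the resulting order. The following is an added example, not code posted in this thread; the GUEST_IP, HOST_IF and PORT defaults are taken from the thread and the `iptables -S FORWARD` samples are constructed to mirror the output shown above. Applying or checking live rules needs root.

```shell
#!/bin/sh
# Added example (not from the thread): apply the two out-of-firewalld iptables
# rules and check that the FORWARD ACCEPT precedes libvirt's REJECT.
# Assumed values: guest IP, host LAN interface and port from the thread.

GUEST_IP="${GUEST_IP:-192.168.122.176}"   # KVM guest on the virbr0 network
HOST_IF="${HOST_IF:-enp0s20f0}"           # host interface facing the 192.168.1.x LAN
PORT="${PORT:-443}"

# Match/target part of the FORWARD rule: allow new connections to the guest port.
forward_spec() {
    printf '%s' "-d $1/32 -p tcp -m state --state NEW -m tcp --dport $2 -j ACCEPT"
}

# Match/target part of the PREROUTING DNAT rule: rewrite host:PORT to guest:PORT.
dnat_spec() {
    printf '%s' "-i $1 -p tcp --dport $3 -j DNAT --to-destination $2:$3"
}

# Apply both rules idempotently: -C tests for an identical existing rule, so
# rerunning the script never stacks duplicates. -I puts the ACCEPT at the top
# of FORWARD, ahead of libvirt's "-o virbr0 -j REJECT" rule.
apply_rules() {
    fwd=$(forward_spec "$GUEST_IP" "$PORT")
    nat=$(dnat_spec "$HOST_IF" "$GUEST_IP" "$PORT")
    # word-splitting of the spec strings is intended
    iptables -t filter -C FORWARD $fwd 2>/dev/null || iptables -t filter -I FORWARD $fwd
    iptables -t nat -C PREROUTING $nat 2>/dev/null || iptables -t nat -A PREROUTING $nat
}

# Read `iptables -t filter -S FORWARD` output on stdin; succeed only if an
# ACCEPT for the guest appears before libvirt's first "-o virbr0 ... REJECT".
check_order() {
    awk -v guest="$1" '
        /^-A FORWARD / && index($0, "-d " guest "/32") && /-j ACCEPT/ { if (!accept) accept = NR }
        /^-A FORWARD -o virbr0 -j REJECT/ { if (!reject) reject = NR }
        END { exit !(accept && (!reject || accept < reject)) }'
}

# Constructed `iptables -S FORWARD` output modelled on the thread: libvirt's
# rules with the guest ACCEPT inserted ahead of them.
sample_good() {
cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.176/32 -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j FORWARD_direct
EOF
}

# Same rules, but the ACCEPT appended (-A) after libvirt's REJECT, so it never fires.
sample_bad() {
    sample_good | grep -v '192.168.122.176/32'
    sample_good | grep '192.168.122.176/32'
}

case "${1:-}" in
    apply) apply_rules ;;
    check) iptables -t filter -S FORWARD | check_order "$GUEST_IP" \
               && echo "ok: ACCEPT for $GUEST_IP precedes libvirt's REJECT" \
               || echo "missing: ACCEPT for $GUEST_IP is absent or below libvirt's REJECT" ;;
esac
```

Run `sudo sh forward.sh apply` and then `sudo sh forward.sh check`; the `check` branch is the quick way to confirm that an ACCEPT did not simply end up below the libvirt REJECT (which is what `-A` or a firewalld `--direct` rule in FORWARD_direct would do). As in tshikose's setup, these rules are not persisted, so the script has to be rerun after a reboot.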
Old 07-15-2016, 10:06 AM   #3
GaWdLy
Member
 
Registered: Feb 2013
Location: San Jose, CA
Distribution: RHEL/CentOS/Fedora
Posts: 457

Original Poster
Rep: Reputation: Disabled
Tshimanga: that is exactly what I needed. Once I put the iptables rule in place, I was good to go.

I think we're in a weird spot with firewall-cmd and iptables, since it's not obvious to the user that there's an iptables rule blocking a firewall-cmd configuration. I wonder if/when they'll make this easier.

Thank you so much for your time on this. I was seriously spinning my wheels.

Funny thing about our backgrounds, I am also an ITIL v3 Foundation and RHCE holder.
 
Old 07-15-2016, 02:28 PM   #4
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 525

Rep: Reputation: 95
Hi GaWdLy,

You're welcome.
It is good to know I am not alone in my geek thing of being certified.

While iptables was (and still is) a fantastic tool, it has been reputed to be difficult to use. I disagree with that assertion.
But still, firewalld was brought in to bring the systemd service management way and to ease and facilitate firewalling on Linux.

I think it will be necessary to give more power and possibilities to the firewall-cmd command than what is actually possible with the --direct option.
The command seems to lack a capability of ordering and fixing at which rank rules are added to the stack.
firewalld seems to come with its own fixed ordering in the stacks that you cannot (easily) alter.
Fortunately there is still the good old iptables command.

PS: I've corrected a few typos in my previous post.
 
Old 07-15-2016, 03:27 PM   #5
GaWdLy
Member
 
Registered: Feb 2013
Location: San Jose, CA
Distribution: RHEL/CentOS/Fedora
Posts: 457

Original Poster
Rep: Reputation: Disabled
Yes, thankfully, they saw fit to leave iptables in place for just these types of issues.

I'm still working some kinks out on my end over here, but hopefully those are the only rules that are causing problems. Once I put them in place, I was able to get to the web interface immediately.

Thanks again.
 