LinuxQuestions.org
#1 TheDerf (LQ Newbie), 08-10-2016, 08:47 PM
Is it Firewalld, or is it me!


I skimmed the forums, albeit not as thoroughly as I could, looking for a solution to my problem. I think that maybe I have been looking at this too long and now it is all a jumble of "># ~ / - zlkjalskhdf ". I'm currently trying to set up a VM on a KVM host that will act as a game server. I'm worried that I've wasted my time trying to force it through/learning on the way and would appreciate a fresh set of eyes. Thanks for any looks.


The current network/Firewalld setup is as follows.
(last octet removed due to tinfoil hat)


Physical interface of host:

enp3s0f0:
<BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 1c:c1:de:e5:ed:dc brd ff:ff:ff:ff:ff:ff
inet 207.188.214.x/29 brd 207.188.214.x scope global enp3s0f0
valid_lft forever preferred_lft forever
inet6 fe80::1ec1:deff:fee5:eddc/64 scope link
valid_lft forever preferred_lft forever

public (default, active)
interfaces: enp3s0f0
sources:
services: dhcpv6-client ssh vnc-server
ports: 3389/tcp 5905/tcp 25565/tcp
masquerade: yes
forward-ports: port=25565:proto=tcp:toport=:toaddr=192.168.122.97
icmp-blocks:
rich rules:

Virt Interface
6: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 52:54:00:40:86:36 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever

external (active)
interfaces: virb0
sources:
services: ssh
ports: 25565/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

-----------VM


2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:1e:b4:84 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.97/24 brd 192.168.122.255 scope global dynamic eth0
valid_lft 2944sec preferred_lft 2944sec
inet6 fe80::5054:ff:fe1e:b484/64 scope link
valid_lft forever preferred_lft forever

internal (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 25565/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:


however:

Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-10 19:36 EDT
Nmap scan report for cid-3866 (207.188.214.x)
Host is up (0.013s latency).
PORT STATE SERVICE
25565/tcp closed minecraft


(It's a server for some kids to be able to play safely and learn about the interwebs, in case anyone was curious.)
 
#2 roger_heslop (Member, Fedora 20), 08-11-2016, 02:15 PM
From https://docs.fedoraproject.org/en-US...rding-CLI.html ...

To forward packets to another IPv4 address, usually an internal address, without changing the destination port, enter the following command as root:

Quote:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55
Yours reads
Quote:
"forward-ports: port=25565:proto=tcp:toport=:toaddr=192.168.122.97"
Maybe removing the blank "toport=" in that line would help.
 
#3 TheDerf (LQ Newbie, Original Poster), 08-11-2016, 10:14 PM
OK, not sure how that dag gum face got in there, but I removed the empty "toport=", and still no dice. This is currently set up à la the defaults of KVM networking; should I be messing around creating bridges rather than assuming that the interface virbr0 was going to act like a bridge? -thanks again, y'all
 
#4 roger_heslop (Member, Fedora 20), 08-12-2016, 03:17 PM
If creating a bridge is an option in your environment - it's probably the best way to go. In the meantime I'll do some testing on my side in a bit and post back.
 
#5 TheDerf (LQ Newbie, Original Poster), 08-13-2016, 02:16 PM
Thanks, roger. I'm still messing around with the current setup, not looking forward to scratching it and starting over, but c'est la vie, I guess =).
 
#6 roger_heslop (Member, Fedora 20), 08-16-2016, 02:24 PM
Haven't had any luck on my side. I'm certain it wouldn't work with NAT, as port numbers are used for mapping internal to external traffic (chosen at random) - I would expect the result to be that firewalld would be expecting a different port number than the minecraft default.

I can get communications going without Firewalld running from a private virtual network by enabling routing on my host, and applying a return route on the client system. However as soon as the firewall is on, pings fail with destination port unreachable. [EDIT: iptables should work fine with routing] (These are ICMP packets, so I shouldn't need to open additional TCP or UDP ports). <-- So far this looks like the most promising route without bridging

I hadn't gotten port forwarding working (testing got a bit dicey due to unrelated Firewalld issues on my laptop).
My experience with port or ip forwarding has been limited to a local network, as opposed to forwarding an address to another L3 network. I was going to test how this behaved, but I might need to set up VMs with Fedora 24 (so that if any proper bugs are encountered I can submit them). If no one else is sure how this works I'll probably follow up and post back, out of curiosity if nothing else - but could take a few days.

Last edited by roger_heslop; 08-16-2016 at 02:30 PM.
 
#7 roger_heslop (Member, Fedora 20), 08-16-2016, 04:18 PM
I got port forwarding to work, as a test case.

Using 3 VMs - and one as the router between two separate private networks.

VM1 192.168.100.100 gateway/router 192.168.100.1
VM2 192.168.200.100 gateway/router 192.168.200.1

On the router (fedora 24)
Quote:
[root@localhost ~]# firewall-cmd --list-all --zone FedoraServer
FedoraServer (active)
target: default
icmp-block-inversion: no
interfaces: ens3 ens9
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
(ens9 is the public interface so I could run updates - ens3 is the 100.1 interface)

Quote:
[root@localhost ~]# firewall-cmd --list-all --zone external
external (active)
target: default
icmp-block-inversion: no
interfaces: ens4
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports: port=22:proto=tcp:toport=:toaddr=192.168.100.100
sourceports:
icmp-blocks:
rich rules:
The above was added with firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.168.100.100

Note: I also enabled routing.

Now my client (192.168.200.100) can SSH into the router, and land on my 192.168.100.100 box. I hope this gives you some direction, let me know if any questions.
 
#8 tshikose (Member, RHEL/Fedora/CentOS), 08-16-2016, 06:45 PM
Please have a look at this thread
 
#9 TheDerf (LQ Newbie, Original Poster), 09-03-2016, 06:08 PM
Thanks for all the tinkering on your end, Mr. Heslop! I have been too busy to get my butt to work on this, but both y'all's posts are super on point!.....now if I can just figure out why the zone is refusing to let go of an interface that doesn't exist....

[chris@slugfish ~]$ firewall-cmd --get-active-zones
external
interfaces: virb0
public
interfaces: enp3s0f0

[chris@slugfish ~]$ firewall-cmd --get-zone-of-interface=virbr0
no zone

Well, if it's not there, then why's it there, you stoopid penguin! =)
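Two of the slips in this thread are easy to catch mechanically: a zone bound to an interface name the host does not have (the "virb0" in post #9, while the bridge is "virbr0"), and a forward-port entry whose ":proto=" went missing (as the forum's smiley rendering did to the listing in post #1). The checker below is an added example, not code from the thread or from firewalld: it parses the `firewall-cmd --list-all` listing format shown in the posts and reports those two conditions, plus a forward to another host on a zone with masquerade off (firewalld's documentation says forwarding to another host needs masquerading enabled on the zone). The sample listings are reconstructed from the OP's output and the host interface set is constructed; the function and variable names are this example's own.

```python
"""Lint 'firewall-cmd --list-all' output for the slips seen in this thread:
an interface bound to a zone that the host does not have (virb0 vs virbr0),
a forward-port entry whose ':proto=' was lost, and a forward to another
host on a zone without masquerade. Added example, not firewalld's own code."""
import re

# Constructed sample: the OP's 'external' zone, 'virb0' typo kept.
SAMPLE_EXTERNAL = """\
external (active)
  interfaces: virb0
  sources:
  services: ssh
  ports: 25565/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
"""

# Constructed sample: the OP's 'public' zone in real firewalld syntax.
SAMPLE_PUBLIC = """\
public (default, active)
  interfaces: enp3s0f0
  sources:
  services: dhcpv6-client ssh vnc-server
  ports: 3389/tcp 5905/tcp 25565/tcp
  masquerade: yes
  forward-ports: port=25565:proto=tcp:toport=:toaddr=192.168.122.97
  icmp-blocks:
  rich rules:
"""

# Constructed: the same zone as the forum rendered it, with ':p' eaten.
SAMPLE_MANGLED = SAMPLE_PUBLIC.replace("25565:proto=tcp", "25565roto=tcp")

# Constructed: names 'ip -o link' would list on the host (virbr0, not virb0).
HOST_IFACES = {"lo", "enp3s0f0", "virbr0", "virbr0-nic"}

# 'key: value' lines; keys are one or two lowercase words ('rich rules').
# Continuation lines ('port=22:proto=...', 'rule family=ipv4 ...') don't match.
_KEY_LINE = re.compile(r"^([a-z][a-z-]*(?: [a-z]+)?):\s*(.*)$")


def parse_forward_port(spec):
    """'port=25565:proto=tcp:toport=:toaddr=1.2.3.4' -> dict of the fields.
    A mangled 'port=25565roto=tcp' yields no 'proto' key at all."""
    fields = {}
    for item in spec.split(":"):
        key, _, value = item.partition("=")
        fields[key] = value
    return fields


def parse_zone(listing):
    """Parse the text printed by 'firewall-cmd --list-all --zone=<zone>'."""
    lines = listing.strip().splitlines()
    zone = {"name": lines[0].split()[0], "masquerade": False, "forward_ports": []}
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        match = _KEY_LINE.match(line)
        if match:
            current, value = match.groups()
            if current == "masquerade":
                zone["masquerade"] = value == "yes"
            elif current == "forward-ports":
                zone["forward_ports"] += [parse_forward_port(s) for s in value.split()]
            else:
                zone[current] = value.split()
        elif current == "forward-ports":   # newer firewalld: one entry per line
            zone["forward_ports"].append(parse_forward_port(line))
        elif current:                      # e.g. a rich rule on its own line
            zone.setdefault(current, []).append(line)
    return zone


def lint_zone(zone, host_ifaces):
    """Return human-readable findings for one parsed zone."""
    findings, name = [], zone["name"]
    for iface in zone.get("interfaces", []):
        if iface not in host_ifaces:
            findings.append(f"{name}: bound to interface '{iface}', which the host does not have")
    for fp in zone["forward_ports"]:
        spec = ":".join(f"{k}={v}" for k, v in fp.items())
        if not fp.get("proto"):
            findings.append(f"{name}: forward-port '{spec}' has no proto= field (lost ':proto='?)")
        if not fp.get("toport") and not fp.get("toaddr"):
            findings.append(f"{name}: forward-port '{spec}' has neither toport= nor toaddr=")
        if fp.get("toaddr") and not zone["masquerade"]:
            # firewalld's docs: forwarding to another host needs masquerade on the zone
            findings.append(f"{name}: forwards to {fp['toaddr']} but masquerade is off")
    return findings


if __name__ == "__main__":
    for text in (SAMPLE_EXTERNAL, SAMPLE_PUBLIC, SAMPLE_MANGLED):
        for finding in lint_zone(parse_zone(text), HOST_IFACES):
            print(finding)
```

Run against the three constructed listings it reports the dangling "virb0" binding and the entry with no proto= field, and stays silent on the OP's correctly written public zone; feeding it the real output of `firewall-cmd --list-all --zone=<zone>` together with the names from `ip -o link` turns the same check into a quick sanity pass after editing zones by hand.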
Tags
firewalld, kvm, minecraft, networking