[CentOS] strange behavior of firewalld and port-forwarding
Django
Wed Feb 3 13:31:44 UTC 2016
- Previous message: [CentOS] [solved] CentOS 7 - DNAT with firewalld
- Next message: [CentOS] hot do use iscsi loopback
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
Firewalld and I haven't had a good start, but I hope we'll be good friends.
One of my hosts must reroute traffic from one host to another. It isn't a
big problem.
I have a host which must do:
1) forward port 25 tcp to a second host
Here I have a special mail relay. My external.xml looks like this:
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>External</short>
<description>For use on external networks. You do not trust the other
computers on networks to not harm your computer. Only selected incoming
connections are accepted.</description>
<interface name="eth1"/>
<service name="ssh"/>
<masquerade/>
<forward-port to-addr="10.0.0.87" protocol="tcp" port="25"/>
</zone>
Everything works as expected; incoming traffic on port 25 is forwarded to
10.0.0.87 port 25.
2) traffic from 80.80.80.80 with destination port 25 should be forwarded
to port 22 tcp on 10.0.0.17, and not to 10.0.0.87 on port 25
So I made a new rule with:
firewall-cmd --zone=external --add-rich-rule='rule forward-port port="25" to-port="22" to-addr="10.0.0.17" protocol="tcp" family="ipv4" source address="80.80.80.80"'
If I try to connect from host 80.80.80.80 to my system with:
"telnet 10.0.0.17 25"
I can connect to the final host 10.0.0.17 on port 22 and OpenSSH greets
me with "SSH-2.0-OpenSSH_6.6.1". It is working as I expected.
To make my new firewall rule permanent I use:
"firewall-cmd --runtime-to-permanent"
and the zone file now has this content:
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>External</short>
<description>For use on external networks. You do not trust the other
computers on networks to not harm your computer. Only selected incoming
connections are accepted.</description>
<interface name="eth1"/>
<service name="ssh"/>
<masquerade/>
<forward-port to-addr="10.0.0.87" protocol="tcp" port="25"/>
<rule family="ipv4">
<source address="80.80.80.80"/>
<forward-port to-addr="10.0.0.17" to-port="22" protocol="tcp"
port="25"/>
</rule>
</zone>
O.K. That isn't a miracle. BUT, everything is working right until I restart
the server or reload firewalld with:
"firewall-cmd --reload"
Now I can't access my host 10.0.0.17 via ssh over my transit host! I
reach the destination host 10.0.0.87 on port 25. It looks like my rich rule
wasn't defined. :/
Any idea how to make it reboot-safe?
Thanks for the help
ttyl,
Django
--
"Bonnie & Clyde of the postmaster scene!" approved by Postfix-God
http://wetterstation-pliening.info
http://dokuwiki.nausch.org
http://wiki.piratenpartei.de/Benutzer:Django
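The two forwards in the permanent zone file above both claim tcp/25: the zone-level `<forward-port>` for every source, and the rich rule only for 80.80.80.80. As an added example (not code from the post, nor from the CentOS or firewalld projects), the following Python script parses a firewalld zone file, lists zone-level and rich-rule forward-ports, flags ports that carry both a catch-all and a source-restricted target, and prints matching `firewall-cmd --query-forward-port` / `--query-rich-rule` commands for the runtime and the `--permanent` configuration so the two can be compared before and after `firewall-cmd --reload`. The zone XML embedded in the script is the post's external.xml, copied in as constructed input. The script only makes the overlap visible; it does not decide which target a packet hits after the reload, and whether the overlap causes the behaviour reported above is not something the post establishes.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed input: the permanent external.xml shown in the post after
# `firewall-cmd --runtime-to-permanent`, copied here so the script runs offline.
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <interface name="eth1"/>
  <service name="ssh"/>
  <masquerade/>
  <forward-port to-addr="10.0.0.87" protocol="tcp" port="25"/>
  <rule family="ipv4">
    <source address="80.80.80.80"/>
    <forward-port to-addr="10.0.0.17" to-port="22" protocol="tcp" port="25"/>
  </rule>
</zone>
"""


def _entry(fp, source, family):
    """Normalise one <forward-port> element. A missing to-port means the
    destination port is unchanged, which is firewalld's own semantics."""
    return {
        "port": fp.get("port"),
        "protocol": fp.get("protocol"),
        "to_addr": fp.get("to-addr"),
        "to_port": fp.get("to-port") or fp.get("port"),
        "source": source,  # None for a zone-level forward that applies to every source
        "family": family,  # None for zone-level entries, "ipv4"/"ipv6" for rich rules
    }


def parse_forwards(zone_xml):
    """Collect every forward-port in the zone, zone-level entries first, then
    those nested in rich <rule> elements, in document order."""
    root = ET.fromstring(zone_xml)
    forwards = [_entry(fp, None, None) for fp in root.findall("forward-port")]
    for rule in root.findall("rule"):
        src = rule.find("source")
        source = src.get("address") if src is not None else None
        for fp in rule.findall("forward-port"):
            forwards.append(_entry(fp, source, rule.get("family")))
    return forwards


def find_overlaps(forwards):
    """Return {(protocol, port): {"catch_all": [...], "restricted": [...]}} for every
    port that is forwarded both unconditionally and for a specific source address.
    Such a port has two competing DNAT targets; this only flags it."""
    by_key = defaultdict(list)
    for f in forwards:
        by_key[(f["protocol"], f["port"])].append(f)
    overlaps = {}
    for key, entries in by_key.items():
        catch_all = [e for e in entries if e["source"] is None]
        restricted = [e for e in entries if e["source"] is not None]
        if catch_all and restricted:
            overlaps[key] = {"catch_all": catch_all, "restricted": restricted}
    return overlaps


def rich_rule_text(f):
    """Rich rule string in firewalld's documented order: family, source, element."""
    parts = ["rule"]
    if f["family"]:
        parts.append(f'family="{f["family"]}"')
    parts.append(f'source address="{f["source"]}"')
    elem = f'forward-port port="{f["port"]}" protocol="{f["protocol"]}"'
    if f["to_port"] != f["port"]:
        elem += f' to-port="{f["to_port"]}"'
    elem += f' to-addr="{f["to_addr"]}"'
    parts.append(elem)
    return " ".join(parts)


def query_commands(forwards, zone="external"):
    """One runtime and one --permanent firewall-cmd query per forward, so the two
    configurations can be diffed around `firewall-cmd --reload`. Each query
    prints yes/no and exits 0/1."""
    cmds = []
    for f in forwards:
        if f["source"] is None:
            spec = f'port={f["port"]}:proto={f["protocol"]}'
            if f["to_port"] != f["port"]:
                spec += f':toport={f["to_port"]}'
            spec += f':toaddr={f["to_addr"]}'
            arg = f"--query-forward-port={spec}"
        else:
            arg = f"--query-rich-rule='{rich_rule_text(f)}'"
        cmds.append(f"firewall-cmd --zone={zone} {arg}")
        cmds.append(f"firewall-cmd --permanent --zone={zone} {arg}")
    return cmds


if __name__ == "__main__":
    fwds = parse_forwards(ZONE_XML)
    for (proto, port), o in find_overlaps(fwds).items():
        print(f"{proto}/{port}: catch-all -> {[e['to_addr'] for e in o['catch_all']]}, "
              f"restricted -> {[(e['source'], e['to_addr'], e['to_port']) for e in o['restricted']]}")
    print("\n".join(query_commands(fwds)))
```

Run the printed query commands on the transit host once before and once after `firewall-cmd --reload`; if a rule answers `yes` with `--permanent` but `no` at runtime after the reload, the permanent file and the loaded rule set have diverged, which is the first thing to establish before looking at rule ordering.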