[CentOS] strange behavior of firewalld and port-forwarding

Django

Wed Feb 3 13:31:44 UTC 2016


Hi,

Firewalld and I didn't get off to a good start, but I hope we'll be good friends.

One of my hosts must reroute traffic from one host to another. It isn't a
big problem.

I have a host which must do:

1) forward port 25 TCP to a second host
Here I have a special mail relay. My external.xml looks like this one:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks. You do not trust the other
computers on networks to not harm your computer. Only selected incoming
connections are accepted.</description>
  <interface name="eth1"/>
  <service name="ssh"/>
  <masquerade/>
  <forward-port to-addr="10.0.0.87" protocol="tcp" port="25"/>
</zone>

Everything works as expected; incoming traffic on port 25 is forwarded to
10.0.0.87 port 25.


2) traffic from 80.80.80.80 with destination port 25 should be forwarded
to port 22 TCP on 10.0.0.17 and not to 10.0.0.87 on port 25

So I made a new rule with:
firewall-cmd --zone=external --add-rich-rule='rule forward-port
port="25" to-port="22" to-addr="10.0.0.17" protocol="tcp" family="ipv4"
source address="80.80.80.80"'

If I try, from host 80.80.80.80, to connect to my system with:
"telnet 10.0.0.17 25"
I reach the final host 10.0.0.17 on port 22 and OpenSSH greets me with
"SSH-2.0-oPENssh_6.6.1". It is working as I expected.

To make my new firewall rule permanent I use:
"firewall-cmd --runtime-to-permanent"
and the zone file now has this content:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks. You do not trust the other
computers on networks to not harm your computer. Only selected incoming
connections are accepted.</description>
  <interface name="eth1"/>
  <service name="ssh"/>
  <masquerade/>
  <forward-port to-addr="10.0.0.87" protocol="tcp" port="25"/>
  <rule family="ipv4">
    <source address="80.80.80.80"/>
    <forward-port to-addr="10.0.0.17" to-port="22" protocol="tcp"
port="25"/>
  </rule>
</zone>

O.K., that isn't a miracle. BUT, everything is working right until I restart
the server or reload firewalld with:
"firewall-cmd --reload"

Now I can't access my host 10.0.0.17 via SSH over my transit host! I
reach destination host 10.0.0.87 on port 25. It looks like my rich rule
wasn't defined. :/

Any idea how to make it reboot-safe?

Thanks for your help

ttyl,
Django
-- 
"Bonnie & Clyde of the postmaster scene!" approved by Postfix-God
http://wetterstation-pliening.info
http://dokuwiki.nausch.org
http://wiki.piratenpartei.de/Benutzer:Django
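An added example (not from the post or from firewalld itself): it parses the zone XML format shown in the message and flags every protocol/port pair that is claimed both by a zone-wide catch-all `<forward-port>` and by a source-restricted rich rule, which is exactly the pair this zone contains. `ZONE_XML` is the poster's second zone file copied inline (description omitted); the function names are the example's own.

```python
"""Audit a firewalld zone file for overlapping port-forwards.

Two DNAT rules for the same protocol/port (one for everybody, one for a
single source) are not an error in the zone file, but in netfilter the
first matching DNAT rule wins, so the zone file alone does not show which
host finally answers. This script makes such overlaps visible.
"""
import xml.etree.ElementTree as ET

# Zone file as it appears after --runtime-to-permanent in the post.
ZONE_XML = """<zone>
  <short>External</short>
  <interface name="eth1"/>
  <service name="ssh"/>
  <masquerade/>
  <forward-port to-addr="10.0.0.87" protocol="tcp" port="25"/>
  <rule family="ipv4">
    <source address="80.80.80.80"/>
    <forward-port to-addr="10.0.0.17" to-port="22" protocol="tcp" port="25"/>
  </rule>
</zone>"""


def collect_forwards(zone_xml):
    """Return (protocol, port, source, to_addr, to_port) for each <forward-port>.

    Zone-level entries get source None; entries inside a <rule> carry the
    rule's <source address> (None if the rule has no source element).
    A missing to-port means "same port", as firewalld treats it.
    """
    root = ET.fromstring(zone_xml)
    found = []
    for fp in root.findall("forward-port"):
        found.append((fp.get("protocol"), fp.get("port"), None,
                      fp.get("to-addr"), fp.get("to-port") or fp.get("port")))
    for rule in root.findall("rule"):
        src = rule.find("source")
        src_addr = src.get("address") if src is not None else None
        for fp in rule.findall("forward-port"):
            found.append((fp.get("protocol"), fp.get("port"), src_addr,
                          fp.get("to-addr"), fp.get("to-port") or fp.get("port")))
    return found


def find_overlaps(zone_xml):
    """(protocol, port) pairs with both a catch-all and a source-restricted forward."""
    forwards = collect_forwards(zone_xml)
    catch_all = {(p, port) for p, port, src, _, _ in forwards if src is None}
    specific = {(p, port) for p, port, src, _, _ in forwards if src is not None}
    return sorted(catch_all & specific)


if __name__ == "__main__":
    for proto, port in find_overlaps(ZONE_XML):
        print(f"{proto}/{port}: catch-all and source-restricted forward both present")
```

Running it against the poster's zone prints `tcp/25: catch-all and source-restricted forward both present`; a zone with only one of the two forwards prints nothing.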



More information about the CentOS mailing list