J D asked:
I have a CentOS 7 KVM host with a single public IPv4, which is housing multiple guest OSs and acting as a firewall / gateway for the guest network 192.168.1.0/24 / NAT.
I want to run a web server on one of the guests on port 80, so the following firewalld rule is needed:
rule family="ipv4" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.1.3"
Once that is done though, all guests except 192.168.1.3 lose connectivity to the world's port 80 (i.e. when doing yum makecache), except the KVM host, which is unaffected.
The question is: does having this rule override the default connection tracking policies of firewalld, and if so, why isn't the host affected?
Guests are using KVM routed mode networking;
relevant host firewalld config:
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.1.3"
The following didn't exist before, but virbr0 got picked up by NetworkManager, so I added blind trust until a better strategy is devised:
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources: 192.168.1.0/24
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Your rich rule is overly broad; it applies to all traffic for port 80, regardless of its source or destination.
To fix the problem, also specify the destination IP address in the rich rule. This is the global IPv4 address on which the traffic is received. For example:
rule family="ipv4" destination address="198.51.100.220" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.1.3"
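To see why the broad rule breaks the other guests while the narrowed one does not, here is an added example (not from the question or the answer): a small parser for the forward-port rich rule syntax used above, applied to constructed forwarded packets. The public address 198.51.100.220 is the answer's example, and the packet addresses are made up.

```python
import re
import ipaddress

# Constructed example: the broad rule from the question and the narrowed rule
# from the answer (198.51.100.220 stands in for the host's single public IPv4).
BROAD_RULE = ('rule family="ipv4" forward-port port="80" protocol="tcp" '
              'to-port="80" to-addr="192.168.1.3"')
NARROW_RULE = ('rule family="ipv4" destination address="198.51.100.220" '
               'forward-port port="80" protocol="tcp" to-port="80" '
               'to-addr="192.168.1.3"')

# Constructed packets entering the host for forwarding: another guest's outbound
# request to a yum mirror, an Internet client reaching the public address, and
# a guest SSH session that no port-80 rule should touch.
PACKETS = {
    "guest_outbound": {"src": "192.168.1.5", "dst": "203.0.113.80", "proto": "tcp", "dport": 80},
    "inbound_to_host": {"src": "198.51.100.9", "dst": "198.51.100.220", "proto": "tcp", "dport": 80},
    "guest_ssh": {"src": "192.168.1.5", "dst": "203.0.113.80", "proto": "tcp", "dport": 22},
}

_KV = re.compile(r'(destination address|[\w-]+)="([^"]*)"')

def parse_rich_rule(rule):
    """Parse a firewalld forward-port rich rule into its key/value clauses.
    A 'destination address' clause, if present, becomes an ip_network under 'dst'."""
    if not rule.startswith("rule ") or "forward-port" not in rule:
        raise ValueError("not a forward-port rich rule")
    fields = dict(_KV.findall(rule))
    dst = fields.pop("destination address", None)
    fields["dst"] = ipaddress.ip_network(dst, strict=False) if dst else None
    for required in ("port", "protocol", "to-addr"):
        if required not in fields:
            raise ValueError(f"rule lacks {required}=")
    fields.setdefault("to-port", fields["port"])  # firewalld keeps the port if to-port is absent
    return fields

def dnat_target(rule, pkt):
    """Return (to-addr, to-port) if the parsed rule rewrites this forwarded packet,
    else None. Without a 'dst' constraint every packet to the port matches, which is
    exactly why the other guests' outbound port-80 traffic ends up at 192.168.1.3."""
    if pkt["proto"] != rule["protocol"] or str(pkt["dport"]) != rule["port"]:
        return None
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return None
    return (rule["to-addr"], int(rule["to-port"]))

def hijacked(rule_text, packets=PACKETS):
    """Names of the constructed packets the rule would redirect to the web guest."""
    rule = parse_rich_rule(rule_text)
    return sorted(name for name, pkt in packets.items() if dnat_target(rule, pkt))

if __name__ == "__main__":
    print("broad  :", hijacked(BROAD_RULE))   # ['guest_outbound', 'inbound_to_host']
    print("narrow :", hijacked(NARROW_RULE))  # ['inbound_to_host']
```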