different firewalld rich rule behavior in kvm host compared to kvm guests

J D asked:

I have a CentOS 7 KVM host with a single public IPv4, which is housing multiple guest OSes and acting as a firewall / gateway for guest network 192.168.1.0/24 / NAT.

I want to run a webserver on one of the guests on port 80, so the following firewalld rule is needed:

rule family="ipv4" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.1.3"

Once that is done though, all guests except 192.168.1.3 lose connectivity to the world's port 80 (i.e. when doing yum makecache), except the KVM host, which is unaffected.

The question is – does having this rule override the default connection tracking policies of firewalld and if so, why isn’t the host affected?

Additional info:
guests are using KVM routed mode networking;
relevant host firewalld config:

external (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0
sources: 
services: ssh
ports: 
protocols: 
masquerade: yes
forward-ports:
source-ports: 
icmp-blocks: 
rich rules: 
   rule family="ipv4" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.1.3"

the following didn’t exist before but virbr0 got picked up by NetworkManager, so I added blind trust until a better strategy is devised

trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: virbr0
sources: 192.168.1.0/24
services: 
ports: 
protocols: 
masquerade: no
forward-ports: 
source-ports: 
icmp-blocks: 
rich rules: 

My answer:


Your rich rule is overly broad; it applies to all traffic for port 80, regardless of its source or destination.

To fix the problem, also specify the destination IP address in the rich rule. This is the global IPv4 address on which the traffic is received. For example:

rule family="ipv4" destination address="198.51.100.220" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.1.3"
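To make the difference between the two rules concrete, here is an added example (not part of the original answer) that models a forward-port rich rule as the PREROUTING DNAT it generates and runs a few constructed flows through it: an inbound visitor hitting the public address, a guest fetching repository metadata from a mirror, and the host doing the same. The modelling assumptions are that guest traffic crossing the host is subject to the rule, as the question reports, and that the host's own traffic is never rewritten because locally generated packets do not traverse PREROUTING. The mirror address 192.0.2.10 and the visitor address 203.0.113.7 are made up; 198.51.100.220 is the placeholder public address from the answer.

```python
"""Model of how a firewalld forward-port rich rule (a PREROUTING DNAT) matches
traffic, contrasting the broad rule from the question with the corrected one.
Added example; the remote addresses below are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Dict, Optional

PUBLIC_IP = "198.51.100.220"   # host's global IPv4 (placeholder from the answer)
WEB_GUEST = "192.168.1.3"      # guest running the web server
MIRROR = "192.0.2.10"          # constructed: a remote yum mirror


@dataclass(frozen=True)
class ForwardPort:
    port: int
    protocol: str
    to_addr: str
    to_port: int
    destination: Optional[str] = None   # None: rule matches any destination

    def rich_rule(self) -> str:
        """Render the rule in firewalld rich-rule syntax."""
        dst = f' destination address="{self.destination}"' if self.destination else ""
        return (f'rule family="ipv4"{dst} forward-port port="{self.port}" '
                f'protocol="{self.protocol}" to-port="{self.to_port}" '
                f'to-addr="{self.to_addr}"')


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    protocol: str = "tcp"
    local: bool = False   # True if generated by the host itself


def dnat(rule: ForwardPort, pkt: Packet) -> Packet:
    """Apply the rule the way a PREROUTING DNAT would: only packets entering
    the host are considered (locally generated traffic takes OUTPUT instead),
    then protocol/port and, if given, destination address must match."""
    if pkt.local:
        return pkt
    if pkt.protocol != rule.protocol or pkt.dport != rule.port:
        return pkt
    if rule.destination is not None and pkt.dst != rule.destination:
        return pkt
    return replace(pkt, dst=rule.to_addr, dport=rule.to_port)


# The rule from the question (no destination) and the corrected one.
BROAD = ForwardPort(80, "tcp", WEB_GUEST, 80)
FIXED = ForwardPort(80, "tcp", WEB_GUEST, 80, destination=PUBLIC_IP)

# Constructed flows: an inbound visitor, a guest fetching metadata, the host itself.
CASES = {
    "inbound_visitor": Packet("203.0.113.7", PUBLIC_IP, 80),
    "guest_yum":       Packet("192.168.1.5", MIRROR, 80),
    "host_yum":        Packet(PUBLIC_IP, MIRROR, 80, local=True),
}


def resulting_destinations(rule: ForwardPort) -> Dict[str, str]:
    """Destination address each constructed flow ends up with under `rule`."""
    return {name: dnat(rule, pkt).dst for name, pkt in CASES.items()}


if __name__ == "__main__":
    for label, rule in (("broad", BROAD), ("fixed", FIXED)):
        print(label, rule.rich_rule())
        for name, dst in resulting_destinations(rule).items():
            print(f"  {name:16} -> {dst}")
```

Under the broad rule the guest's request to the mirror is rewritten to 192.168.1.3, which is exactly the symptom in the question, while the host's own request is untouched; with the destination address added, only traffic actually addressed to the public IP is forwarded.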

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.