View Issue Details

ID: 0013181
Project: CentOS-7
Category: firewalld
View Status: public
Last Update: 2017-04-26 18:56
Reporter: davidbiesack
Priority: normal
Severity: major
Reproducibility: have not tried
Status: new
Resolution: open
Product Version: 7.2.1511
Target Version:
Fixed in Version:
Summary: 0013181: firewalld does not allow port forwarding on localhost
Description: On a new CentOS 7 full ISO install, I found that firewalld a) does not include the lo interface and b) does not allow port forwarding on lo (localhost), such as port 80 -> port 8180.

Steps To Reproduce:
$ sudo firewall-cmd --get-active-zones
public
  interfaces: em1
$ sudo firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources:
  services: dhcpv6-client ssh
  ports: 8180/tcp 5900/tcp
  protocols:
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8180:toaddr=
  sourceports:
  icmp-blocks:
  rich rules:

$ sudo firewall-cmd --zone=trusted --add-interface=lo
$ sudo firewall-cmd --zone=trusted --add-port=80/tcp
$ sudo firewall-cmd --zone=trusted --add-port=8180/tcp
$ sudo firewall-cmd --zone=trusted --add-forward-port=port=80:proto=tcp:toport=8180
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --get-active-zones
public
  interfaces: em1
trusted
  interfaces: lo
$ sudo firewall-cmd --info-zone=trusted
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lo
  sources:
  services:
  ports: 80/tcp 8180/tcp
  protocols:
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8180:toaddr=
  sourceports:
  icmp-blocks:
  rich rules:

From another host, accessing http://myhost.mydomain:8180/ works, as does port forwarding via http://myhost.mydomain:8180/.

From my CentOS desktop, http://localhost:8180/ works, but http://myhost.mydomain/ does not.
Additional Information: I was only able to get localhost port forwarding working by disabling firewalld and enabling iptables:


    sudo yum install iptables-services
    sudo systemctl mask firewalld.service
    sudo systemctl enable iptables.service
    
    # Optional:
    # systemctl enable ip6tables.service
    # Optional: you may have 80 -> 8080 redirects. If so, -D (delete) them first:
    sudo /sbin/iptables -t nat -D OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
    sudo /sbin/iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
    
    # PREROUTING handles packets arriving from other hosts; OUTPUT -o lo handles
    # locally generated (localhost) connections, which never traverse PREROUTING.
    sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8180
    sudo /sbin/iptables -t nat -I OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8180
    sudo service iptables save
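The workaround needs both rules because a firewalld forward-port only lands in the PREROUTING path, which locally generated connections never traverse. The script below is an added check, not part of the report and not firewalld code: it walks a saved nat table and reports whether a redirect is reachable from both PREROUTING and OUTPUT. The two sample rule sets and the zone chain name PRE_public_fwd are constructed for illustration.

```shell
#!/bin/sh
# Added check, not from the bug report: walk a saved nat table (output of
# `iptables-save -t nat`) and report whether a dport -> toport REDIRECT is
# reachable from PREROUTING (packets from other hosts) and from OUTPUT (locally
# generated packets, which never traverse PREROUTING). A firewalld forward-port
# only populates the PREROUTING side, hence the localhost symptom in the report.
# reachable_chains ROOT FILE: print ROOT and every chain reached from it via -j
reachable_chains() {
    queue=$1; seen=" $1 "
    while [ -n "$queue" ]; do
        c=${queue%% *}; queue=${queue#"$c"}; queue=${queue# }
        printf '%s\n' "$c"
        for t in $(sed -n "s/^-A $c .*-j \([A-Za-z0-9_]*\).*/\1/p" "$2"); do
            case "$seen" in *" $t "*) ;; *) seen="$seen$t "; queue="${queue:+$queue }$t" ;; esac
        done
    done
}
# has_redirect ROOT DPORT TOPORT FILE: true if a matching REDIRECT hangs off ROOT
has_redirect() {
    for c in $(reachable_chains "$1" "$4"); do
        grep -q "^-A $c .*-p tcp .*--dport $2 .*-j REDIRECT --to-ports $3\$" "$4" && return 0
    done
    return 1
}
# check_localhost_forward DPORT TOPORT FILE: succeeds only if both paths exist
check_localhost_forward() {
    rc=0
    if has_redirect PREROUTING "$1" "$2" "$3"; then echo "PREROUTING: $1 -> $2 ok (remote clients)"
    else echo "PREROUTING: no redirect $1 -> $2"; rc=1; fi
    if has_redirect OUTPUT "$1" "$2" "$3"; then echo "OUTPUT: $1 -> $2 ok (localhost)"
    else echo "OUTPUT: no redirect $1 -> $2, so localhost:$1 is not forwarded"; rc=1; fi
    return $rc
}
# Constructed sample 1: a forward-port as firewalld programs it (PREROUTING only;
# the zone chain name PRE_public_fwd is made up for illustration)
FWD_ONLY=$(mktemp); cat > "$FWD_ONLY" <<'EOF'
-A PREROUTING -j PRE_public_fwd
-A PRE_public_fwd -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8180
EOF
# Constructed sample 2: the iptables workaround from the report (both chains)
BOTH=$(mktemp); cat > "$BOTH" <<'EOF'
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8180
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8180
EOF
trap 'rm -f "$FWD_ONLY" "$BOTH"' EXIT
check_localhost_forward 80 8180 "$FWD_ONLY" || echo "-> the symptom in the report"
check_localhost_forward 80 8180 "$BOTH"
```

On a live host, run the same check against `iptables-save -t nat` output to confirm both paths exist before assuming the forward works for localhost.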
Tags: No tags attached.

Activities

davidbiesack (reporter)   2017-04-26 18:56   ~0029160

As per a request on www.CentOS.org/forums, I've reported this upstream on Red Hat at https://bugzilla.redhat.com/show_bug.cgi?id=1445918 (feel free to close this if that is the expected protocol for this situation).

Issue History

Date Modified Username Field Change
2017-04-26 18:07 davidbiesack New Issue
2017-04-26 18:56 davidbiesack Note Added: 0029160