
My Linux environment is Fedora 27, httpd is running, and `firewall-cmd --list-all` shows

FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp3s0
  sources: 
  services: dhcpv6-client ssh samba-client mdns
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Although neither the http service nor port 80 is allowed, nmap shows that

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-25 18:55 PST
Nmap scan report for 10.0.0.15
Host is up (0.000052s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

and I can actually connect to the server using a browser.

`systemctl status httpd` shows no errors, but `systemctl status firewalld` shows the following errors:

Nov 25 18:34:44 localhost.localdomain firewalld[3310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWARD --out-interface virbr0 --jump REJECT' failed:
Nov 25 18:34:44 localhost.localdomain firewalld[3310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed:
Nov 25 18:34:44 localhost.localdomain firewalld[3310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT' 
Nov 25 18:34:44 localhost.localdomain firewalld[3310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT' 
Nov 25 18:34:44 localhost.localdomain firewalld[3310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT
Nov 25 18:34:44 localhost.localdomain firewalld[3310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT' 
Nov 25 18:34:44 localhost.localdomain firewalld[3310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' 
Nov 25 18:43:17 localhost.localdomain systemd[1]: Reloading firewalld - dynamic firewall daemon.
Nov 25 18:43:17 localhost.localdomain systemd[1]: Reloaded firewalld - dynamic firewall daemon.
Nov 25 18:43:17 localhost.localdomain firewalld[3310]: WARNING: FedoraServer: INVALID_SERVICE: cockpit

If I set up the same situation in my virtual machine, which runs CentOS 7, firewalld works as I want: while running httpd in the VM, if I add the http service to the firewall rules I can connect, otherwise I cannot. But in Fedora, I don't know what is wrong.

What I was trying to do was port forwarding from host port 80/tcp to my VM's port 80/tcp. I realized that port forwarding was not working, and neither was add-service or add-port in firewall-cmd. How can I fix the problem?

Although iptables is disabled, I post the output of `iptables -L` here. 192.168.122.0/24 is the network for my VM.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
OUTPUT_direct  all  --  anywhere             anywhere            

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_FedoraWorkstation  all  --  anywhere             anywhere            [goto] 
FWDI_FedoraWorkstation  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_FedoraWorkstation  all  --  anywhere             anywhere            [goto] 
FWDO_FedoraWorkstation  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_FedoraWorkstation (2 references)
target     prot opt source               destination         
FWDI_FedoraWorkstation_log  all  --  anywhere             anywhere            
FWDI_FedoraWorkstation_deny  all  --  anywhere             anywhere            
FWDI_FedoraWorkstation_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain FWDI_FedoraWorkstation_allow (1 references)
target     prot opt source               destination         

Chain FWDI_FedoraWorkstation_deny (1 references)
target     prot opt source               destination         

Chain FWDI_FedoraWorkstation_log (1 references)
target     prot opt source               destination         

Chain FWDO_FedoraWorkstation (2 references)
target     prot opt source               destination         
FWDO_FedoraWorkstation_log  all  --  anywhere             anywhere            
FWDO_FedoraWorkstation_deny  all  --  anywhere             anywhere            
FWDO_FedoraWorkstation_allow  all  --  anywhere             anywhere            

Chain FWDO_FedoraWorkstation_allow (1 references)
target     prot opt source               destination         

Chain FWDO_FedoraWorkstation_deny (1 references)
target     prot opt source               destination         

Chain FWDO_FedoraWorkstation_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_FedoraWorkstation  all  --  anywhere             anywhere            [goto] 
IN_FedoraWorkstation  all  --  anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain IN_FedoraWorkstation (2 references)
target     prot opt source               destination         
IN_FedoraWorkstation_log  all  --  anywhere             anywhere            
IN_FedoraWorkstation_deny  all  --  anywhere             anywhere            
IN_FedoraWorkstation_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain IN_FedoraWorkstation_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-dgm ctstate NEW
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpts:blackjack:65535 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:blackjack:65535 ctstate NEW

Chain IN_FedoraWorkstation_deny (1 references)
target     prot opt source               destination         

Chain IN_FedoraWorkstation_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination  

The output of `lsof -i -P -n | grep LISTEN` is

dnsmasq    1037 nobody    6u  IPv4   27561      0t0  TCP 192.168.122.1:53 (LISTEN)
cupsd      1788   root    9u  IPv6   37232      0t0  TCP [::1]:631 (LISTEN)
cupsd      1788   root   10u  IPv4   37233      0t0  TCP 127.0.0.1:631 (LISTEN)
httpd      2355   root    4u  IPv6   43072      0t0  TCP *:80 (LISTEN)
httpd      2358 apache    4u  IPv6   43072      0t0  TCP *:80 (LISTEN)
httpd      2359 apache    4u  IPv6   43072      0t0  TCP *:80 (LISTEN)
httpd      2360 apache    4u  IPv6   43072      0t0  TCP *:80 (LISTEN)
sshd       3070   root    5u  IPv4   50178      0t0  TCP *:22 (LISTEN)
sshd       3070   root    7u  IPv6   50180      0t0  TCP *:22 (LISTEN)
jupyter-n  3512   rhce    4u  IPv6   64019      0t0  TCP [::1]:8888 (LISTEN)
jupyter-n  3512   rhce    5u  IPv4   64020      0t0  TCP 127.0.0.1:8888 (LISTEN)
python3    3545   rhce   14u  IPv4   66283      0t0  TCP 127.0.0.1:40521 (LISTEN)
python3    3545   rhce   17u  IPv4   66287      0t0  TCP 127.0.0.1:49589 (LISTEN)
python3    3545   rhce   20u  IPv4   66291      0t0  TCP 127.0.0.1:48583 (LISTEN)
python3    3545   rhce   23u  IPv4   66295      0t0  TCP 127.0.0.1:39659 (LISTEN)
python3    3545   rhce   28u  IPv4   66300      0t0  TCP 127.0.0.1:35933 (LISTEN)
python3    3545   rhce   41u  IPv4   68637      0t0  TCP 127.0.0.1:44955 (LISTEN)

and the output of `ss -tlpn` is

State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      100    127.0.0.1:49589     *:*   users:(("python3",pid=3545,fd=17))
LISTEN  0      32     192.168.122.1:53    *:*   users:(("dnsmasq",pid=1037,fd=6))
LISTEN  0      128    *:22                *:*   users:(("sshd",pid=3070,fd=5))
LISTEN  0      5      127.0.0.1:631       *:*   users:(("cupsd",pid=1788,fd=10))
LISTEN  0      128    127.0.0.1:8888      *:*   users:(("jupyter-noteboo",pid=3512,fd=5))
LISTEN  0      100    127.0.0.1:44955     *:*   users:(("python3",pid=3545,fd=41))
LISTEN  0      100    127.0.0.1:35933     *:*   users:(("python3",pid=3545,fd=28))
LISTEN  0      100    127.0.0.1:48583     *:*   users:(("python3",pid=3545,fd=20))
LISTEN  0      100    127.0.0.1:40521     *:*   users:(("python3",pid=3545,fd=14))
LISTEN  0      100    127.0.0.1:39659     *:*   users:(("python3",pid=3545,fd=23))
LISTEN  0      128    *:80                *:*   users:(("httpd",pid=2360,fd=4),("httpd",pid=2359,fd=4),("httpd",pid=2358,fd=4),("httpd",pid=2355,fd=4))
LISTEN  0      128    *:22                *:*   users:(("sshd",pid=3070,fd=7))
LISTEN  0      5      [::1]:631           *:*   users:(("cupsd",pid=1788,fd=9))
LISTEN  0      128    [::1]:8888          *:*   users:(("jupyter-noteboo",pid=3512,fd=4))
Yeongbae
  • Show an `iptables -L`. – Mike Nov 26 '17 at 06:20
  • All your COMMAND_FAILED lines must first be resolved. What result do you have if you run them one by one on the command line? – Patrick Mevzek Nov 27 '17 at 15:46
  • Executing the failed commands one by one does not give an error. In my understanding, firewalld is a different service from iptables, but why did firewalld execute the failed commands? Does firewalld depend on iptables even though the iptables service is disabled? – Yeongbae Nov 28 '17 at 11:56
  • All traffic is always allowed on the local host. – Michael Hampton Dec 07 '17 at 05:47
  • In what you describe as the output of iptables -L, I do not see a listing of ports and their status. Have you tried any of these commands to view more on the status of TCP port 80? lsof: `$ sudo lsof -i -P -n | grep LISTEN`; netstat: `$ netstat -tulpn | grep LISTEN` (for Linux). Your firewall shows port 80 is closed? And you do not have any http services somewhere calling the default port? – Mika Wolf Nov 26 '17 at 15:10
  • I started httpd (Apache), and I intentionally closed port 80 using firewall-cmd in order to test, but unfortunately firewalld does not work as I want. The output of ss and lsof is in the post. – Yeongbae Nov 27 '17 at 00:19
  • With `netstat -tulpn | grep :80` you could see which process is accepting traffic on port 80 – Ace Jul 08 '22 at 12:26

1 Answer


Interestingly, firewalld did not allow port forwarding to the virtual machine, even though the firewalld command was right. I found that an iptables rule blocks the port forwarding before firewalld, so I added the port forwarding rule directly to the first row of the iptables rules.

Yeongbae
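Added example (not code from the question, the answer or firewalld): a small Python evaluator for rules in `iptables -S` form that reports which rule decides a packet's fate, to show why the two observations in this thread are consistent. The ruleset is constructed to mirror the chain order in the question's `iptables -L` output: libvirt's `virbr0` rules sit ahead of firewalld's `*_ZONES` chains, and firewalld accepts everything that arrives on `lo`, which `iptables -L` prints as a bare `ACCEPT all anywhere anywhere` because it omits the interface columns unless `-v` is given. An nmap run on the host against its own address therefore travels over `lo` and never reaches the zone rules, while the same port from a LAN client is rejected; and a forwarded connection to the guest is rejected by libvirt's `-o virbr0 -j REJECT` before firewalld's forward chain is consulted, which is what the answer's rule inserted at position 1 works around. The client address 10.0.0.20, the guest address 192.168.122.10 and the rule texts are assumptions, not the system's actual rules.

```python
# Added example, not code from the question or the answer: a small evaluator for
# "iptables -S"-style rules that reports which rule decides a packet's fate. RULES mirrors
# the chain order in the question's "iptables -L"; 10.0.0.20 and 192.168.122.10 are assumed.
import ipaddress
import shlex
from dataclasses import dataclass, field

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
FIELDS = {"-i": "in_if", "-o": "out_if", "-p": "proto", "-s": "src", "-d": "dst"}

@dataclass
class Rule:
    text: str
    chain: str
    target: str = ""
    goto: bool = False                          # -g: control never returns to this chain
    preds: list = field(default_factory=list)   # one callable per match option

def packet(**fields):
    """A packet as the filter table sees it; unspecified fields keep these defaults."""
    return {"in_if": "", "out_if": "", "proto": "tcp", "src": "0.0.0.0", "dst": "0.0.0.0", "dport": 0, "ctstate": "NEW", **fields}

def parse_rule(line):
    """Parse one '-A CHAIN ... -j TARGET' line; every supported option takes one argument."""
    toks = shlex.split(line)
    r = Rule(text=line, chain=toks[1])
    for opt, arg in zip(toks[2::2], toks[3::2]):
        if opt in ("-j", "-g"):
            r.target, r.goto = arg, opt == "-g"
        elif opt in ("-s", "-d"):
            net = ipaddress.ip_network(arg, strict=False)
            r.preds.append(lambda p, k=FIELDS[opt], n=net: ipaddress.ip_address(p[k]) in n)
        elif opt in FIELDS:
            r.preds.append(lambda p, k=FIELDS[opt], v=arg: p[k] == v)
        elif opt == "--dport":
            lo, _, hi = arg.partition(":")
            r.preds.append(lambda p, lo=int(lo), hi=int(hi or lo): lo <= p["dport"] <= hi)
        elif opt == "--ctstate":
            r.preds.append(lambda p, states=set(arg.split(",")): p["ctstate"] in states)
        elif opt not in ("-m", "--reject-with"):   # module names and reject type carry no match state
            raise ValueError(f"unsupported option {opt!r} in: {line}")
    return r

class Ruleset:
    def __init__(self, dump):
        self.chains = {}
        for line in dump.strip().splitlines():
            rule = parse_rule(line)
            self.chains.setdefault(rule.chain, []).append(rule)

    def verdict(self, chain, p):
        """Return (verdict, deciding rule); built-in chains are taken to have policy ACCEPT, as in the question."""
        return self._walk(chain, p) or ("ACCEPT", f"policy of {chain}")

    def _walk(self, chain, p):
        for r in self.chains.get(chain, []):
            if not all(f(p) for f in r.preds):
                continue
            if r.target in TERMINAL:
                return r.target, r.text
            if r.target in self.chains:        # user chain; LOG-style targets simply fall through
                hit = self._walk(r.target, p)
                if hit or r.goto:              # after -g, the target's fall-through ends this chain too
                    return hit
        return None

# Constructed ruleset in "iptables -S" form: libvirt's virbr0 rules sit ahead of firewalld's zone chains.
RULES = """
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i wlp3s0 -g IN_FedoraWorkstation
-A IN_FedoraWorkstation -j IN_FedoraWorkstation_allow
-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_IN_ZONES -g FWDI_FedoraWorkstation
-A FWDI_FedoraWorkstation -p icmp -j ACCEPT
"""

def run_scenarios():
    """Verdicts for the situations in the question, as {label: (verdict, deciding rule)}."""
    rs = Ruleset(RULES)
    to_guest = packet(in_if="wlp3s0", out_if="virbr0", src="10.0.0.20", dst="192.168.122.10", dport=80)
    out = {
        "host scanning itself, tcp/80 via lo": rs.verdict("INPUT", packet(in_if="lo", dport=80)),
        "LAN client, tcp/80": rs.verdict("INPUT", packet(in_if="wlp3s0", src="10.0.0.20", dport=80)),
        "LAN client, tcp/22": rs.verdict("INPUT", packet(in_if="wlp3s0", src="10.0.0.20", dport=22)),
        "forward to guest, before the fix": rs.verdict("FORWARD", to_guest),
    }
    # The answer's fix: an explicit ACCEPT inserted ahead of libvirt's "-o virbr0 -j REJECT".
    rs.chains["FORWARD"].insert(0, parse_rule("-A FORWARD -d 192.168.122.10/32 -p tcp -m tcp --dport 80 -j ACCEPT"))
    out["forward to guest, after the fix"] = rs.verdict("FORWARD", to_guest)
    return out
```

Call `run_scenarios()` to get each label with its verdict and the rule that produced it; the local scan is accepted by `-A INPUT -i lo -j ACCEPT`, the LAN client's tcp/80 falls through the zone chains to the final REJECT, and the forwarded connection is rejected by libvirt's rule until the explicit ACCEPT is inserted ahead of it. To check a real system the same way, compare `iptables -S` with `iptables -L -v -n` (the latter shows the interface columns that plain `-L` hides) and test the port from another host rather than from the server itself, since the `lo` rule makes a self-scan meaningless as a firewall test.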