
I have a CentOS 7 KVM host with a single public IPv4, which is housing multiple guest OSes and acting as a firewall / gateway (NAT) for the guest network 192.168.1.0/24.

I want to run a webserver on one of the guests on port 80, so the following firewalld rule is needed:

rule family="ipv4" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.1.3"

Once that is done though, all guests except 192.168.1.3 lose connectivity to the world's port 80 (i.e. when doing yum makecache), except the KVM host, which is unaffected.

The question is: does having this rule override the default connection tracking policies of firewalld, and if so, why isn't the host affected?

Additional info: guests are using KVM routed mode networking; relevant host firewalld config:

external (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0
sources: 
services: ssh
ports: 
protocols: 
masquerade: yes
forward-ports:
source-ports: 
icmp-blocks: 
rich rules: 
   rule family="ipv4" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.1.3"

The following didn't exist before, but virbr0 got picked up by NetworkManager, so I added blind trust until a better strategy is devised:

trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: virbr0
sources: 192.168.1.0/24
services: 
ports: 
protocols: 
masquerade: no
forward-ports: 
source-ports: 
icmp-blocks: 
rich rules: 
J D

1 Answer


Your rich rule is overly broad; it applies to all traffic for port 80, regardless of its source or destination.

To fix the problem, also specify the destination IP address in the rich rule. This is the global IPv4 address on which the traffic is received. For example:

rule family="ipv4" destination address="198.51.100.220" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.1.3"
Michael Hampton
  • The problem got solved when doing it this way, but what's the difference between the 2 rules if I have only 1 global IPv4 address to begin with? – J D Nov 22 '18 at 12:46
  • @JD If you don't match the destination address, then it applies to every connection to port 80 to every address. – Michael Hampton Nov 22 '18 at 12:47
  • But say in this instance, with only 1 global IP on the server, all packets coming from the outside world still have the same destination IP address, i.e. 198.51.100.220, so what did actually change? OSI level 3 flow for a sample non-working guest: a guest with source IP 192.168.1.2 requests a 1.2.3.4:80 resource -> once the KVM host receives the packet heading out through enp2s0, it NATs the source IP to 198.51.100.220. So to me it seems the rich rule change just made the destination address explicit, whereas before it was the same, but implicitly (certainly not true since it wasn't working before!) – J D Nov 22 '18 at 13:06
  • You seem to be confusing _source_ address with _destination_ address. These are different. – Michael Hampton Nov 22 '18 at 13:07
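The following is an added illustration of the answer's point, not code from the thread or from firewalld. It is a simplified model of the forward-port match (protocol, destination port and optional destination address) and deliberately ignores zone dispatch and connection tracking, so it shows why a rule without `destination address` rewrites the guest's own outbound flow from the comments (192.168.1.2 -> 1.2.3.4:80), while the narrowed rule leaves it alone. The visitor address 203.0.113.9 is constructed; the other addresses are the ones used in the thread.

```python
"""Simplified model of a firewalld forward-port rich rule's DNAT match.

Assumption: a forward-port rule is matched on protocol, destination port and,
only when given, destination address; everything else (zones, conntrack,
masquerade) is left out on purpose.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class ForwardPort:
    port: int
    to_addr: str
    to_port: int
    proto: str = "tcp"
    destination: Optional[str] = None  # None models the overly broad rule

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or pkt.dport != self.port:
            return False
        # With no explicit destination the rule matches ANY destination,
        # including Internet hosts the guests are trying to reach.
        return self.destination is None or pkt.dst == self.destination

    def apply(self, pkt: Packet) -> Packet:
        """Return the packet after DNAT, unchanged if the rule does not match."""
        if not self.matches(pkt):
            return pkt
        return Packet(pkt.src, self.to_addr, self.to_port, pkt.proto)


PUBLIC_IP = "198.51.100.220"
BROAD = ForwardPort(80, "192.168.1.3", 80)
NARROW = ForwardPort(80, "192.168.1.3", 80, destination=PUBLIC_IP)

# Constructed sample flows: an inbound visitor and a guest running yum.
INBOUND = Packet("203.0.113.9", PUBLIC_IP, 80)
GUEST_YUM = Packet("192.168.1.2", "1.2.3.4", 80)


def hijacked(rule: ForwardPort, pkt: Packet) -> bool:
    """True if the rule redirects a flow that was not aimed at this host."""
    return pkt.dst != PUBLIC_IP and rule.apply(pkt).dst != pkt.dst


if __name__ == "__main__":
    for name, rule in (("broad", BROAD), ("narrow", NARROW)):
        for pkt in (INBOUND, GUEST_YUM):
            print(f"{name}: {pkt.src} -> {pkt.dst}:{pkt.dport} "
                  f"becomes {rule.apply(pkt).dst} (hijacked={hijacked(rule, pkt)})")
```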