Bug 1445918

Summary: firewalld does not allow port forwarding on localhost
Product: Red Hat Enterprise Linux 7 Reporter: David Biesack <david.biesack>
Component: firewalldAssignee: Eric Garver <egarver>
Status: CLOSED WONTFIX QA Contact: qe-baseos-daemons
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2CC: atragler, egarver, herrold, jscalf, mihai, psztoch, rkhan, sukulkar, todoleza
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-01-23 18:35:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Biesack 2017-04-26 18:52:13 UTC 
Description of problem:

On a new CentOS 7 full ISO install, I found that firewalld a) does not include lo interface and b) does not allow port forwarding on lo (localhost) such as port 80 -> port 8180

Version-Release number of selected component (if applicable):

CentOS Linux release 7.3.1611
I originally reported this against CentOS 7 but was told to report this upstream on bugzilla.redhat.com (I have not reproduced this on RHEL as I don't have a RHEL system to play with)

How reproducible:


Steps to Reproduce:
$ sudo firewall-cmd --get-active-zones
public
  interfaces: em1
$ sudo firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources: 
  services: dhcpv6-client ssh
  ports: 8180/tcp 5900/tcp
  protocols: 
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8180:toaddr=
  sourceports: 
  icmp-blocks: 
  rich rules: 

$ sudo firewall-cmd --zone=trusted --add-interface=lo
$ sudo firewall-cmd --zone=trusted --add-port=80/tcp
$ sudo firewall-cmd --zone=trusted --add-port=8180/tcp
$ sudo firewall-cmd --zone=trusted --add-forward-port=port=80:proto=tcp:toport=8180
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --get-active-zones
public
  interfaces: em1
trusted
  interfaces: lo
$ sudo firewall-cmd --info-zone=trusted
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lo
  sources: 
  services: 
  ports: 80/tcp 8180/tcp
  protocols: 
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8180:toaddr=
  sourceports: 
  icmp-blocks: 
  rich rules: 


Actual results:

From another host accessing http://myhost.mydomain:8180/ works, as does port forwarding via http://myhost.mydomain:8180/ .

From my CentOS desktop, http://localhost:8180/ and http://myhost.mydomain:8180/ both work, but http://myhost.mydomain/ http://localhost/ do not.

Expected results:

From my CentOS desktop, http://myhost.mydomain/ and http://localhost/ should work 


Additional info:
Comment 2 Przemyslaw Sztoch 2017-10-02 12:08:59 UTC 
I have similar problem.

We are using:
-A PREROUTING -d 192.168.18.16/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.18.16:8080
-A PREROUTING -d 192.168.18.16/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.18.16:8443
-A OUTPUT -d 192.168.18.16/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.18.16:8080
-A OUTPUT -d 192.168.18.16/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.18.16:8443
in RHEL 6

But in RHEL 7:
  <forward-port to-port="8080" protocol="tcp" port="80"/>
  <forward-port to-port="8443" protocol="tcp" port="443"/>
generate rules only in PREROUTING chains.

OUTPUT chains are ignored.
Comment 3 R P Herrold 2017-10-02 15:32:06 UTC 
psztoch in Comment #2

it loos as though you are trying a transparent squid redirect

This post on the mailing list may help

https://lists.fedoraproject.org/archives/list/firewalld-users@lists.fedorahosted.org/message/EBNJQXTFQDCGQAW3SJWTRSTXNO42CJOV/

I am still tinkering with it

I also have a desire to intercept all outbound port 25 TCP, as the prior email in that thread indicates
Comment 5 Eric Garver 2017-11-17 13:51:19 UTC 
(In reply to Przemyslaw Sztoch from comment #2)
[...]
> But in RHEL 7:
>   <forward-port to-port="8080" protocol="tcp" port="80"/>
>   <forward-port to-port="8443" protocol="tcp" port="443"/>
> generate rules only in PREROUTING chains.
> 
> OUTPUT chains are ignored.

OUTPUT support is a work-in-progress, see Bug 1492722. However, currently you can use a --direct rule to add rules to the OUTPUT chain. See the firewall-cmd man page.
Comment 6 Eric Garver 2017-11-17 15:09:26 UTC 
firewalld implements forward-ports using the iptables nat PREROUTING chain. This chain is not used for packets sent over the loopback interface as packets over the loopback should not be routed. The nat PREROUTING is used to allow conntrack.

e.g.

# iptables -v -t nat -L
...
Chain PRE_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    8   480 DNAT       tcp  --  any    any     anywhere             anywhere             mark match 0x64 to::8080
...

__Solution__

However, you can get the desired affect with a --direct rule.

  # firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p tcp -o lo --dport 80 -j REDIRECT --to-ports 8080

---->8----

# echo -e "GET index.html HTTP/1.1" | nc localhost 80
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.7.5
Date: Fri, 17 Nov 2017 15:07:39 GMT
Content-type: text/html
Content-Length: 16
Last-Modified: Fri, 17 Nov 2017 15:05:21 GMT

This is a test.
Comment 14 Eric Garver 2018-01-23 18:35:07 UTC 
Closing as WONTFIX. See comment 6 for a simple solution. I don't think adding special rules and adding code complexity to handle the loopback interface is worth it when there is an easy alterative.