Bug 995480

Summary: Can't port-forward to virtual machine with firewall-config.
Product: Fedora
Reporter: Peter Oliver <mavit>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: jpopelka, twoerner
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-04-10 14:02:57 UTC

Description Peter Oliver 2013-08-09 13:47:44 UTC
The command "iptables -S -t filter | grep -- '^-A FORWARD '" produces the following output:

-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

It's my understanding that the rules mentioning virbr0 are added automatically by libvirtd in response to me having a virtual machine with the default NAT networking.  Good so far.

Alas, the virbr0-related REJECT rules appear quite early in this table, making it impossible to influence packets with rules added to the FORWARD_* subtables by the firewall-config tool.

Please consider arranging for firewalld's rules to be processed before libvirtd's REJECT rules.

Comment 1 Peter Oliver 2013-08-09 13:48:26 UTC
For the benefit of anyone having the same problem, I'll mention that as a workaround I have added the following to my /etc/rc.d/local:

( sleep 60; iptables -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable; iptables -D FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable ) &
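The ordering problem from the description and the -A/-D trick from this comment, modelled on rule text as an added example (not code from the report or from firewalld/libvirt). It embeds the quoted "iptables -S" output as a constructed sample, reports whether libvirt's "-o virbr0" REJECT shadows firewalld's FORWARD_IN_ZONES jump, and shows the chain order the workaround produces; the function names are this example's own.

```shell
# Added example: check FORWARD-chain ordering and model the workaround on text,
# so it runs unprivileged and offline. SAMPLE_RULES is the output quoted in the
# report, embedded here as a constructed sample.
SAMPLE_RULES='-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
# first_line_matching ERE: 1-based position (rules on stdin) of the first rule
# matching ERE, or 0 when nothing matches.
first_line_matching() {
    n=$(grep -nE -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}
# check_forward_order RULES: packets port-forwarded to a guest leave via
# "-o virbr0", so libvirt's "-o virbr0 -j REJECT" must come after firewalld's
# FORWARD_IN_ZONES jump or firewall-config rules never see them.
# Returns 0 (OK), 1 (REJECT shadows firewalld) or 2 (a rule was not found).
check_forward_order() {
    rej=$(printf '%s\n' "$1" | first_line_matching '^-A FORWARD -o virbr0 -j REJECT')
    zon=$(printf '%s\n' "$1" | first_line_matching '^-A FORWARD -j FORWARD_IN_ZONES$')
    if [ "$rej" -eq 0 ] || [ "$zon" -eq 0 ]; then echo "UNKNOWN"; return 2; fi
    if [ "$rej" -lt "$zon" ]; then
        echo "SHADOWED: REJECT at rule $rej precedes FORWARD_IN_ZONES at rule $zon"
        return 1
    fi
    echo "OK: FORWARD_IN_ZONES at rule $zon precedes REJECT at rule $rej"
}
# move_rule_to_end RULES RULE: text model of "iptables -A ...; iptables -D ...".
# -A appends a copy and -D deletes the first identical rule, so RULE ends last.
move_rule_to_end() {
    printf '%s\n' "$1" | awk -v r="$2" '!done && $0 == r { done = 1; next } { print }'
    printf '%s\n' "$2"
}
LIBVIRT_REJECT='-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable'
FIXED_RULES=$(move_rule_to_end "$SAMPLE_RULES" "$LIBVIRT_REJECT")
check_forward_order "$SAMPLE_RULES" || true   # shipped order: SHADOWED
check_forward_order "$FIXED_RULES"            # after the workaround: OK
```

On a live host, feed `iptables -S FORWARD` output to check_forward_order instead of the sample; the move_rule_to_end model only rewrites text and changes nothing in the kernel.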

Comment 2 Jiri Popelka 2014-04-10 14:02:57 UTC
Thank you very much, Peter, for the investigation and work-around!

*** This bug has been marked as a duplicate of bug 1079088 ***