Red Hat Bugzilla – Bug 1267615
firewall-config and firewall-cmd fail to create a rule for local port forwards
Last modified: 2016-07-19 14:04:08 EDT
Steps to Reproduce:
The system is Fedora 22 Workstation. The default zone (and the zone for the current network connection) is FedoraWorkstation.
In the zone FedoraWorkstation, create a runtime rule to forward connections to port 8080 to port 80.
$ lynx localhost:80 (will display the default page of httpd)
$ lynx localhost:8080 (Alert!: Unable to connect to remote host.)
View the output of iptables-save. There will be no forwarding rule.
The results are identical if the rule is created permanent and firewalld is reloaded.
The "configuration entry" as viewed in the firewall-config GUI seems to be created equally well by either firewall-config or the firewall-cmd CLI tool; however, the only rule that seems to be generated is:
-A PRE_FedoraWorkstation_allow -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x64/0xffffffff
This appears to be a PREROUTING rule for the current zone which will allow these packets to be processed; however, there is no rule that specifies the target port.
For reference, nf_nat is loaded and setenforce Permissive has been run.
Manually adding this rule (which, as far as I can tell, should work) does not allow access to httpd on port 8080:
iptables -t nat -A PRE_FedoraWorkstation_allow -p tcp --dport 8080 -j REDIRECT --to-port 80
After testing a new installation I discovered this issue only exists to the extent that a local redirected port connection cannot be established from a host to itself. (Though I didn't try binding to loopback and connecting to eth0, for instance.)
From other hosts, including a guest on a bridged interface, the local port redirection works as expected.
This caveat/limitation might deserve mention in documentation.
It should also be possible to circumvent this limitation in the future, but this will need more verification.
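The limitation described above has a concrete cause in netfilter: connections a host makes to itself are locally generated packets, which traverse the nat OUTPUT chain, never nat PREROUTING, so a REDIRECT that is only reachable from PREROUTING serves remote clients but not lynx on the same machine. The following POSIX shell script is an added example, not code from this bug report or from firewalld; it parses iptables-save output and reports whether a REDIRECT/DNAT for a given port is reachable from nat PREROUTING (remote clients) and from nat OUTPUT (local connections). The embedded iptables-save text is a constructed, simplified sample that reuses the chain name and the MARK rule from the report; the nat-table layout in it is an assumption, not real firewalld output.

```shell
#!/bin/sh
# Added example (not from the bug report or firewalld): check whether a port
# forward in the nat table covers remote clients (reachable from PREROUTING)
# and the host's own connections (reachable from OUTPUT, which locally
# generated packets traverse instead of PREROUTING).

# Constructed sample of iptables-save output, simplified; the nat layout is
# an assumption, only the mangle MARK rule and chain name come from the report.
SAMPLE_PREROUTING_ONLY='*mangle
:PREROUTING ACCEPT [0:0]
:PRE_FedoraWorkstation_allow - [0:0]
-A PREROUTING -j PRE_FedoraWorkstation_allow
-A PRE_FedoraWorkstation_allow -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x64/0xffffffff
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PRE_FedoraWorkstation_allow - [0:0]
-A PREROUTING -j PRE_FedoraWorkstation_allow
-A PRE_FedoraWorkstation_allow -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT'

# Same sample plus a constructed nat OUTPUT rule for loopback traffic, which is
# what locally originated connections to port 8080 would need.
SAMPLE_WITH_OUTPUT="$SAMPLE_PREROUTING_ONLY
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT"

# nat_table TEXT: print only the chain declarations and rules of the nat table.
nat_table() {
  printf '%s\n' "$1" | awk '
    /^\*/ { t = substr($1, 2); next }
    t == "nat" && ($1 ~ /^:/ || $1 == "-A") { print }'
}

# reachable_chains BASE NAT_TEXT: print BASE and every user chain reachable
# from it through -j / -g jumps (built-in targets such as REDIRECT are skipped).
reachable_chains() {
  base=$1; text=$2
  seen=$base; todo=$base
  while [ -n "$todo" ]; do
    next=""
    for c in $todo; do
      for j in $(printf '%s\n' "$text" | awk -v c="$c" '
          $1 ~ /^:/ { chains[substr($1, 2)] = 1; next }
          $1 == "-A" && $2 == c {
            for (i = 3; i <= NF; i++)
              if (($i == "-j" || $i == "-g") && ($(i+1) in chains)) print $(i+1)
          }'); do
        case " $seen " in
          *" $j "*) ;;
          *) seen="$seen $j"; next="$next $j" ;;
        esac
      done
    done
    todo=$next
  done
  echo "$seen"
}

# has_redirect BASE DPORT NAT_TEXT: succeed if a REDIRECT or DNAT rule matching
# --dport DPORT sits in any chain reachable from BASE.
has_redirect() {
  base=$1; dport=$2; text=$3
  for c in $(reachable_chains "$base" "$text"); do
    if printf '%s\n' "$text" | awk -v c="$c" -v p="$dport" '
        $1 == "-A" && $2 == c {
          hit = 0; tgt = ""
          for (i = 3; i <= NF; i++) {
            if ($i == "--dport" && $(i+1) == p) hit = 1
            if ($i == "-j") tgt = $(i+1)
          }
          if (hit && (tgt == "REDIRECT" || tgt == "DNAT")) found = 1
        }
        END { exit (found ? 0 : 1) }'; then
      return 0
    fi
  done
  return 1
}

# check_forward DPORT SAVE_TEXT: print "remote=yes|no local=yes|no".
check_forward() {
  dport=$1; nat=$(nat_table "$2")
  if has_redirect PREROUTING "$dport" "$nat"; then r=yes; else r=no; fi
  if has_redirect OUTPUT "$dport" "$nat"; then l=yes; else l=no; fi
  printf 'remote=%s local=%s\n' "$r" "$l"
}

# Demo against the constructed samples; on a live system run as root:
#   check_forward 8080 "$(iptables-save)"
check_forward 8080 "$SAMPLE_PREROUTING_ONLY"
check_forward 8080 "$SAMPLE_WITH_OUTPUT"
```

A result of `remote=yes local=no` matches the symptom in the report: the forward is visible to other hosts while a connection from the host to itself never reaches the REDIRECT rule.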
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this

Thank you for reporting this bug and we are sorry it could not be fixed.