Bug 1445918 - firewalld does not allow port forwarding on localhost
Summary: firewalld does not allow port forwarding on localhost
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Eric Garver
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-04-26 18:52 UTC by David Biesack
Modified: 2023-01-23 17:48 UTC
CC: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-23 18:35:07 UTC
Target Upstream Version:
Embargoed:


Attachments


Links
System   ID     Private  Priority  Status  Summary  Last Updated
CentOS   13181  0        None      None    None     2017-04-26 18:52:12 UTC

Description David Biesack 2017-04-26 18:52:13 UTC
Description of problem:

On a new CentOS 7 full ISO install, I found that firewalld a) does not include the lo interface and b) does not allow port forwarding on lo (localhost) such as port 80 -> port 8180

Version-Release number of selected component (if applicable):

CentOS Linux release 7.3.1611
I originally reported this against CentOS 7 but was told to report this upstream on bugzilla.redhat.com (I have not reproduced this on RHEL as I don't have a RHEL system to play with)

How reproducible:


Steps to Reproduce:
$ sudo firewall-cmd --get-active-zones
public
  interfaces: em1
$ sudo firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources: 
  services: dhcpv6-client ssh
  ports: 8180/tcp 5900/tcp
  protocols: 
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8180:toaddr=
  sourceports: 
  icmp-blocks: 
  rich rules: 

$ sudo firewall-cmd --zone=trusted --add-interface=lo
$ sudo firewall-cmd --zone=trusted --add-port=80/tcp
$ sudo firewall-cmd --zone=trusted --add-port=8180/tcp
$ sudo firewall-cmd --zone=trusted --add-forward-port=port=80:proto=tcp:toport=8180
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --get-active-zones
public
  interfaces: em1
trusted
  interfaces: lo
$ sudo firewall-cmd --info-zone=trusted
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lo
  sources: 
  services: 
  ports: 80/tcp 8180/tcp
  protocols: 
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8180:toaddr=
  sourceports: 
  icmp-blocks: 
  rich rules: 


Actual results:

From another host accessing http://myhost.mydomain:8180/ works, as does port forwarding via http://myhost.mydomain:8180/.

From my CentOS desktop, http://localhost:8180/ and http://myhost.mydomain:8180/ both work, but http://myhost.mydomain/ http://localhost/ do not.

Expected results:

From my CentOS desktop, http://myhost.mydomain/ and http://localhost/ should work 


Additional info:

Comment 2 Przemyslaw Sztoch 2017-10-02 12:08:59 UTC
I have similar problem.

We are using:
-A PREROUTING -d 192.168.18.16/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.18.16:8080
-A PREROUTING -d 192.168.18.16/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.18.16:8443
-A OUTPUT -d 192.168.18.16/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.18.16:8080
-A OUTPUT -d 192.168.18.16/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.18.16:8443
in RHEL 6

But in RHEL 7:
  <forward-port to-port="8080" protocol="tcp" port="80"/>
  <forward-port to-port="8443" protocol="tcp" port="443"/>
generate rules only in PREROUTING chains.

OUTPUT chains are ignored.

Comment 3 R P Herrold 2017-10-02 15:32:06 UTC
psztoch in Comment #2

it looks as though you are trying a transparent squid redirect

This post on the mailing list may help

https://lists.fedoraproject.org/archives/list/firewalld-users@lists.fedorahosted.org/message/EBNJQXTFQDCGQAW3SJWTRSTXNO42CJOV/

I am still tinkering with it

I also have a desire to intercept all outbound port 25 TCP, as the prior email in that thread indicates

Comment 5 Eric Garver 2017-11-17 13:51:19 UTC
(In reply to Przemyslaw Sztoch from comment #2)
[...]
> But in RHEL 7:
>   <forward-port to-port="8080" protocol="tcp" port="80"/>
>   <forward-port to-port="8443" protocol="tcp" port="443"/>
> generate rules only in PREROUTING chains.
> 
> OUTPUT chains are ignored.

OUTPUT support is a work-in-progress, see Bug 1492722. However, currently you can use a --direct rule to add rules to the OUTPUT chain. See the firewall-cmd man page.

Comment 6 Eric Garver 2017-11-17 15:09:26 UTC
firewalld implements forward-ports using the iptables nat PREROUTING chain. This chain is not used for packets sent over the loopback interface as packets over the loopback should not be routed. The nat PREROUTING is used to allow conntrack.

e.g.

# iptables -v -t nat -L
...
Chain PRE_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    8   480 DNAT       tcp  --  any    any     anywhere             anywhere             mark match 0x64 to::8080
...

__Solution__

However, you can get the desired effect with a --direct rule.

  # firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p tcp -o lo --dport 80 -j REDIRECT --to-ports 8080

---->8----

# echo -e "GET index.html HTTP/1.1" | nc localhost 80
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.7.5
Date: Fri, 17 Nov 2017 15:07:39 GMT
Content-type: text/html
Content-Length: 16
Last-Modified: Fri, 17 Nov 2017 15:05:21 GMT

This is a test.
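
Added example (editorial; not part of the bug report and not firewalld's own code). It ties comment 2's RHEL 6 OUTPUT DNAT and comment 6's --direct REDIRECT together: a helper that prints the firewall-cmd calls for one port mapping, covering both the PREROUTING path (remote clients) and the OUTPUT path (the host talking to itself), and an audit that reads "iptables -t nat -S" and reports whether a loopback redirect is in place and whether it is confined to "-o lo". That match is the part worth checking: locally generated packets to any local address (127.0.0.1 or one of the host's own addresses) leave via lo, so "-o lo" scopes the rule to exactly the traffic that never reaches PREROUTING; drop it and every outbound connection the host makes to tcp/80, to any destination, is redirected into the local service. Assumptions not stated on the page: firewalld on the iptables backend (as on RHEL 7), IPv4 only, direct rules landing in firewalld's OUTPUT_direct chain, and the function names and sample rule dumps are mine (the dumps are constructed, not captured).

```sh
#!/bin/sh
# Added example, not code from the bug report or from firewalld itself.
# Assumes firewalld on the iptables backend (RHEL 7), IPv4 only. The
# function names are mine; the "iptables -t nat -S" excerpts are constructed.

# Emit the firewall-cmd calls that make tcp/$1 reach tcp/$2 for remote
# clients (zone forward-port, installed in nat PREROUTING) and for the host
# itself (--direct rule, installed in firewalld's nat OUTPUT_direct chain).
# Commands are printed, not run, so they can be reviewed; pipe to sh to apply.
fwd_port_cmds() {
  from=$1; to=$2; zone=${3:-public}
  cat <<EOF
firewall-cmd --permanent --zone=$zone --add-port=$to/tcp
firewall-cmd --permanent --zone=$zone --add-forward-port=port=$from:proto=tcp:toport=$to
firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -o lo -p tcp --dport $from -j REDIRECT --to-ports $to
firewall-cmd --reload
EOF
}

# Audit the live table: feed "iptables -t nat -S" on stdin, public port in $1.
# Locally generated packets never traverse PREROUTING, so only a REDIRECT or
# DNAT in OUTPUT (or OUTPUT_direct) makes localhost forwarding work.
#   returns 0  redirect present and confined to loopback (-o lo)
#   returns 1  no OUTPUT redirect for the port: http://localhost:$1/ won't forward
#   returns 2  redirect present but NOT confined to lo: every outbound
#              connection from this host to tcp/$1, whatever the destination,
#              is hijacked into the local service
audit_output_redirect() {
  port=$1
  rule=$(grep -E "^-A OUTPUT(_direct)? .*--dport $port( |$).*-j (REDIRECT|DNAT)" || true)
  [ -n "$rule" ] || return 1
  # any matching rule that lacks an -o lo match is the dangerous, unscoped form
  if printf '%s\n' "$rule" | grep -v -E -- '(^| )-o lo( |$)' | grep -q .; then
    return 2
  fi
  return 0
}

# Constructed "iptables -t nat -S" excerpts for the three outcomes above.
NAT_SCOPED='-P OUTPUT ACCEPT
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
-A PRE_public_allow -p tcp -m tcp --dport 80 -m mark --mark 0x64 -j DNAT --to-destination :8080
-A OUTPUT_direct -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'
NAT_UNSCOPED='-A OUTPUT -j OUTPUT_direct
-A OUTPUT_direct -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'
NAT_MISSING='-A PREROUTING -j PREROUTING_direct
-A PRE_public_allow -p tcp -m tcp --dport 80 -m mark --mark 0x64 -j DNAT --to-destination :8080'

# Demo: the commands for 80 -> 8080, then the audit verdict for each dump.
fwd_port_cmds 80 8080
for dump in "$NAT_SCOPED" "$NAT_UNSCOPED" "$NAT_MISSING"; do
  rc=0
  printf '%s\n' "$dump" | audit_output_redirect 80 || rc=$?
  echo "audit exit: $rc"
done
```

To check a live host, source the file and run "iptables -t nat -S | audit_output_redirect 80". A direct rule reported as exit 2 should be removed with "firewall-cmd --permanent --direct --remove-rule" using the same table, chain, priority and arguments it was added with, then re-added with "-o lo". The audit accepts DNAT as well as REDIRECT, so comment 2's RHEL 6 style OUTPUT DNAT rules are recognised too, and they are held to the same "-o lo" check.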

Comment 14 Eric Garver 2018-01-23 18:35:07 UTC
Closing as WONTFIX. See comment 6 for a simple solution. I don't think adding special rules and adding code complexity to handle the loopback interface is worth it when there is an easy alternative.

