Bug 995480 - Can't port-forward to virtual machine with firewall-config.
Status: CLOSED DUPLICATE of bug 1079088
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 19
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-08-09 09:47 EDT by Peter Oliver
Modified: 2014-04-10 10:02 EDT (History)

Doc Type: Bug Fix
Last Closed: 2014-04-10 10:02:57 EDT
Type: Bug
Description Peter Oliver 2013-08-09 09:47:44 EDT
The command "iptables -S -t filter | grep -- '^-A FORWARD '" produces the following output:

-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

It's my understanding that the rules mentioning virbr0 are added automatically by libvirtd in response to me having a virtual machine with the default NAT networking.  Good so far.

Alas, the virbr0-related REJECT rules appear quite early in this table, making it impossible to influence packets with rules added to the FORWARD_* subtables by the firewall-config tool.

Please consider arranging for firewalld's rules to be processed before libvirtd's REJECT rules.
Comment 1 Peter Oliver 2013-08-09 09:48:26 EDT
For the benefit of anyone having the same problem, I'll mention that as a workaround I have added the following to my /etc/rc.d/local:

( sleep 60
  iptables -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable  # append a copy after firewalld's chains
  iptables -D FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable  # then delete the original (-D removes the first match)
) &
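The following is an added example, not code from the bug report or from firewalld/libvirt. It takes the ordering problem from the description (libvirt's virbr0 REJECT rules sit above every FORWARD_* jump, so nothing firewall-config adds can accept forwarded traffic) and generalises the one-rule workaround from comment 1: it reads a dump of the FORWARD chain, lists every REJECT rule on a virbr* interface that precedes the first jump into a firewalld chain, and prints the append-then-delete commands that move each one to the end of the chain. The sample input is the chain as dumped in the description; the function names and the "virbr[0-9]+" interface pattern are assumptions of this example.

```sh
#!/bin/sh
# Added example (not part of the bug report): detect libvirt REJECT rules that precede
# firewalld's FORWARD_* chains and emit the iptables commands that move them below.

# Constructed sample input: the FORWARD chain exactly as the report dumped it with
#   iptables -S -t filter | grep -- '^-A FORWARD '
SAMPLE_FORWARD='-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Read a FORWARD dump on stdin. Print the rule spec (everything after "-A FORWARD ") of
# every REJECT rule on a virbr* interface that appears BEFORE the first jump into a
# firewalld chain (FORWARD_direct, FORWARD_IN_ZONES*, FORWARD_OUT_ZONES*).
# Prints nothing when the order is already fine.
misplaced_libvirt_rejects() {
    awk '
        /^-A FORWARD -j FORWARD_(direct|IN_ZONES|OUT_ZONES)/ { seen_fw = 1 }
        !seen_fw && /^-A FORWARD / && /-[io] virbr[0-9]+ / && /-j REJECT/ {
            sub(/^-A FORWARD /, ""); print
        }'
}

# For each misplaced rule, print the two commands that relocate it: append a copy at the
# end of FORWARD first, then delete the original. "iptables -D" removes the first rule
# matching the spec, which is the original near the top, so the appended copy survives.
reorder_commands() {
    misplaced_libvirt_rejects | while IFS= read -r spec; do
        printf 'iptables -A FORWARD %s\n' "$spec"
        printf 'iptables -D FORWARD %s\n' "$spec"
    done
}

# Exit 0 when no libvirt REJECT rule precedes firewalld's chains, 1 otherwise.
forward_order_ok() {
    [ -z "$(misplaced_libvirt_rejects)" ]
}

# Stand-alone run against the constructed sample. On a live host, as root:
#   iptables -S FORWARD | reorder_commands        (review, then pipe into sh)
printf '%s\n' "$SAMPLE_FORWARD" | reorder_commands
```

Two practical notes. libvirtd reinstalls its rules whenever the virtual network is (re)started, so the reorder has to be reapplied afterwards, which is why the rc.local workaround above waits before running. And the relocation does not widen what is forwarded: after the move, traffic to or from virbr0 that none of firewalld's FORWARD_* chains accept still hits firewalld's own final REJECT, so only the forward-ports and rich rules you configure in firewall-config reach the guest.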
Comment 2 Jiri Popelka 2014-04-10 10:02:57 EDT
Thank you very much, Peter, for the investigation and work-around!

*** This bug has been marked as a duplicate of bug 1079088 ***
