Strange Behavior Of Firewalld And Port-forwarding


Hi,

Firewalld and I haven't had a good start, but I hope we'll be good friends.

One of my hosts must reroute traffic from one host to another. It isn't a big problem.

I have a host which must do:

1) forward port 25 tcp to a second host. Here I have a special mail relay. My external.xml looks like this:


External
For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.




Everything works as expected; incoming traffic on port 25 is forwarded to
10.0.0.87 port 25.

2) traffic from 80.80.80.80 with destination port 25 should be forwarded to port 22 tcp on 10.0.0.17 and not to 10.0.0.87 on port 25.

So I made a new rule with:
firewall-cmd --zone=external --add-rich-rule='rule forward-port port="25" to-port="22" to-addr="10.0.0.17" protocol="tcp" family="ipv4" source address="80.80.80.80"'

If I try to connect from host 80.80.80.80 to my system with:
"telnet 10.0.0.17 25"
I can connect to the final host 10.0.0.17 on port 22 and OpenSSH greets me with "SSH-2.0-OpenSSH_6.6.1". It works as I expected.

To make my new firewall rule permanent I use:
"firewall-cmd --runtime-to-permanent"
and the zone file now has this content:


External
For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.






O.K., that isn't a miracle. BUT everything works right until I restart the server or reload firewalld with:
"firewall-cmd --reload"

Now I can't access my host 10.0.0.17 via SSH over my transit host! I reach the destination host 10.0.0.87 on port 25. It looks like my rich rule wasn't defined. :/

Any idea how to make it reboot-safe?

Thanks for your help

ttyl, Django
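Added example (not code from the post or from firewalld): a small script that parses a firewalld zone file, confirms that the rich forward-port rule is actually present in the permanent configuration, renders it back into the rich-language text that firewall-cmd --query-rich-rule (with and without --permanent) expects, and flags rich forwards that overlap with a zone-wide forward-port on the same port, which is the situation in the post. The zone XML below is constructed from the two forwards described above and laid out per firewalld.zone(5); the <masquerade/> element is an assumption (forwarding to a different host needs masquerading on the zone); the rendered rule text follows the element order in firewalld.richlanguage(5) (family, source, forward-port) rather than the order typed in the post; the function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample of /etc/firewalld/zones/external.xml, built from the two
# forwards described in the post and laid out the way firewalld writes zone
# files (firewalld.zone(5)). <masquerade/> is an assumption: forwarding to a
# different host needs masquerading enabled on the zone.
EXTERNAL_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks.</description>
  <masquerade/>
  <forward-port port="25" protocol="tcp" to-port="25" to-addr="10.0.0.87"/>
  <rule family="ipv4">
    <source address="80.80.80.80"/>
    <forward-port port="25" protocol="tcp" to-port="22" to-addr="10.0.0.17"/>
  </rule>
</zone>
"""


def parse_zone(xml_text):
    """Return (plain_forwards, rich_forwards) from a firewalld zone file.

    plain_forwards: attribute dicts of the top-level <forward-port> elements.
    rich_forwards:  one dict per <rule> that carries a <forward-port>, with
                    the rule's family and source address folded in.
    """
    root = ET.fromstring(xml_text)
    plain = [dict(fp.attrib) for fp in root.findall("forward-port")]
    rich = []
    for rule in root.findall("rule"):
        fp = rule.find("forward-port")
        if fp is None:
            continue
        src = rule.find("source")
        entry = dict(fp.attrib)
        entry["family"] = rule.get("family")
        entry["source"] = src.get("address") if src is not None else None
        rich.append(entry)
    return plain, rich


def rich_rule_string(entry):
    """Render a parsed rich forward as rich-language text (family, source,
    forward-port, in the firewalld.richlanguage(5) order) so it can be fed to
    firewall-cmd --query-rich-rule for both the runtime and the permanent
    configuration."""
    parts = ["rule"]
    if entry.get("family"):
        parts.append('family="%s"' % entry["family"])
    if entry.get("source"):
        parts.append('source address="%s"' % entry["source"])
    parts.append(
        'forward-port port="%s" protocol="%s" to-port="%s" to-addr="%s"'
        % (entry["port"], entry["protocol"], entry["to-port"], entry["to-addr"])
    )
    return " ".join(parts)


def is_persisted(xml_text, source, port, protocol, to_addr, to_port):
    """True if the zone file contains a rich forward-port matching every
    field: the check to run against the saved zone file after
    --runtime-to-permanent and again after --reload."""
    _, rich = parse_zone(xml_text)
    return any(
        r["source"] == source and r["port"] == port and r["protocol"] == protocol
        and r["to-addr"] == to_addr and r["to-port"] == to_port
        for r in rich
    )


def shadowed_by_plain_forward(xml_text):
    """Return rich forwards whose port/protocol is also covered by a zone-wide
    <forward-port>. Both rules match the same packet, so the order in which
    firewalld installs them decides which one wins; these are the rules to
    look at when the rich rule is saved but stops taking effect."""
    plain, rich = parse_zone(xml_text)
    plain_keys = {(p["port"], p["protocol"]) for p in plain}
    return [r for r in rich if (r["port"], r["protocol"]) in plain_keys]


if __name__ == "__main__":
    for r in shadowed_by_plain_forward(EXTERNAL_XML):
        rule = rich_rule_string(r)
        print("rich forward overlaps a zone forward-port; verify both configs with:")
        print("  firewall-cmd --zone=external --query-rich-rule '%s'" % rule)
        print("  firewall-cmd --permanent --zone=external --query-rich-rule '%s'" % rule)
```

Run it against the real file (replace EXTERNAL_XML with the contents of /etc/firewalld/zones/external.xml) before and after --reload: if is_persisted() is true both times but the SSH forward still stops working, the rule did survive and the problem is the overlap with the zone-wide port 25 forward rather than a lost rule.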