FirewallD configuration in CentOS 7 : SSH fails

Support for security such as Firewalls and securing linux
Navin
Posts: 13
Joined: 2010/01/21 06:29:52

FirewallD configuration in CentOS 7 : SSH fails

Post by Navin » 2014/11/13 07:53:07

Hi,
I have a query regarding the firewall configuration in CentOS 7.
Below is the topology of my firewall setup. I am using firewalld to configure the firewall, which is
the default in CentOS 7.

All virtual machines (VMs) and the host are running CentOS 7. The VMs are created using KVM.

When SSH is done from VM4 to VM5 I get the below output:
[root@localhost ~]# ssh root@192.168.100.150
ssh: connect to host 192.168.100.150 port 22: No route to host

I am unable to SSH from the 10.0.0.234/24 (VM4) network to the 192.168.100.150/24 (VM5) machine.
Ping from the same succeeds, confirming that network connectivity exists.

Below are the details of my setup:
Created 3 networks in routed mode on the host machine:
10.0.0.0/24, 192.168.100.0/24, 192.168.10.0/24

The firewall is a VM with 3 interfaces. All the interfaces in the firewall are in the public zone.
Configurations in Firewall:

ens8 : 192.168.100.169 : attached to 192.168.100.0/24 network
ens9 : 10.0.0.234 : attached to 10.0.0.0/24 network
ens10 : 192.168.10.134 : attached to 192.168.10.0/24

[root@localhost ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:4d:1d:cd brd ff:ff:ff:ff:ff:ff
inet 192.168.100.169/24 brd 192.168.100.255 scope global dynamic ens8
valid_lft 3185sec preferred_lft 3185sec
inet6 fe80::5054:ff:fe4d:1dcd/64 scope link
valid_lft forever preferred_lft forever
3: ens9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:91:41:4b brd ff:ff:ff:ff:ff:ff
inet 10.0.0.220/24 brd 10.0.0.255 scope global dynamic ens9
valid_lft 3122sec preferred_lft 3122sec
inet6 fe80::5054:ff:fe91:414b/64 scope link
valid_lft forever preferred_lft forever
4: ens10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:c5:2e:ab brd ff:ff:ff:ff:ff:ff
inet 192.168.10.134/24 brd 192.168.10.255 scope global dynamic ens10
valid_lft 3321sec preferred_lft 3321sec
inet6 fe80::5054:ff:fec5:2eab/64 scope link
valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:c0:98:82 brd ff:ff:ff:ff:ff:ff


# echo 1 > /proc/sys/net/ipv4/ip_forward ( To enable IPv4 routing)

[root@localhost ~]# ip route show
default via 192.168.10.1 dev ens10 proto static metric 1024
10.0.0.0/24 dev ens9 proto kernel scope link src 10.0.0.220
192.168.10.0/24 dev ens10 proto kernel scope link src 192.168.10.134
192.168.100.0/24 dev ens8 proto kernel scope link src 192.168.100.169


[root@localhost ~]# firewall-cmd --zone=public --list-all
public (default, active)
interfaces: ens10 ens8 ens9
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
Created 2 more virtual machines: VM5, VM4
Configurations at VM5:

Disabled firewall
#firewall-cmd --state
not running

VM5 has an interface eth0 : 192.168.100.150/24

[root@localhost ~]# ip route show
10.0.0.0/24 via 192.168.100.169 dev eth0
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.150
Configurations at VM4:

Disabled firewall
#firewall-cmd --state
not running

eth0 : 10.0.0.234/24

[root@localhost ~]# ip route show
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.234
192.168.100.0/24 via 10.0.0.220 dev eth0
Query 1:
------
When SSH is done from VM4 to VM5 I get the below output:

[root@localhost ~]# ssh root@192.168.100.150
ssh: connect to host 192.168.100.150 port 22: No route to host


Did some troubleshooting to dig up some details.
Ran a packet capture on the ens9 interface of the Firewall.
Found that the firewall is blocking the SSH from going through. The "admin prohibited" phrase in the output
reflects the blocking. I also stopped firewalld in the Firewall VM; now SSH succeeds, indeed confirming
it is the firewall which is blocking.

[root@localhost ~]# tcpdump -ni ens9
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens9, link-type EN10MB (Ethernet), capture size 65535 bytes
12:40:53.761728 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e0:9e:fa.8002, length 43
12:40:55.761641 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e0:9e:fa.8002, length 43
12:40:57.761621 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e0:9e:fa.8002, length 43
12:40:59.761614 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e0:9e:fa.8002, length 43
12:41:01.761949 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e0:9e:fa.8002, length 43
12:41:03.761567 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e0:9e:fa.8002, length 43
12:41:05.761645 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e0:9e:fa.8002, length 43
12:41:07.761593 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e0:9e:fa.8002, length 43
12:41:09.761718 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e0:9e:fa.8002, length 43
12:41:10.815317 IP 10.0.0.234.51372 > 192.168.100.150.ssh: Flags [S], seq 2594559313, win 14600, options [mss 1460,sackOK,TS val 3712488 ecr 0,nop,wscale 7], length 0
12:41:10.815399 IP 10.0.0.220 > 10.0.0.234: ICMP host 192.168.100.150 unreachable - admin prohibited, length 68


Noted that the SSH service is enabled in the Firewall VM.

At Firewall VM:
[root@localhost ~]# firewall-cmd --zone=public --list-all
public (default, active)
interfaces: ens10 ens8 ens9
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:



Now, did an SSH from VM4 to the Firewall VM's 192.168.100.169 interface. This succeeds. When I disable the SSH service
in the Firewall VM, the SSH to the Firewall VM also fails.

I added a direct rule in the Firewall VM:

#firewall-cmd --direct --add-rule ipv4 filter FWDO_public_allow 0 -m tcp -p tcp --dport 22 -j ACCEPT


After this rule, the SSH from VM4 to VM5 succeeds.


Query 1:
---------
Why does SSH get blocked by the firewall VM even though it should be allowed as per the configuration?


Query 2:
---------
Is the SSH service configured in the Firewall VM there to allow traffic to the firewall itself, or to protect SSH traffic for other networks (in my case the 192.168.100.0/24 network)?


Query 3:
---------
Is there any better way to configure the firewall without using direct rules? I assume the direct rules interface is for applications wanting to add firewall rules. Also, direct rules are not permanent.
Tried adding rich rules in the Firewall VM to allow SSH traffic, but SSH did not succeed.

Looking forward to your opinions on solving the issue.

thanks.

- navin

Navin

Re: FirewallD configuration in CentOS 7 : SSH fails

Post by Navin » 2014/11/13 08:05:42

Sorry, a typo in the IP configuration at the Firewall VM: the IP address of ens9 is 10.0.0.220/24. This is also shown in the ip addr show output.
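An added worked example for Query 1 and Query 2 above; it is not part of the thread and not the poster's own commands. On CentOS 7, firewalld turns a zone's services, ports and rich accept rules into the IN_<zone>_* chains that hang off INPUT, i.e. traffic addressed to the firewall host itself. Routed packets are evaluated in FORWARD through FWDI_<zone>_* and FWDO_<zone>_*, which stay empty unless masquerade, forward-ports or direct rules fill them, and FORWARD ends in a REJECT with icmp-host-prohibited, which is the "admin prohibited" ICMP in the tcpdump above. The script models that on a constructed, abridged iptables -S dump (written by hand, not captured from the poster's machine), scopes the direct rule to the one flow that should pass, and adds a check for direct rules that exist only at runtime. Interface names, addresses and the FWDO_public_allow chain are taken from the post; everything else is assumed.

```shell
#!/bin/bash
# Added example, not code from the thread.  Models on a constructed rule dump
# why firewalld on CentOS 7 rejects routed SSH although the "ssh" service is
# enabled, and gives two checks to run on the firewall VM.  Interface names,
# addresses and the FWDO_public_allow chain come from the post; the dump is
# abridged and written by hand to mirror the chain layout firewalld 0.3.x
# builds (IN_* chains hang off INPUT, FWDI_*/FWDO_* off FORWARD).
set -u

# Constructed `iptables -S` excerpt: ens8/ens9 in zone public, service ssh
# enabled.  A real dump has more chains (direct, zone sources, ens10, logging).
RULES_BEFORE=$(cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i ens8 -j IN_public
-A INPUT_ZONES -i ens9 -j IN_public
-A FORWARD_IN_ZONES -i ens8 -j FWDI_public
-A FORWARD_IN_ZONES -i ens9 -j FWDI_public
-A FORWARD_OUT_ZONES -o ens8 -j FWDO_public
-A FORWARD_OUT_ZONES -o ens9 -j FWDO_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
EOF
)

# Same dump after the post's runtime direct rule was added.
RULES_AFTER="$RULES_BEFORE
-A FWDO_public_allow -p tcp -m tcp --dport 22 -j ACCEPT"

# Chains in dump $1 that ACCEPT TCP to port 22.  A zone service only ever
# lands in IN_<zone>_allow, i.e. traffic addressed to the firewall itself.
chains_accepting_ssh() {
    printf '%s\n' "$1" \
      | awk '$1 == "-A" && /-p tcp/ && /--dport 22( |$)/ && /-j ACCEPT/ { print $2 }' \
      | sort -u | paste -sd ' '
}

# Target of the last rule in built-in chain $2 of dump $1: the verdict a
# packet gets when no zone chain accepted it.  REJECT with
# icmp-host-prohibited is the "admin prohibited" ICMP seen in the tcpdump.
chain_fallthrough() {
    printf '%s\n' "$1" | awk -v c="$2" \
      '$1 == "-A" && $2 == c { for (i = 3; i <= NF; i++) if ($i == "-j") t = $(i + 1) } END { print t }'
}

# Direct rules for routed SSH, scoped to the one flow that should pass
# (inside interface -> one DMZ host) instead of "tcp/22 from anywhere to
# anywhere".  Prints the runtime command and the permanent copy.
ssh_forward_rule_cmds() {   # $1 inside ifname, $2 outside ifname, $3 dst host
    local rule="ipv4 filter FWDO_public_allow 0 -i $1 -o $2 -d $3 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    printf 'firewall-cmd --direct --add-rule %s\n' "$rule"
    printf 'firewall-cmd --permanent --direct --add-rule %s\n' "$rule"
}

# Lines of $1 (firewall-cmd --direct --get-all-rules) missing from $2
# (firewall-cmd --permanent --direct --get-all-rules).  Anything printed
# disappears on `firewall-cmd --reload` or reboot.
runtime_only_direct_rules() {
    local perm
    perm=$(mktemp) || return 1
    printf '%s\n' "$2" | sed '/^$/d' > "$perm"
    printf '%s\n' "$1" | grep -vxF -f "$perm" || true
    rm -f "$perm"
}

# Worked run on the constructed data.
echo "ssh service accepted in: $(chains_accepting_ssh "$RULES_BEFORE")"
echo "FORWARD fallthrough:     $(chain_fallthrough "$RULES_BEFORE" FORWARD)"
echo "after the direct rule:   $(chains_accepting_ssh "$RULES_AFTER")"
ssh_forward_rule_cmds ens9 ens8 192.168.100.150
RUNTIME_DIRECT='ipv4 filter FWDO_public_allow 0 -m tcp -p tcp --dport 22 -j ACCEPT'
PERMANENT_DIRECT=''
echo "runtime-only direct rules:"
runtime_only_direct_rules "$RUNTIME_DIRECT" "$PERMANENT_DIRECT"
```

On the real firewall VM, feed `iptables -S` and the two `--get-all-rules` outputs into these functions instead of the constructed strings. The permanent copy of a direct rule is what survives a reload; on the early CentOS 7 firewalld builds the permanent direct rules live in /etc/firewalld/direct.xml, and `firewall-cmd --permanent --direct` is the CLI front-end for that file where the installed version supports it (assumed here). Two caveats: the `-i`/`-o`/`-d` scoping matters, since an unscoped tcp/22 ACCEPT in FWDO_public_allow lets any attached network reach port 22 on any other; and placing a source or interface in the trusted zone instead would accept everything that source sends to the firewall host itself, not only routed traffic.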

aks
Posts: 2910
Joined: 2014/09/20 11:22:14

Re: FirewallD configuration in CentOS 7 : SSH fails

Post by aks » 2014/11/13 17:03:48

#firewall-cmd --direct --add-rule ipv4 filter FWDO_public_allow 0 -m tcp -p tcp --dport 22 -j ACCEPT
Is that not the forward chain? Now why would you need to forward SSH to have SSH connectivity? My understanding of direct is that:
1) It's discouraged, like a lot.
2) It's "iptables-esque" or iptables-like, for compatibility with people who cannot learn firewalld.
3) It creates "dynamic" iptables chains for input, forward and output.

So is ssh bound to (one or two) interface(s) and needs to go out the third (which would account for the forwarding)?

You seem to know what you're on about, so check sshd_config for where you're binding to and ss -antp to see which interface(s) are bound. I'm guessing really, but I think the "it works" rule is on the forward chain of the firewall.

lingling
Posts: 3
Joined: 2014/11/12 21:05:16

Re: FirewallD configuration in CentOS 7 : SSH fails

Post by lingling » 2014/11/27 02:40:23

Rather than a direct rule, try adding your hosts to the trusted zone, i.e. firewall-cmd --zone=trusted --add-source=IPADDRESS

Also, are you sure of your ssh configuration on these hosts? Is PermitRootLogin set to off maybe?

