firewalld blocking ssh into qemu guest


Post by xavier01 » 2016/03/28 18:54:21

Hi all,

Having issues with firewall-cmd blocking ssh into a guest vm.

My host server is running CentOS 7, freshly installed as a VM server. Its IP is 192.168.1.100; the virbr0 is 192.168.122.1.
The guest VM is also running CentOS 7, IP 192.168.122.100.

Trying to log into the guest VM via ssh from my laptop at 192.168.1.40 results in a connection refused. It's definitely the firewall causing the issue: if I disable it, I can connect.
If I use an iptables rule: iptables -I FORWARD 4 -p tcp -m iprange --src-range 192.168.1.1-192.168.255.255 -j ACCEPT. This works, but of course doesn't survive a reboot, and also kind of defeats the purpose of the firewalld service.

I have tried creating a direct passthrough rule, which works, and then I make it permanent, it still works, then I reload the firewall, and it doesn't work anymore; it's still listed in the direct.xml, it just doesn't work.
In fact every variation of a direct rule I've made permanent: some of them work, all of them don't work after a reload.
I have also tried adding the source IP to the zone, and tried adding the service ssh.
I have tried port forwarding.

I am at a loss and have spent many hours trying to figure this out and reading up on firewalld, to no avail :(

Ideally, this server is going to host 6 or 7 vms, all of them should be able to communicate with each other and with other computers on my local network, and possibly 1 or 2 vms will need to be accessible from the internet.

any help would be greatly appreciated.

Thanks


EDIT: does anyone have any ideas? Because I've found that it is a bigger issue than I first realized. In addition to ssh, I also cannot access Spacewalk from any network computer except the host. And to top it off, if I turn off the host firewall, the guest loses internet access. Without network access, the Spacewalk VM is useless, as I won't be able to create backing stores, or iSCSI LUNs on my external storage, or manage any other computers :(
I am still learning CentOS 7 and firewalld, so maybe I'm missing something really simple.


Re: firewalld blocking ssh into qemu guest

Post by aks » 2016/03/29 16:05:22

Can you post your /etc/firewalld/zones/direct.xml?

Can you post ls -lh /etc/firewalld/zones/direct.xml and ls -lhZ /etc/firewalld/zones/direct.xml?

The docs say "The rules can be made permanent by adding the --permanent option using the firewall-cmd --permanent --direct command or by modifying /etc/firewalld/direct.xml. See man firewalld.direct(5) for information on the /etc/firewalld/direct.xml file." on this subject (and there are examples in the docs, see 4.5.3.6.1. of https://access.redhat.com/documentation ... _firewalld)

I know you can forward a port (see 4.5.3.4.13. of https://access.redhat.com/documentation ... _firewalld) or you could forward to a different zone (assumes you have two interfaces, each in a separate zone).

If the port forward thing is acceptable to you, you could use the rich rules syntax to permit port forwarding based on source address (as opposed to just forwarding anything - see the docs).

I think you're looking at one of the (countless) limits of firewalld, suggest you use iptables (see 4.5.4. of https://access.redhat.com/documentation ... _firewalld)


Re: firewalld blocking ssh into qemu guest

Post by xavier01 » 2016/03/29 23:45:38

Hi aks,

Thank you for replying.

My direct.xml currently has nothing in it, as I reset firewalld after a failed attempt, so I don't create a mess with rules. But this is my /etc/firewalld/direct.xml.old file, which was the last thing I tried before giving up and resetting it.


<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-s 192.168.0.0/16 -j ACCEPT</rule>
</direct>
Here is ls -lh:


-rw-r--r--. 1 root root  58 Mar 28 13:14 direct.xml
-rw-r--r--. 1 root root 156 Mar 28 12:45 direct.xml.old
And ls -lhZ:


-rw-r--r--. root root system_u:object_r:firewalld_etc_rw_t:s0 direct.xml
-rw-r--r--. root root system_u:object_r:firewalld_etc_rw_t:s0 direct.xml.old
These files weren't in the zones folder, just /etc/firewalld/.

Just to give you an example of some of the commands I've tried that don't seem to survive a reload:


firewall-cmd --direct --passthrough ipv4 -I FORWARD -i virbr0 -j ACCEPT
firewall-cmd --direct --passthrough ipv4 -I FORWARD -o virbr0 -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -i virbr0 -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -o virbr0 -j ACCEPT
This worked until I reloaded the firewall.
Also tried this:


firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -s 192.168.0.0/16 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -s 192.168.0.0/16 -j ACCEPT
I tried port forwarding via the GUI; I couldn't get it to work at all. I tried port 22 on the host machine 192.168.1.100 forwarded to the guest machine 192.168.122.100, port 22. Then I tried to SSH to 192.168.1.100. I tried other variations, like changing the ssh daemon listening port to 2201 and forwarding to that port.
Also tried creating a rich rule based on examples, but again, it either didn't work or worked until a firewall reload.


I have noticed some error messages in systemctl status:


Mar 29 10:06:04 CENSER firewalld[20170]: 2016-03-29 10:06:04 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 29 10:06:04 CENSER firewalld[20170]: 2016-03-29 10:06:04 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 29 10:06:04 CENSER firewalld[20170]: 2016-03-29 10:06:04 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 29 10:06:04 CENSER firewalld[20170]: 2016-03-29 10:06:04 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --out-interface virbr0 --jump REJECT' failed: iptables: No chain/target/match by that name.
Mar 29 10:06:04 CENSER firewalld[20170]: 2016-03-29 10:06:04 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed: iptables: No chain/target/match by that name.
Mar 29 10:06:04 CENSER firewalld[20170]: 2016-03-29 10:06:04 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 29 10:06:04 CENSER firewalld[20170]: 2016-03-29 10:06:04 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 29 10:06:04 CENSER firewalld[20170]: 2016-03-29 10:06:04 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 29 10:06:04 CENSER firewalld[20170]: 2016-03-29 10:06:04 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 29 10:06:04 CENSER firewalld[20170]: 2016-03-29 10:06:04 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Port forwarding would have worked fine for just ssh, but spacewalk requires several ports to be open and that would get messy.
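An added example, not from either poster: a small rule-walker that reads iptables-save output and reports which FORWARD rule decides a given packet, so the ordering problem can be seen instead of guessed at. The rule set below is constructed for the example and modelled on what this thread quotes: libvirt's virbr0 rules, including the "-o virbr0 -j REJECT" and "-i virbr0 -j REJECT" that the log above shows being deleted and re-added, at the head of FORWARD; firewalld's own chains after them; and the firewall-cmd --direct --add-rule rule where firewalld actually places it, in the FORWARD_direct chain. With that layout a new TCP connection from the laptop to the guest meets libvirt's REJECT at rule 4 before the jump to FORWARD_direct at rule 8, and a REJECT is what the laptop reports as connection refused; only RELATED,ESTABLISHED traffic towards virbr0 gets in. A --direct --passthrough "-I FORWARD" rule, by contrast, is passed to iptables verbatim and lands at position 1, so it wins until something inserts above it again. The laptop, host and guest addresses are the ones given in the thread; the host LAN interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): decide which FORWARD rule handles a packet.
# forward_verdict RULES SRC DST IN_IF OUT_IF CTSTATE PROTO
# RULES is iptables-save text; only -s/-d/-i/-o/-p/--ctstate matches are evaluated,
# other tokens are ignored, and user-defined chains are followed like iptables does.
forward_verdict() {
  printf '%s\n' "$1" | awk -v SRC="$2" -v DST="$3" -v IIF="$4" -v OIF="$5" \
                           -v STATE="$6" -v PROTO="$7" '
  /^-A / { n[$2]++; rules[$2, n[$2]] = $0 }      # keep rules per chain, in order
  END {
    v = walk("FORWARD")
    print (v == "" ? "policy (no rule matched)" : v)
  }
  function ip2n(ip,   o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
  function cidrmatch(cidr, ip,   p, net, bits, unit) {
    p = index(cidr, "/")
    if (p == 0) { net = cidr; bits = 32 } else { net = substr(cidr, 1, p - 1); bits = substr(cidr, p + 1) + 0 }
    unit = 2 ^ (32 - bits)        # POSIX awk has no bitwise ops: compare network parts by integer division
    return int(ip2n(net) / unit) == int(ip2n(ip) / unit)
  }
  function target(rule,   f, nf, i) {
    nf = split(rule, f, " ")
    for (i = 3; i <= nf; i++) if (f[i] == "-j") return f[i + 1]
    return ""
  }
  function rulematch(rule,   f, nf, i, neg, ok) {
    nf = split(rule, f, " ")
    for (i = 3; i <= nf; i++) {
      neg = 0
      if (f[i] == "!") { neg = 1; i++ }
      ok = -1                      # -1 means this token is not a match we evaluate
      if      (f[i] == "-s") ok = cidrmatch(f[++i], SRC)
      else if (f[i] == "-d") ok = cidrmatch(f[++i], DST)
      else if (f[i] == "-i") ok = (f[++i] == IIF)
      else if (f[i] == "-o") ok = (f[++i] == OIF)
      else if (f[i] == "-p") ok = (f[++i] == PROTO)
      else if (f[i] == "--ctstate") ok = (index("," f[++i] ",", "," STATE ",") > 0)
      else if (f[i] == "-j" || f[i] == "-m" || f[i] == "--reject-with") i++
      if (ok != -1 && ok == neg) return 0     # plain match missed, or negated match hit
    }
    return 1
  }
  function walk(chain,   i, t, v) {
    for (i = 1; i <= n[chain]; i++) {
      if (!rulematch(rules[chain, i])) continue
      t = target(rules[chain, i])
      if (t == "ACCEPT" || t == "DROP" || t == "REJECT") return t " (" chain " rule " i ")"
      if (t == "RETURN") return ""
      if (t in n) { v = walk(t); if (v != "") return v }   # user chain: fall through if it did not decide
    }
    return ""
  }'
}

# Constructed sample: libvirt rules at the head of FORWARD, firewalld chains after,
# and the firewall-cmd --direct --add-rule rule parked in FORWARD_direct.
RULES_DEFAULT='-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_direct -s 192.168.0.0/16 -j ACCEPT'

# What --direct --passthrough ipv4 -I FORWARD -o virbr0 -j ACCEPT produces: the rule goes in at position 1.
RULES_PASSTHROUGH="-A FORWARD -o virbr0 -j ACCEPT
$RULES_DEFAULT"

# The same chain with the two libvirt REJECTs taken out, to show the direct rule does work once nothing above it decides.
RULES_NO_LIBVIRT_REJECT=$(printf '%s\n' "$RULES_DEFAULT" | grep -v 'icmp-port-unreachable')

echo "laptop -> guest, new TCP, default rules:      $(forward_verdict "$RULES_DEFAULT" 192.168.1.40 192.168.122.100 eth0 virbr0 NEW tcp)"
echo "laptop -> guest, reply traffic, default rules: $(forward_verdict "$RULES_DEFAULT" 192.168.1.40 192.168.122.100 eth0 virbr0 ESTABLISHED tcp)"
echo "laptop -> guest, new TCP, passthrough on top:  $(forward_verdict "$RULES_PASSTHROUGH" 192.168.1.40 192.168.122.100 eth0 virbr0 NEW tcp)"
echo "laptop -> guest, new TCP, libvirt REJECTs gone: $(forward_verdict "$RULES_NO_LIBVIRT_REJECT" 192.168.1.40 192.168.122.100 eth0 virbr0 NEW tcp)"
echo "guest -> internet, new TCP, default rules:     $(forward_verdict "$RULES_DEFAULT" 192.168.122.100 8.8.8.8 virbr0 eth0 NEW tcp)"
```

To check a real host, replace the constructed text with the output of iptables-save -t filter. A packet that was DNATed by a port-forward on the host arrives at FORWARD with the guest as destination, virbr0 as the outgoing interface and conntrack state NEW, so it is decided by the same rule 4 as a direct connection to the guest, which fits the port-forwarding attempts described above.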


Re: firewalld blocking ssh into qemu guest

Post by aks » 2016/03/30 17:08:46

Okay, it looks like you've got a bunch of invalid deletes in there - best to start from the beginning again.

Firewalld is actually just a "shim" over iptables - I suspect it's just there to abstract us from iptables so RH can move to another firewall at some point (perhaps nftables?). One of the (many) limits with firewalld is chain support. There probably is a way, but it's not very well documented; I've looked at firewall-cmd and rich-language - no mention of the forwarding chain (well, except for over the direct interface).

So I did what you did:
# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -s 192.168.0.0/16 -j ACCEPT
success
(NOTE: this created the file /etc/firewalld/direct.xml - NOT /etc/firewalld/zones/direct.xml as I said earlier)
# firewall-cmd --direct --get-all-rules
ipv4 filter FORWARD 0 -s 192.168.0.0/16 -j ACCEPT
# systemctl restart firewalld
# firewall-cmd --direct --get-all-rules
ipv4 filter FORWARD 0 -s 192.168.0.0/16 -j ACCEPT
# firewall-cmd --complete-reload
# firewall-cmd --direct --get-all-rules
ipv4 filter FORWARD 0 -s 192.168.0.0/16 -j ACCEPT

So it does work. Now, in one of the various release notes (or it could be in the docs) there was a warning about (for example) sysctl (which includes setting ip_forward to on) not loading before firewalld, in which case firewalld IGNORES forwarding (as the machine is not in forwarding mode). But that's from boot. I'm guessing that's the issue, or something to do with all the other errors you have.

Edit: I've just checked my journal/systemctl status and I now have the same "internal errors" you have! I'm probably going to delete the direct.xml and reboot, because strace suggests that --complete-reload DOESN'T actually reload (at least to my mind) - it adds: stuff that's in memory is kept and whatever is on disk that's not in memory is added. I can't see any evidence of (well, the direct rules) being removed! The direct interface is supposed to be for programs to manipulate the firewall (I think via dbus) - not for us mere mortals, so maybe that's why.

If you really want to get this sorted out without all the hassle, just switch to iptables and do it the "old" way and be done - but that'll probably come back to bite sometime later. That's what I'd do.


Re: firewalld blocking ssh into qemu guest

Post by xavier01 » 2016/03/31 13:41:36

Thanks for being so thorough.

I thought I had read a bug report or something which stated that all those invalid deletes were firewalld's way of "checking to make sure those rules aren't present", but I could be mixing things up. I read through a lot of bug reports, forum posts, instruction manuals, and might be confusing information.

The problem wasn't that the actual rules I input would disappear. Whatever rules I entered would stay, but for some reason would stop working. My laptop could connect through ssh, but on a reload, it would revert to connection refused.

While digging around, I did notice something interesting: I did an iptables-save, and found this in the post-routing table:


-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
And this in the FORWARD chain:


-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
Now, my understanding of how iptables moves packets through the chains still needs some work, but it seems odd that there would be masquerade rules present for post-routing when I am not masquerading interfaces. And this is the base iptables before I made any changes. So it looks like there are forwarding rules present that SHOULD allow connections through, but don't. Maybe what you said about sysctl not loading before the firewalld service DOES have something to do with why it seems to be ignoring rules that are already in the default iptables. I will look into the boot process and see what is getting loaded and when.

I considered switching to iptables, but like you said, it might come back to bite me later. So, for now, I have resigned myself to keeping firewalld and adding a forward rule to iptables on startup; I will probably create a startup script to make sure I don't forget.

Again, thanks for your input; it was very helpful.
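An added example of the startup-script approach mentioned above; this is not the poster's script. It inserts one FORWARD rule that admits only NEW connections from the LAN into the guest network, at position 1 so it sits above libvirt's "-o virbr0 -j REJECT", and it checks with iptables -C first so that running it twice does not stack duplicate rules. The systemd unit it prints is ordered after firewalld.service and libvirtd.service, because both rewrite FORWARD when they start. Return traffic needs no extra rule: the RELATED,ESTABLISHED rules quoted above already accept it. The LAN and guest networks, the interface name and the unit/script paths are assumptions; the IPTABLES variable exists so the insert-or-skip logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): persist a LAN -> libvirt-guest FORWARD rule from a startup unit.
LAN_NET=${LAN_NET:-192.168.1.0/24}         # assumed: the laptop's LAN
GUEST_NET=${GUEST_NET:-192.168.122.0/24}   # libvirt default network from the thread
GUEST_IF=${GUEST_IF:-virbr0}
IPTABLES=${IPTABLES:-iptables}             # overridable so the logic can be tested without root

# run_rule -C checks whether the rule exists (exit 0 only on an exact match);
# run_rule -I inserts it at position 1, ahead of libvirt's REJECT rules.
run_rule() {
  if [ "$1" = "-I" ]; then set -- -I FORWARD 1; else set -- -C FORWARD; fi
  "$IPTABLES" "$@" -s "$LAN_NET" -d "$GUEST_NET" -o "$GUEST_IF" \
      -m conntrack --ctstate NEW -j ACCEPT
}

rule_present() { run_rule -C 2>/dev/null; }

# Idempotent: insert only when the exact rule is not already in the chain.
ensure_rule() {
  if rule_present; then
    echo "rule already present"
  else
    run_rule -I && echo "rule inserted"
  fi
}

# Unit that runs this script after both services that flush/rewrite FORWARD at boot.
# $1 is the absolute path this script is installed at (assumed by the caller).
print_unit() {
  cat <<EOF
[Unit]
Description=Allow new connections from the LAN to libvirt guests
After=firewalld.service libvirtd.service
Wants=firewalld.service libvirtd.service

[Service]
Type=oneshot
ExecStart=/bin/sh $1 apply
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
  apply) ensure_rule ;;
  unit)  print_unit "$(readlink -f "$0")" ;;
esac
```

Install with something like: copy the script to /usr/local/sbin/lan-to-guests.sh, run "sh /usr/local/sbin/lan-to-guests.sh unit > /etc/systemd/system/lan-to-guests.service", then "systemctl enable --now lan-to-guests.service". Two caveats: a firewalld reload flushes FORWARD and so drops this rule again until the unit is restarted, and the rule opens every port on every guest to the whole LAN; add "-p tcp --dport 22" (or the Spacewalk ports) to both the -C and -I forms if that is all that should be reachable.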
