Problem about firewalld

Support for security such as Firewalls and securing linux
Post Reply
khoa135789
Posts: 2
Joined: 2019/07/09 05:35:54

Problem about firewalld

Post by khoa135789 » 2019/07/09 06:00:18

I have two CentOS7 as server1 and server2
- On server1, I added 2 network adapter called ens36 & ens37
ens36: This one to connect to the Internet
IP: 192.168.109.150
GATEWAY: 192.168.109.2
DNS1=8.8.8.8
ens37:
IP: 192.168.2.254
- On server2, I have one network adapter called ens33
ens33:
IP: 192.168.2.1
GATEWAY: 192.168.2.254
DNS1: 8.8.8.8
I configure NAT-Out on server1 to get Internet access to server2. After that, I install and configure Web on server2 then I use this following command to public the Web for PC client to connect: #firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toaddr=192.168.2.1
PC with IP: 192.168.109.151 can connect to Web but something happend
When I tried to install another service like vsftpd or something else on Server2, I got error named: No presto metadata available for base
But when I changed IP and GATEWAY to 192.168.109.*, it installed well
Any idea how to fix it? Thanks in advanced :D

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Problem about firewalld

Post by TrevorH » 2019/07/09 06:17:06

I don't think that's a firewalld problem. You have two GATEWAY= lines in different ifcfg files and that never ends well. Remove it from the one that should not have the default route.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

User avatar
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Problem about firewalld

Post by jlehtone » 2019/07/09 11:45:16

Lets verify:

server1
* has ens36 connected to ISP
* has ens37 connected to ens33 of server2
* default route via ISP

server2
* has ens33 connected to ens37 of server1
* default route via server1

You did not show PREFIX so we don't know whether your subnets overlap (by mistake).
But when I changed IP and GATEWAY to 192.168.109.*, it installed well
In that case the ens33 is connected to the ISP too. That is an error.
If you want the server2 to be behind server1, then you have to put it behind, not leave on the side.

I would set the connection.zone of server1:ens36 to be external. That enables NAT on ens36 and routing on server1.
(You did say that you did configure NAT-Out somehow, but did not tell how.)

I can't remember whether public->external forwarding is allowed.
(The default zone is public and you want to forward server2->ens37->ens36->ISP.)


You have to get your basic setup right first. After that you can add those port forwarding (aka DNAT) rules.

khoa135789
Posts: 2
Joined: 2019/07/09 05:35:54

Re: Problem about firewalld

Post by khoa135789 » 2019/07/10 16:59:35

After I configured NAT-out on server1, server2 could connect to ISP through server1 and use yum
I yum install httpd to make web on server2 then I use this command on server1: #firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toaddr=192.168.2.1 to public the web
PC client could connect the web but when I return to server2 to use yum install again to get another service. It didn't work, it showed "No presto metadata available for base", sometimes "Network is unreacheable"
I still can ping to dns server by ip and names but cannot use yum :?

User avatar
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Problem about firewalld

Post by jlehtone » 2019/07/10 17:49:58

Sorry, missed an elementary previously.

When something arrives to server1 and is destined to port 80, you DNAT it to port 80 of 192.168.2.1.

Arrives to server1.

When yum on server2 attempts to contact a repository, does it not send packet to port 80 of repository?
Yes. The packet goes to server1 first. Arrives to server1.
Server1 forwards that packet to server2. The httpd on server2 says: "wut?"


You want to port-forward some connections that arrive from outside.
You must not port-forward connections that arrive from inside.


man firewall-cmd wrote:--add-forward-port
Add the IPv4 forward port for zone. If zone is omitted, default zone will be used.
Default zone.

Are both interfaces on the same zone? That would explain the symptoms.
I configured NAT-out on server1
That can be done many ways. Can I assume that the method you have used (but not told us) is not suitable for your situation?

Post Reply