Problem about firewalld

Posted: 2019/07/09 06:00:18
by khoa135789
I have two CentOS 7 machines, server1 and server2.
- On server1, I added 2 network adapters called ens36 & ens37
ens36: this one connects to the Internet
- On server2, I have one network adapter called ens33
I configured NAT-Out on server1 to give server2 Internet access. After that, I installed and configured a web server on server2, then I used the following command to publish the web server so a PC client can connect: #firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toaddr=
The PC with IP: can connect to the web server, but something happened.
When I tried to install another service like vsftpd or something else on server2, I got an error: No presto metadata available for base
But when I changed the IP and GATEWAY to 192.168.109.*, it installed fine.
Any idea how to fix it? Thanks in advance :D

Re: Problem about firewalld

Posted: 2019/07/09 06:17:06
by TrevorH
I don't think that's a firewalld problem. You have two GATEWAY= lines in different ifcfg files and that never ends well. Remove it from the one that should not have the default route.

Re: Problem about firewalld

Posted: 2019/07/09 11:45:16
by jlehtone
Let's verify:

server1:
* has ens36 connected to ISP
* has ens37 connected to ens33 of server2
* default route via ISP

server2:
* has ens33 connected to ens37 of server1
* default route via server1

You did not show PREFIX so we don't know whether your subnets overlap (by mistake).
But when I changed IP and GATEWAY to 192.168.109.*, it installed well
In that case the ens33 is connected to the ISP too. That is an error.
If you want the server2 to be behind server1, then you have to put it behind, not leave on the side.

I would set the zone of server1:ens36 to be external. That enables NAT on ens36 and routing on server1.
(You did say that you did configure NAT-Out somehow, but did not tell how.)

I can't remember whether public->external forwarding is allowed.
(The default zone is public and you want to forward server2->ens37->ens36->ISP.)

You have to get your basic setup right first. After that you can add those port-forwarding (aka DNAT) rules.

Re: Problem about firewalld

Posted: 2019/07/10 16:59:35
by khoa135789
After I configured NAT-out on server1, server2 could connect to the ISP through server1 and use yum.
I ran yum install httpd to set up the web server on server2, then I used this command on server1: #firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toaddr= to publish the web server.
The PC client could connect to the web server, but when I returned to server2 to use yum install again to get another service, it didn't work; it showed "No presto metadata available for base", sometimes "Network is unreachable".
I can still ping the DNS server by IP and by name but cannot use yum :?

Re: Problem about firewalld

Posted: 2019/07/10 17:49:58
by jlehtone
Sorry, I missed something elementary previously.

When something arrives to server1 and is destined to port 80, you DNAT it to port 80 of

Arrives to server1.

When yum on server2 attempts to contact a repository, does it not send packet to port 80 of repository?
Yes. The packet goes to server1 first. Arrives to server1.
Server1 forwards that packet to server2. The httpd on server2 says: "wut?"

You want to port-forward some connections that arrive from outside.
You must not port-forward connections that arrive from inside.

man firewall-cmd wrote:
--add-forward-port
Add the IPv4 forward port for zone. If zone is omitted, default zone will be used.

Default zone.

Are both interfaces on the same zone? That would explain the symptoms.
I configured NAT-out on server1
That can be done many ways. Can I assume that the method you have used (but not told us) is not suitable for your situation?
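As an added example (not code from any post in this thread), the following script shows the two fixes the replies above point at: TrevorH's "only one ifcfg file may carry GATEWAY=" check, and jlehtone's zone layout, where ens36 sits in the external zone (masquerade on, DNAT rule attached there only) and ens37 sits in the internal zone, so server2's own outbound yum connections are NATed out instead of being forwarded back to server2's httpd. The interface names ens36/ens37 come from the thread; the address 10.0.0.2 for server2 and the directory paths are assumptions for illustration. Set DRY_RUN=1 to print the firewall-cmd commands instead of running them.

```bash
#!/bin/bash
# Added example for the firewalld thread above; not from the original posts.
# Assumed: ens36 = ISP-facing interface on server1, ens37 = link to server2,
# 10.0.0.2 = server2's address on that link (placeholder, not from the thread).

# TrevorH's point: exactly one ifcfg-* file in DIR may define GATEWAY=,
# otherwise two default routes compete. Returns 0 only when the count is 1.
check_single_gateway() {
    local dir=$1 count
    count=$(cat "$dir"/ifcfg-* 2>/dev/null | grep -cE '^GATEWAY=' || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one GATEWAY= line under $dir, found $count" >&2
        return 1
    fi
    return 0
}

# Run a command, or just print it when DRY_RUN is set (lets the reader
# review the exact firewall-cmd invocations before touching a live box).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# jlehtone's point: bind each interface to its own zone and attach the
# DNAT (forward-port) rule to the external zone only. A forward-port
# added without --zone lands in the default zone (public); if both
# interfaces are in that zone, server2's outbound port-80 traffic to a
# yum mirror is DNATed straight back to server2's httpd.
configure_nat_router() {
    local wan_if=$1 lan_if=$2 web_ip=$3
    run firewall-cmd --permanent --zone=external --change-interface="$wan_if"
    run firewall-cmd --permanent --zone=internal --change-interface="$lan_if"
    # external zone masquerades by default; stating it keeps intent explicit
    # and, as jlehtone notes, enables routing on server1.
    run firewall-cmd --permanent --zone=external --add-masquerade
    run firewall-cmd --permanent --zone=external \
        --add-forward-port="port=80:proto=tcp:toaddr=$web_ip"
    run firewall-cmd --reload
}

# Quick post-check: which interface sits in which zone, and where the
# forward-port rule actually ended up.
show_zone_state() {
    run firewall-cmd --get-active-zones
    run firewall-cmd --zone=external --list-forward-ports
    run firewall-cmd --zone=public --list-forward-ports
}

# Usage (on server1, as root):
#   check_single_gateway /etc/sysconfig/network-scripts || exit 1
#   configure_nat_router ens36 ens37 10.0.0.2
#   show_zone_state
```

With DRY_RUN=1 the script only prints the commands, which is a convenient way to review the zone assignments before applying them. The GATEWAY check runs against any directory of ifcfg-* files, so it can be pointed at a copy of /etc/sysconfig/network-scripts as well.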