Issue Opening a Firewalld Port in CentOS/RHEL 8

by admin

The Problem

A new port was opened (or a service added) in firewalld without any error, yet connections to it still fail. On the server, port 80 is shown as open in the active zone:

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

But when trying to connect from another host, below error is reported:

$ nc -v [SERVER_IP_ADDRESS] 80
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: No route to host.

The Solution

In CentOS/RHEL 8 the firewalld backend defaults to nftables. Direct rules used by firewalld can change the way the rules are applied:

Direct rules that ACCEPT packets don’t actually cause the packets to be immediately accepted by the system. Those packets are still subject to firewalld’s nftables ruleset. For direct rules that DROP packets, the packets are immediately dropped. If a general DROP or REJECT rule is configured as the last of direct rules, it will cause all nftables rules to be ignored.

The last rule in the output of the following command is one example of such a catch-all REJECT:

# iptables -vnxL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
    2133   309423 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
      27     1620 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
      10      524 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
      93     4740 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

The same rule can be confirmed to come from firewalld's direct rules configuration:

# grep -B4 INPUT /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>

    <passthrough ipv="ipv4">-N BareMetalInstanceServices</passthrough>
    <passthrough ipv="ipv4">-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</passthrough>
    <passthrough ipv="ipv4">-A INPUT -p icmp -j ACCEPT</passthrough>
    <passthrough ipv="ipv4">-A INPUT -i lo -j ACCEPT</passthrough>
    <passthrough ipv="ipv4">-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT</passthrough>
    <passthrough ipv="ipv4">-A INPUT -j REJECT --reject-with icmp-host-prohibited</passthrough>

Check whether the direct rules are really necessary; the important rules (established connections, loopback, SSH) are most likely already covered by the "normal" firewalld rules. To remove the direct rules completely, remove the file /etc/firewalld/direct.xml (move it aside rather than delete it, so it can be restored) and reload firewalld.

# mv /etc/firewalld/direct.xml /etc/firewalld/direct.xml_bck

If direct rules are needed, remove only the final catch-all REJECT rule from the direct rules and configure the equivalent default policy in the regular firewalld (nftables) rules instead.
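As an added example (not from the original post), the following POSIX shell check parses the passthrough rules of a firewalld direct.xml and reports whether the last rule appended to a chain is a catch-all REJECT or DROP, which is exactly the condition diagnosed above. The sample file is constructed from the listing above, and write_sample and check_catchall are names chosen for this example.

```shell
#!/bin/sh
# Added example: flag a catch-all REJECT/DROP ending a chain in firewalld's direct.xml.
# Only <passthrough> rules are handled (the form shown above); <rule> elements are ignored.

# Constructed sample based on the listing above; "$2" = reject adds the catch-all rule,
# "$2" = scoped adds a DROP that only matches one source network.
write_sample() {
    {
        printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<direct>' \
            '  <passthrough ipv="ipv4">-N BareMetalInstanceServices</passthrough>' \
            '  <passthrough ipv="ipv4">-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</passthrough>' \
            '  <passthrough ipv="ipv4">-A INPUT -i lo -j ACCEPT</passthrough>' \
            '  <passthrough ipv="ipv4">-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT</passthrough>'
        if [ "$2" = reject ]; then
            printf '%s\n' '  <passthrough ipv="ipv4">-A INPUT -j REJECT --reject-with icmp-host-prohibited</passthrough>'
        elif [ "$2" = scoped ]; then
            printf '%s\n' '  <passthrough ipv="ipv4">-A INPUT -s 192.0.2.0/24 -j DROP</passthrough>'
        fi
        printf '%s\n' '</direct>'
    } > "$1"
}

# check_catchall <direct.xml> <chain>: exit 0 if the last rule appended to <chain>
# is a REJECT/DROP with no match options (it would block everything evaluated after it).
check_catchall() {
    file="$1"; chain="${2:-INPUT}"
    # Extract passthrough bodies in file order and keep only "-A <chain> ..." rules.
    last=$(grep -E -o '<passthrough[^>]*>[^<]*</passthrough>' "$file" \
        | sed 's/<[^>]*>//g' \
        | grep -E "(^|[[:space:]])-A[[:space:]]+$chain([[:space:]]|\$)" \
        | tail -n 1)
    [ -n "$last" ] || return 1
    case "$last" in
        *"-j REJECT"*|*"-j DROP"*) ;;
        *) return 1 ;;
    esac
    # Remove the chain, target and reject-with arguments; any remaining token is a match
    # option (e.g. -s, -p, --dport), which means the rule is scoped rather than catch-all.
    rest=$(printf '%s\n' "$last" | sed -E "s/-A[[:space:]]+$chain//; s/-j[[:space:]]+(REJECT|DROP)//; s/--reject-with[[:space:]]+[^[:space:]]+//; s/[[:space:]]+//g")
    [ -z "$rest" ]
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
write_sample "$tmp" reject
if check_catchall "$tmp" INPUT; then
    echo "WARNING: a catch-all REJECT/DROP ends direct chain INPUT in $tmp"
fi
rm -f "$tmp"
```

Run it against the real /etc/firewalld/direct.xml with `check_catchall /etc/firewalld/direct.xml INPUT` to find the rule that has to be removed or moved into regular firewalld rules.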
