The Geek Diary

Issue Opening a Firewalld Port in CentOS/RHEL 8

by

The Problem

We have opened a new port or added a service in firewalld fail without error. In the server, port 80 is opened as per below output:

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens3
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

But when trying to connect from another host, below error is reported:

$ nc -v [SERVER_IP_ADDRESS] 80
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: No route to host.

The Solution

By default, the firewalld backend is configured to nftables. Direct rules used by firewalld might impact the way the rules are applied:

Direct rules that ACCEPT packets don’t actually cause the packets to be immediately accepted by the system. Those packets are still subject to firewalld’s nftables ruleset. For direct rules that DROP packets, the packets are immediately dropped. If a general DROP or REJECT rule is configured as the last of direct rules, it will cause all nftables rules to be ignored.

The last line in the following command is one example:

# iptables -vnxL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
    2133   309423 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
      27     1620 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
      10      524 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
      93     4740 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

It can also be verified that it is configured in firewalld direct rules:

# grep -B4 INPUT /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>

    <passthrough ipv="ipv4">-N BareMetalInstanceServices</passthrough>
    <passthrough ipv="ipv4">-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</passthrough>
    <passthrough ipv="ipv4">-A INPUT -p icmp -j ACCEPT</passthrough>
    <passthrough ipv="ipv4">-A INPUT -i lo -j ACCEPT</passthrough>
    <passthrough ipv="ipv4">-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT</passthrough>
    <passthrough ipv="ipv4">-A INPUT -j REJECT --reject-with icmp-host-prohibited</passthrough>

Verify if direct rules are really necessary, probably the important rules are already configured in “normal” rules. To completely remove direct rules, remove the file /etc/firewalld/direct.xml.

# mv /etc/firewalld/direct.xml /etc/firewalld/direct.xml_bck

If direct rules are needed, remove the last resource rule, with REJECT, in the direct rules and configure it in nftables/firewalld.

You May Also Like