Destination unreachable (Host administratively prohibited)
I'm using a host-only network in virtualbox.
The host (Windows): 192.168.56.1/24
The guest (CentOS): 192.168.56.101/24
There's a simple http server which listens on 0.0.0.0:8080 running in the guest.
"curl http://192.168.56.101:8080/" in the guest machine is OK. But it doesn't work in the host (visited by a browser as curl isn't installed on my Windows).
Ping 192.168.56.101 from the host is OK though. I try to gain some hints by capturing packets on the VirtualBox-Host-Only-Network adapter with Wireshark, and I see some ICMP packets sent from 192.168.56.101 to 192.168.56.1 which tell me "Destination unreachable (Host administratively prohibited)".
I can visit http://192.168.56.101:8080/ only if I shut down the firewall of the guest (systemctl stop firewalld). But I don't want to do that. I'd like to visit http://192.168.56.101:8080/ from the host while the firewall of the guest is on.
I have searched this for a while and still don't know exactly how. Maybe something with iptables, but I'm not familiar with it and find it a little hard to understand. Can someone explain how the following rules work to reject my visit and how to modify them properly (for example in the above situation)?
Thank you.
iptables -nvL --line-numbers (when the firewall is off)
Chain INPUT (policy ACCEPT 72 packets, 6371 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 51 packets, 9866 bytes)
num pkts bytes target prot opt in out source destination
iptables -nvL --line-numbers (when the firewall is on)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
4 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
5 1 76 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
6 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
7 11 1096 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
8 11 1096 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
9 11 1096 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
10 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
11 11 1096 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
3 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
4 0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
5 0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
6 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
7 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
8 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
9 0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
10 0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
11 0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
12 0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
13 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
14 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 12 packets, 1204 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
2 12 1204 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDI_public all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0 [goto]
2 0 0 FWDI_public all -- enp0s3 * 0.0.0.0/0 0.0.0.0/0 [goto]
3 0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public all -- * enp0s8 0.0.0.0/0 0.0.0.0/0 [goto]
2 0 0 FWDO_public all -- * enp0s3 0.0.0.0/0 0.0.0.0/0 [goto]
3 0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public (3 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public (3 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 11 1096 IN_public all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0 [goto]
2 0 0 IN_public all -- enp0s3 * 0.0.0.0/0 0.0.0.0/0 [goto]
3 0 0 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public (3 references)
num pkts bytes target prot opt in out source destination
1 11 1096 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
2 11 1096 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 11 1096 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
With ip addr:
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.101 netmask 255.255.255.0 broadcast 192.168.56.255
Interface enp0s3 is used for NAT and enp0s8 connects to the host-only network. Both lo and virbr0 are not relevant and are not listed here.
iptables firewalld
edited 6 mins ago
asked Sep 20 '18 at 11:28 by miāo
1 Answer
Using firewall-cmd, open the port 8080/tcp, once in the active rules (only triggering a rebuild of the iptables rules with the change) and once in the saved configuration (only saving the change in the configuration in /etc/firewalld/).
# firewall-cmd --add-port=8080/tcp
success
# firewall-cmd --permanent --add-port=8080/tcp
success
UPDATE: allow a whole interface, as asked in the comments.
firewalld has a concept of zones. By default actions are done on the public zone, but there are many predefined zones, e.g. dmz, work, ... and the trusted zone, which implicitly trusts everything. The easiest way to allow an interface is to add this interface to the trusted zone. As usual the two commands are run once for the configuration (with --permanent) and once for the active set (without --permanent; --reload could also work).
# firewall-cmd --zone=trusted --add-interface=enp0s8
# firewall-cmd --permanent --zone=trusted --add-interface=enp0s8
The iptables rules will be changed accordingly, with among them these key rules, visible in the output of iptables-save (I'm just writing a few here, there are many more):
-A FORWARD_IN_ZONES -i enp0s8 -j FWDI_trusted
-A FWDI_trusted -j ACCEPT
-A INPUT_ZONES -i enp0s8 -j IN_trusted
-A IN_trusted -j ACCEPT
Now, for example, a remote incoming TCP connection to a random port (on an address) on this interface will likely switch from a "No route to host" or other "Destination unreachable" error to a "Connection refused" error, unless there really is a process listening on it.
There are some issues, possibly distribution-dependent, for it to always work properly, including after reboot, even if it appears to be fine at first. Example:
Firewalld Adding Interfaces to a Zone Issue
Really, once going beyond the task of opening a few ports, using firewalld instead of directly making one's own rules with iptables can become convoluted, and requires investment in the knowledge of its syntax, which could have been spent on the lower layer's knowledge instead (today iptables, tomorrow nft...), and requires anyway verifying the results today with iptables-save (tomorrow it might become nft list ruleset -a).
Thank you. So I don't need to use the iptables command directly. Later I found there's no iptables service but only the iptables command installed in the guest.
– miāo Sep 24 '18 at 9:29
After doing this a new line appeared under the IN_public_allow section: "ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 ctstate NEW"
– miāo Sep 24 '18 at 12:03
@miāo so is it working as intended or is there something still not working? If it's ok, consider accepting the answer.
– A.B Sep 24 '18 at 20:56
Yes, it works. I accept it now. And... Is there a way to allow all incoming connections of one interface (in this case the enp0s8) regardless of their port numbers?
– miāo Sep 25 '18 at 2:37
You should ask another question for this, or at the very least update the question. Anyway I'll update my answer accordingly.
– A.B Sep 25 '18 at 6:20
edited Sep 25 '18 at 10:37
answered Sep 23 '18 at 13:50
A.B
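An added example, not from the answer above and not from the firewalld project, for the verification step the answer recommends: instead of trusting the "success" that firewall-cmd prints, read the rules firewalld actually installed via iptables-save and report, for an interface and a port, which zone the interface is bound to, whether the port is accepted in that zone, and what the catch-all rule at the end of INPUT does to everything else. The embedded SAMPLE_RULESET is constructed, not captured from the asker's VM: it reuses the chain names the answer quotes (INPUT_ZONES, IN_public_allow, IN_trusted, FORWARD_IN_ZONES, FWDI_trusted), the interface names and ports from the question, and the catch-all "-A INPUT -j REJECT --reject-with icmp-host-prohibited" that firewalld on CentOS 7 puts at the end of INPUT. That reject type is the "Host administratively prohibited" ICMP message in the question title; a Linux client's connect() reports it as "No route to host", which is the error the answer says disappears once the interface is trusted. Function names and the --live flag are this script's own.

```sh
#!/bin/sh
# Added example (not from the Server Fault answer or the firewalld project):
# read the rules firewalld actually installed, via iptables-save output, instead
# of trusting the "success" printed by firewall-cmd. POSIX sh + sed/grep only.
# SAMPLE_RULESET is constructed from the chain names quoted in the answer; it is
# not a capture from the asker's VM.
SAMPLE_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_trusted - [0:0]
:FORWARD_IN_ZONES - [0:0]
:FWDI_trusted - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i enp0s8 -j IN_trusted
-A INPUT_ZONES -i enp0s3 -j IN_public
-A INPUT_ZONES -j IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
-A IN_trusted -j ACCEPT
-A FORWARD_IN_ZONES -i enp0s8 -j FWDI_trusted
-A FWDI_trusted -j ACCEPT
COMMIT'

# zone_for_iface RULESET IFACE: zone the interface is explicitly bound to
# ("-A INPUT_ZONES -i IFACE -j IN_<zone>"); prints nothing if it is not bound.
zone_for_iface() {
    printf '%s\n' "$1" |
        sed -n 's/^-A INPUT_ZONES -i '"$2"' -j IN_\([A-Za-z0-9_]*\)$/\1/p' | head -n 1
}

# default_zone RULESET: zone reached by interfaces with no explicit binding.
default_zone() {
    printf '%s\n' "$1" | sed -n 's/^-A INPUT_ZONES -j IN_\([A-Za-z0-9_]*\)$/\1/p' | head -n 1
}

# zone_accepts_all RULESET ZONE: true if the zone chain ACCEPTs unconditionally,
# which is what "trusted" does (every port on every bound interface is open).
zone_accepts_all() {
    printf '%s\n' "$1" | grep -q "^-A IN_${2} -j ACCEPT$"
}

# port_allowed RULESET ZONE PROTO PORT: true if IN_<zone>_allow accepts new
# connections to PROTO/PORT (the rule that --add-port=8080/tcp creates).
port_allowed() {
    printf '%s\n' "$1" | grep -q "^-A IN_${2}_allow -p $3 -m $3 --dport $4 .*-j ACCEPT$"
}

# final_input_reject RULESET: --reject-with type of the catch-all REJECT that
# ends INPUT; prints nothing if INPUT ends in DROP (or falls to the policy).
final_input_reject() {
    printf '%s\n' "$1" | sed -n 's/^-A INPUT -j REJECT --reject-with \(.*\)$/\1/p' | tail -n 1
}

# client_error_for REJECT_TYPE: what a Linux client's connect() reports for that
# reject. icmp-host-prohibited is the "Host administratively prohibited" ICMP
# message from the question title; the kernel surfaces it as EHOSTUNREACH.
client_error_for() {
    case "$1" in
        icmp-host-prohibited|icmp-admin-prohibited|icmp-host-unreachable) echo "No route to host" ;;
        icmp-net-prohibited|icmp-net-unreachable) echo "Network is unreachable" ;;
        icmp-port-unreachable|tcp-reset) echo "Connection refused" ;;
        '') echo "no REJECT at end of INPUT (a DROP shows up as a timeout)" ;;
        *) echo "unknown reject type: $1" ;;
    esac
}

# report RULESET IFACE PROTO PORT: one-line verdict; returns 0 if a new
# connection to PROTO/PORT arriving on IFACE gets past the INPUT chain.
report() {
    zone=$(zone_for_iface "$1" "$2")
    [ -n "$zone" ] || zone=$(default_zone "$1")
    if zone_accepts_all "$1" "$zone"; then
        echo "$2 -> zone $zone: ACCEPTs everything, no per-port filtering on this interface"
    elif port_allowed "$1" "$zone" "$3" "$4"; then
        echo "$2 -> zone $zone: $3/$4 allowed"
    else
        echo "$2 -> zone $zone: $3/$4 blocked, client sees '$(client_error_for "$(final_input_reject "$1")")'"
        return 1
    fi
}

# With --live, inspect the running host (needs root); otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
    RULESET=$(iptables-save) || exit 2
else
    RULESET=$SAMPLE_RULESET
fi
report "$RULESET" enp0s8 tcp 8080
report "$RULESET" enp0s3 tcp 8080
report "$RULESET" enp0s3 tcp 53 || true
```

Run it with --live as root on the guest to check the running ruleset. That is the runtime state only: after a --permanent change without --reload the live output will not show it, and a runtime-only change disappears on reload, which is exactly why the answer gives each command twice. IPv6 has the same chain layout in ip6tables-save. Note what the trusted-zone verdict says: binding enp0s8 to trusted removes all per-port filtering on that interface (and, via FWDI_trusted, on forwarded traffic entering it). That is fine for a host-only lab network, but it is a much wider change than opening 8080/tcp in public, so on anything reachable from an untrusted network prefer the per-port rule.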