How to convert Susefirewall2 FW_FORWARD_MASQ to firewalld

I have successfully converted from Susefirewall2 to firewalld, but I still have one rule I cannot obtain:

FW_FORWARD_MASQ="
0/0,192.168.168.6,tcp,21,21,a.b.c.150
0/0,192.168.168.6,tcp,60000:60100,a.b.c.150
0/0,192.168.168.5,tcp,21,21,a.b.c.149
0/0,192.168.168.5,tcp,60000:60100,a.b.c.149
"

I have two internal FTP servers (192.168.168.5 and 192.168.168.6) that should be externally reachable in passive mode, addressing two public IPs on the external interface (a.b.c.149 and a.b.c.150). In Susefirewall2 this was working perfectly, but in firewalld I can forward the single port 21, but it does not accept the 60000:60100 range needed for passive FTP.

How can I achieve this configuration?
TY in advance

I haven't tried it for your situation, but you can try running the migration tool described in the following:

https://en.opensuse.org/Firewalld

TSU

This should be enough to be of guidance…
https://www.server-world.info/en/note?os=CentOS_7&p=firewalld&f=2

Firewalld documentation with some examples…
https://firewalld.org/documentation/man-pages/firewalld.richlanguage.html

I tried the converter and read all the available documents, but I could not find any referral to such case.
All the examples are about forwarding one ip:port to another ip:port.
I need to forward ip-ext:port-port to ip-int:port-port

Does example 5 in the second link I gave not help?

Example 5 says: Forward IPv6 port/packets receiving from 1:2:3:4:6:: on port 4011 with protocol tcp to 1::2:3:4:7 on port 4012

It forwards without masquerading a single port to a different port of another address.

I need to forward with masquerading a range of ports to the same range of another address.

I tried this rule but it does not work:

<rule family="ipv4">
  <source address="a.b.c.149"/>
  <destination address="192.168.168.5"/>
  <forward-port port="60000-60100" protocol="tcp" to-port="60000-60100" />
  <log level="info"/>
</rule>

You also need to activate masquerading. For example, assuming the 'public' zone:

sudo firewall-cmd --zone=public --add-masquerade

You need to-addr=192.168.168.5. The "destination" element is for matching packets, not for specifying the port forwarding destination.

Took a look at this,
And it looks like firewalld should support PASV FTP by default.

Required:
Configure your FTP application according to its documentation to specify the secondary port range (PASV data ports)
Using the YaST module which invokes the firewalld GUI interface or firewall-cmd, enable the ftp service (provided in all installations) for your default zone (and other zones as may be needed). The default installed zone is the Public zone. Do not create a new FTP service, without special configuration it will support only Active FTP.
Verify that kernel modules are installed that support nftables and specifically nf_conntrack_ftp. For comparison, the following is the command and result on my TW:

# lsmod | grep nf_nat_ftp
nf_nat_ftp             16384  0
nf_conntrack_ftp       20480  3 nf_nat_ftp
nf_nat                 32768  3 nf_nat_ftp,nf_nat_ipv6,nf_nat_ipv4
nf_conntrack          155648  9 nf_conntrack_ipv6,nf_conntrack_ftp,nf_conntrack_ipv4,nf_nat_ftp,xt_CT,nf_nat_ipv6,xt_conntrack,nf_nat_ipv4,nf_nat

Note that nf_conntrack_ftp is supposed to support stateful packet inspection which means that the secondary PASV data ports should normally be closed but opened as needed for a particular client connection… So for instance you normally test for open ports unless the FTP connection is active.

If all of the above are configured correctly, then the firewall should support PASV FTP.

If you're still having problems, describe what FTP app you're using and the FTP client(s) used and, depending on the client, how it's being configured for PASV connections.

TSU

# lsmod | grep nf_nat_ftp
nf_nat_ftp             16384  0
nf_conntrack_ftp       20480  1 nf_nat_ftp
nf_nat                 32768  6 xt_nat,nf_nat_ftp,nf_nat_masquerade_ipv6,nf_nat_ipv6,nf_nat_masquerade_ipv4,nf_nat_ipv4
nf_conntrack          155648  15 xt_nat,nf_conntrack_ipv6,nf_conntrack_ftp,nf_conntrack_ipv4,ipt_MASQUERADE,nf_conntrack_broadcast,nf_nat_ftp,nf_nat_masquerade_ipv6,nf_conntrack_netbios_ns,nf_nat_ipv6,nf_nat_masquerade_ipv4,ip6t_MASQUERADE,xt_conntrack,nf_nat_ipv4,nf_nat

External.xml:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <interface name="eth3"/>
  <service name="ssh"/>
  <service name="dns"/>
  <service name="ftp"/>
  <service name="apache2"/>
  <service name="apache2-ssl"/>
  <service name="openvpn"/>
  <service name="svn"/>
  <port port="1956" protocol="tcp"/>
  <masquerade/>
  <rule family="ipv4">
    <source address="a.b.c.149"/>
    <destination address="192.168.168.5"/>
    <forward-port port="21" protocol="tcp" to-port="21"/>
    <log level="info"/>
  </rule>
  <rule family="ipv4">
    <source address="a.b.c.150"/>
    <destination address="192.168.168.6"/>
    <forward-port port="21" protocol="tcp" to-port="21"/>
    <log level="info"/>
  </rule>
  <rule family="ipv4">
    <source address="a.b.c.149"/>
    <destination address="192.168.168.5"/>
    <forward-port port="60000-60100" protocol="tcp" to-port="60000-60100" to-addr="192.168.168.5" />
    <log level="info"/>
  </rule>
  <rule family="ipv4">
    <source address="a.b.c.150"/>
    <destination address="192.168.168.6"/>
    <forward-port port="60000-60100" protocol="tcp" to-port="60000-60100" to-addr="192.168.168.6" />
    <log level="info"/>
  </rule>
</zone>

And I have no changes at all, I have "ftp: connect: Connection refused" from any client to the two different servers.
If I restart Susefirewall2 it works perfectly

If you need to-addr in one rule, you also need to-addr in another rule.

TY!!!

I was confused by “destination address” line and “to-addr” value. The manual is not clear about this. The destination address is the external public address where to send the packets, and to-addr is the internal address where packets are targeted.
Resolved this way:

<rule family="ipv4">
  <destination address="a.b.c.149"/>
  <forward-port port="21" protocol="tcp" to-port="21" to-addr="192.168.168.5"/>
</rule>
<rule family="ipv4">
  <destination address="a.b.c.149"/>
  <forward-port port="60000-60100" protocol="tcp" to-port="60000-60100" to-addr="192.168.168.5"/>
</rule>

<rule family="ipv4">
  <destination address="a.b.c.150"/>
  <forward-port port="21" protocol="tcp" to-port="21" to-addr="192.168.168.6"/>
</rule>
<rule family="ipv4">
  <destination address="a.b.c.150"/>
  <forward-port port="60000-60100" protocol="tcp" to-port="60000-60100" to-addr="192.168.168.6"/>
</rule>
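The mapping worked out in this thread (external public IP becomes the rich rule's "destination address", the internal server becomes "to-addr", the colon port range becomes a dash range, and masquerading has to be on for the zone) can be applied mechanically to the whole FW_FORWARD_MASQ variable from the first post. The converter below is an added example, not part of the thread and not a tool shipped by openSUSE or firewalld. It assumes the field layout used by the entries in this thread (6 fields: source_net,internal_ip,proto,port,to_port,external_ip; 5 fields: the same without to_port), and uses 203.0.113.x documentation addresses as constructed stand-ins for the post's a.b.c.x placeholders. It emits both the firewall-cmd rich-rule commands and the equivalent <rule> elements for a zone file such as external.xml.

```python
"""Convert SuSEfirewall2 FW_FORWARD_MASQ entries into firewalld rich rules.

Added example; the field layout below is an assumption taken from the two
entry shapes seen in the thread, not from SuSEfirewall2's own parser.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the thread's FW_FORWARD_MASQ variable;
# 203.0.113.x (RFC 5737 documentation space) stands in for the post's a.b.c.x.
FW_FORWARD_MASQ = """
0/0,192.168.168.6,tcp,21,21,203.0.113.150
0/0,192.168.168.6,tcp,60000:60100,203.0.113.150
0/0,192.168.168.5,tcp,21,21,203.0.113.149
0/0,192.168.168.5,tcp,60000:60100,203.0.113.149
"""

_PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


def parse_port(spec):
    """Turn '21' or '60000:60100' into firewalld's '21' / '60000-60100' form,
    rejecting anything outside 1..65535 or a reversed range."""
    m = _PORT_RE.match(spec)
    if not m:
        raise ValueError(f"bad port spec {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"port range out of order or out of range: {spec!r}")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def parse_entry(line):
    """Parse one FW_FORWARD_MASQ entry into a dict.

    Assumed layout (matches the two shapes in the thread):
      6 fields: source_net,internal_ip,proto,port,to_port,external_ip
      5 fields: source_net,internal_ip,proto,port,external_ip  (to_port = port)
    """
    f = [x.strip() for x in line.split(",")]
    if len(f) == 6:
        src, int_ip, proto, port, to_port, ext_ip = f
    elif len(f) == 5:
        src, int_ip, proto, port, ext_ip = f
        to_port = port
    else:
        raise ValueError(f"expected 5 or 6 fields, got {len(f)}: {line!r}")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    # Validate addresses here so a typo fails the conversion, not the firewall reload.
    ipaddress.ip_address(int_ip)
    ipaddress.ip_address(ext_ip)
    source = None if src in ("0/0", "0.0.0.0/0") else str(ipaddress.ip_network(src, strict=False))
    return {
        "source": source,          # None means "any source", i.e. no source element
        "destination": ext_ip,     # public address the packet is addressed to
        "protocol": proto,
        "port": parse_port(port),
        "to_port": parse_port(to_port),
        "to_addr": int_ip,         # internal server the packet is forwarded to
    }


def rich_rule(r):
    """Render one firewalld rich rule string (source before destination)."""
    parts = ['rule family="ipv4"']
    if r["source"]:
        parts.append(f'source address="{r["source"]}"')
    parts.append(f'destination address="{r["destination"]}"')
    parts.append(
        f'forward-port port="{r["port"]}" protocol="{r["protocol"]}" '
        f'to-port="{r["to_port"]}" to-addr="{r["to_addr"]}"'
    )
    return " ".join(parts)


def zone_rule_xml(r):
    """Same rule as a <rule> element for a zone file such as external.xml."""
    rule = ET.Element("rule", family="ipv4")
    if r["source"]:
        ET.SubElement(rule, "source", address=r["source"])
    ET.SubElement(rule, "destination", address=r["destination"])
    ET.SubElement(rule, "forward-port", port=r["port"], protocol=r["protocol"],
                  **{"to-port": r["to_port"], "to-addr": r["to_addr"]})
    return ET.tostring(rule, encoding="unicode")


def convert(text, zone="external"):
    """Emit the firewall-cmd commands for every entry. Masquerading is enabled
    on the zone first, as the earlier reply in the thread points out, because
    forwarding to another host needs it."""
    cmds = [f"firewall-cmd --permanent --zone={zone} --add-masquerade"]
    for line in text.splitlines():
        if line.strip():
            cmds.append(f"firewall-cmd --permanent --zone={zone} "
                        f"--add-rich-rule='{rich_rule(parse_entry(line))}'")
    cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    print("\n".join(convert(FW_FORWARD_MASQ)))
```

Run it once with the real variable pasted into FW_FORWARD_MASQ and review the printed commands before executing them; a "0/0" source is deliberately dropped rather than turned into a source element, since the first attempt in this thread failed precisely because the public address had been put into "source address" instead of "destination address".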