Firewalld: setting up port forwarding of ports 80/443 blocks internet access for client
by iacchi from LinuxQuestions.org
I'm new to networking at this level of complexity and this might be a stupid question, so sorry in advance. For reasons, I have a NAS (Synology) with ethernet only which I cannot connect to the wired network of the place where I work (IT won't allow it), so I'm setting up a Raspberry Pi (with Raspbian) to act as a router/internet connection sharing device to bring the NAS on the network via wifi. This is the setup:
workplace(wifi) <---> rpi(wifi, dhcp)---rpi(dhcp server, firewalld)---rpi(ethernet) <---> nas(ethernet, dhcp)
I have managed to configure both wifi and ethernet connections properly, set up the dhcp server properly (on eth0), and enable masquerading on firewalld so that the NAS can get to the internet. The NAS is supposed to host, among other things, a web server, so I need to forward ports 80 and 443 directly to the NAS. Here is where my problems start. As soon as I forward port 80 this way:
Code:
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=80:toaddr=NAS_IP
The NAS webserver is visible from other machines in the workplace network, but the NAS itself doesn't have internet access anymore, as any http request is redirected to its own webserver, rather than the internet. If I remove the port forward the connectivity comes back, but of course I cannot access the webserver anymore. This is my current firewalld configuration: https://pastebin.com/2CmkNxSB (notice that wlan0 is inside the public zone, while eth0 is inside the trusted zone; in this configuration ports 80 and 443 are not forwarded, but when it's in place the forward would go together with all the others in the public zone)
I know that an easy solution would be to move the webserver to a different port, but I really want to keep it on port 80 to make things easy for the users. I've read this bug report that looks like the issue I'm having, but it also looks like it's been solved already (although the version installed on the system is 0.6.3, so I'm not entirely sure about that). I would like to know if this is a bug in the program, or if I've just been dumb with my configuration. I've also tried to update firewalld to version 0.8.3 from the Debian testing repos, but although the install succeeds after installing all the right dependencies, the service won't start.
Thanks in advance for any help provided.
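The symptom described above (the NAS's own outbound port-80 traffic being redirected back to the NAS) is what a DNAT rule produces when packets arriving on the LAN-side interface can reach it, so the useful check is which interfaces firewalld's zone dispatch actually lets through to the forward-port rule. The walker below is an added example, my code rather than the poster's or firewalld's: it reads `iptables -t nat -S` output (it assumes firewalld is running its iptables backend), follows a packet arriving on one interface through `-i` matches, `-j` calls and `-g` gotos, and lists the DNAT rules that packet could hit. Chain names follow firewalld's layout, but the listing, the 192.168.4.10 address and the eth0 zone binding are constructed, not taken from the poster's pastebin.

```python
"""Added example: walk `iptables -t nat -S` output (firewalld's iptables backend)
and list the DNAT rules a packet arriving on one interface can reach. Chain names
follow firewalld's layout; the listing, address and eth0 binding are constructed."""
from collections import defaultdict

DNAT_RULE = ("-A PRE_public_allow -p tcp -m tcp --dport 80"
             " -j DNAT --to-destination 192.168.4.10:80")
# eth0 bound to no zone: its packets fall through to the default-zone catch-all.
LAN_UNBOUND = "\n".join([
    "-A PREROUTING -j PREROUTING_ZONES",
    "-A PREROUTING_ZONES -i wlan0 -g PRE_public",
    "-A PREROUTING_ZONES -g PRE_public",          # default-zone catch-all
    "-A PRE_public -j PRE_public_allow",
    DNAT_RULE,
]) + "\n"
# Same ruleset with eth0 dispatched (goto, so no fall-through) to trusted.
LAN_BOUND = LAN_UNBOUND.replace(
    "-A PREROUTING_ZONES -i wlan0",
    "-A PREROUTING_ZONES -i eth0 -g PRE_trusted\n-A PREROUTING_ZONES -i wlan0")

def parse(listing):
    """Chain name -> ordered rules as (iface or None, target, verb, text)."""
    chains = defaultdict(list)
    for line in listing.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A":
            continue
        iface = tok[tok.index("-i") + 1] if "-i" in tok else None
        verb = "-g" if "-g" in tok else "-j"
        target = tok[tok.index(verb) + 1] if verb in tok else None
        chains[tok[1]].append((iface, target, verb, line))
    return chains

def dnats_reachable(chains, iface, chain="PREROUTING", hits=None):
    """DNAT rules a packet arriving on `iface` could hit, walking from `chain`.
    Only -i is evaluated; port/protocol matches are assumed to possibly match."""
    hits = [] if hits is None else hits
    for rule_iface, target, verb, text in chains.get(chain, ()):
        if rule_iface not in (None, iface):
            continue                      # -i rules this packet out
        if target == "DNAT":
            hits.append(text)
        elif target == "RETURN":
            break                         # back to the calling chain
        elif verb == "-g" or target in chains:
            dnats_reachable(chains, iface, target, hits)
            if verb == "-g":              # goto: the rest of this chain is skipped
                break
    return hits
```

On the router itself, feed it the live listing, for example `dnats_reachable(parse(subprocess.check_output(["iptables", "-t", "nat", "-S"], text=True)), "eth0")`; an empty result for the LAN-side interface means the forward-port cannot catch the NAS's own traffic as far as interface dispatch goes, while a hit means that interface is reaching the forward and its zone binding deserves a closer look.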