I'm learning about iptables, firewalling, routing and so on. I'm on Linux, CentOS 7, and I've set up a local port forwarding to localhost with:

firewall-cmd --add-forward-port=port=2023:proto=tcp:toport=22

It is working as expected when trying from another machine. Locally, it is not visible. I've tried with netstat and ss, nmap, lsof and nc. Nothing: all of them "see" everything except the 2023, even if it is currently forwarding an ssh session. After much reading, here on stackexchange I found a way to make it visible locally (from iptables: redirect local request with NAT), but actually that is not a solution, it just made me understand why it is not visible locally, but I really would like to know if there is a way to check it locally. Or is the remote connection the only option?

Thank you :)

Edit: The setup of the test machine is easy, just execute the firewall-cmd line I wrote in this question. No other rules added. Then test it with ssh (or nmap) from outside: works. Check it from localhost itself: both ssh and nmap give connection refused.

Edit2: Sorry, I wrote the firewall-cmd line incorrectly with a :toaddr=127.0.0.1 at the end, fixed.

nnsense
  • Can you show us the actual iptables rules that this command has set up? `iptables -t filter -L -n`, `iptables -t nat -L -n`, `iptables -t mangle -L -n` – Josip Rodin Jun 23 '15 at 09:21
  • ...the objective being to see if it edited the `OUTPUT` chains. – Josip Rodin Jun 23 '15 at 09:22
  • I've put an answer but was from the wrong pc ;) These are the right results: [iptables -t filter -L -n](http://pastebin.com/hsvDPnTJ), [iptables -t nat -L -n](http://pastebin.com/Rw7ebnnu), [iptables -t mangle -L -n](http://pastebin.com/a9Q6WqWF). – nnsense Jun 23 '15 at 13:49
  • Looks like it didn't, yet there's an intricate layout for other things. Have you consulted a manual for this `firewall-cmd`, does it have a provision for editing OUTPUT, whether through another switch or manually in the right place (where it won't override it)? – Josip Rodin Jun 23 '15 at 18:48

1 Answer

On the local machine, use the IP of the interface in your test. For example, if the IP is 10.10.10.10:

telnet 10.10.10.10 2023
rocky
  • Exactly like all the other tools, telnet sees 10.10.10.10 as a local address, so it's always a "Connection refused" as with localhost or 127.0.0.1. It makes perfect sense thinking about how netfilter is working. What I'm looking for is probably a tool, or an option of a tool already tried, that actually sees the forwarding as if it were checking from outside. Or maybe just give up and accept it is impossible to probe from localhost :D – nnsense Jun 23 '15 at 08:21
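The question and the answer's comment both run into the same netfilter fact: a locally generated packet, whatever local address it is sent to (127.0.0.1 or the interface IP), passes through the nat table's OUTPUT chain and never through PREROUTING, which is where firewalld places forward-port DNAT rules. So a local probe cannot observe the forward; what you can do locally is verify the rule set itself. The script below is an added example and is not code from the question, the answer, or firewalld. It parses `iptables-save`-style text and reports whether a DNAT rule for a given TCP port is reachable from PREROUTING (covers traffic arriving on an interface) and from OUTPUT (covers locally generated traffic), following firewalld's nested user chains. The embedded rule set is constructed to resemble firewalld's CentOS 7 layout for the command in the question; the chain names are an approximation, not captured output. On a live box you would feed it `iptables-save -t nat` instead.

```shell
#!/bin/sh
# Reports, for a TCP port, whether a nat-table DNAT rule for it is reachable
# from PREROUTING (inbound traffic) and from OUTPUT (locally generated traffic).
# Only the OUTPUT path is traversed by a probe run on the box itself.

# Constructed sample resembling what firewalld on CentOS 7 builds for
# `firewall-cmd --add-forward-port=port=2023:proto=tcp:toport=22`.
# Chain names are approximate; this is not captured output.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_allow
-A PRE_public_allow -p tcp -m tcp --dport 2023 -j DNAT --to-destination :22
COMMIT'

# Constructed variant with an extra DNAT in the OUTPUT path (the kind of rule
# the "redirect local request with NAT" approach adds); hypothetical.
SAMPLE_NAT_LOCAL="$SAMPLE_NAT
-A OUTPUT_direct -o lo -p tcp -m tcp --dport 2023 -j DNAT --to-destination :22"

# dnat_paths PORT  (rule set on stdin)
# Prints: PREROUTING=yes|no OUTPUT=yes|no
dnat_paths() {
    awk -v port="$1" '
    /^\*/ { table = substr($1, 2); next }        # "*nat" selects the table
    table != "nat" || $1 != "-A" { next }         # only nat-table append rules
    {
        chain = $2; target = ""; dport = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-j" || $i == "-g") target = $(i + 1)   # jump or goto
            if ($i == "--dport") dport = $(i + 1)
        }
        if (target == "DNAT" && dport == port) dnat[chain] = 1
        else if (target != "") edge[chain, target] = 1         # chain graph
    }
    # Depth-first search: is a matching DNAT reachable from chain "from"?
    function reach(from,    k, parts) {
        if (seen[from]) return 0
        seen[from] = 1
        if (dnat[from]) return 1
        for (k in edge) {
            split(k, parts, SUBSEP)
            if (parts[1] == from && reach(parts[2])) return 1
        }
        return 0
    }
    END {
        split("", seen); pre = reach("PREROUTING")
        split("", seen); out = reach("OUTPUT")
        printf "PREROUTING=%s OUTPUT=%s\n", pre ? "yes" : "no", out ? "yes" : "no"
    }'
}

# check_port PORT RULESET_TEXT -> same one-line report, for callers with a string
check_port() {
    printf '%s\n' "$2" | dnat_paths "$1"
}

# Stand-alone demonstration on the constructed samples.
printf 'firewalld forward-port only: %s\n' "$(check_port 2023 "$SAMPLE_NAT")"
printf 'with OUTPUT DNAT added:      %s\n' "$(check_port 2023 "$SAMPLE_NAT_LOCAL")"
```

The first report shows the forward exists but only on the inbound path, which is exactly why every local tool in the question reports "Connection refused"; the second shows what a local DNAT would add. Reading the rules this way is also the check a reviewer wants before trusting a host-local probe as evidence that a forward is or is not exposed.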