
I'm trying to configure a simple test environment with 3 machines:

  • One Kali to simulate the internet: IP = 10.99.0.2
  • One CentOS that acts as a firewall using firewalld: IPs = 10.99.0.1, 10.4.1.1
  • One CentOS that acts as a web server using httpd: IP = 10.4.1.2

A small representation of the environment:

|Kali|------------------(ens160) |Firewalld| (ens192)------------------- |Web Server|
10.99.0.2                    10.99.0.1 | 10.4.1.1                             10.4.1.2

I can ping 10.4.1.2 from 10.99.0.2, but when firewalld is activated I can't get the default web page on 10.4.1.2 from 10.99.0.2.

I tried to do a tcpdump on the FW. I can see the HTTP request going from Kali to firewalld, but then firewalld responds with an ICMP packet: ICMP host 10.4.1.2 unreachable - admin prohibited. As far as I understand, this ICMP message is sent from the FW if the request is blocked.

Here is the configuration of the two zones : public and dmz

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: http https
  ports: 443/tcp 80/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
        rule service name="https" log level="info"
        rule service name="http" log level="info"

dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 10.4.1.2
  services: http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

(The 2 rich rules were an attempt to log the blocked connections on the firewall.)

1 Answer

You think about firewalld too simply. It is blocking your access from Kali to the webserver because you are not allowing anything to go to it. For example, you haven't added your ens192 NIC to any of the zones. Here is what I would have done if I were you:

Firstly, put your ens160 interface into the zone called external. Public is misleading in my opinion. From the webserver's point of view, Kali is an external network. If your firewall has no other purpose than forwarding the incoming traffic from Kali to the webserver, then just put the interface into external. Make sure you allow only the services HTTP, HTTPS and SSH on external. Also, masquerade needs to be enabled.

Secondly, you have to set up the internal interface. DMZ is used if you have another network managed by your firewall where you don't want guests or others to enter. Like our guest WiFi, that is served in the DMZ firewall zone. For your setup I would put it into internal or trusted. For maximal security, delete every service and add back only SSH, HTTP and HTTPS. Also, it is very important to add masquerade: yes again.

The third step will be to forward every HTTP and HTTPS traffic to your webserver. You have 2 choices here.

  • The less professional one is to forward every incoming traffic from your external interface's port 80 to the internal one's port 80. This would make your firewall pretty much meaningless.
  • The other is to set up a proxy forwarding server on it. That way it would be more professional and secure. Just simply install NginX (webserver) and set up your config file to forward all incoming traffic to your webserver's IP address.

Please keep in mind, having a firewall server between Kali and the webserver, you will never-ever be able to ping from Kali to the webserver, simply because ping won't be allowed to go over the firewall. This is normal behaviour and you shouldn't change it.

Here are the commands you might need:

  • firewall-cmd --zone=external --change-interface=ens160
  • firewall-cmd --zone=external --add-service=http
  • firewall-cmd --zone=external --add-service=https
  • firewall-cmd --zone=external --add-service=ssh
  • firewall-cmd --zone=external --add-masquerade
  • firewall-cmd --zone=trusted --change-interface=ens192
  • firewall-cmd --zone=trusted --add-service=http
  • firewall-cmd --zone=trusted --add-service=https
  • firewall-cmd --zone=trusted --add-service=ssh
  • firewall-cmd --zone=trusted --add-masquerade
  • firewall-cmd --runtime-to-permanent

If you decide to install NginX, just do the following:

  • mkdir /etc/nginx/sites-available /etc/nginx/sites-enabled
  • vim /etc/nginx/sites-available/com.website.your.conf

    server {
      server_name your.website.com;
      listen 80;

      # Hand every request to the web server behind the firewall,
      # keeping the original Host header so virtual hosts still match.
      location / {
          proxy_pass          http://10.4.1.2$request_uri;
          proxy_set_header    Host $host;
      }
    }

  • ln -s /etc/nginx/sites-available/com.website.your.conf /etc/nginx/sites-enabled
  • vim /etc/nginx/nginx.conf

    #include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;

  • systemctl restart nginx

I think this should be working for you. If not, report back in a comment and I'll help you. This is only what just popped out of my head about your question.

Bert
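As an added example, not part of the question or of Bert's answer: a small Python audit that parses the zone dump format shown in the question (the output of firewall-cmd --list-all-zones) and reports the gaps the answer points at, an interface bound to no zone and no forward-port rule toward the web server. Both dumps are constructed for the example; the interface names and the 10.4.1.2 address come from the question, and the FIXED dump reflects the answer's first option (a forward-port rule).

```python
# Added example (not from the question or the answer): audit a firewall-cmd
# --list-all-zones dump for the forwarding gaps discussed above; dumps are constructed.
BROKEN = """\
public (active)
  interfaces: ens160
  forward-ports:
  rich rules:
        rule service name="http" log level="info"

dmz (active)
  interfaces:
  sources: 10.4.1.2
  forward-ports:
"""
FIXED = """\
external (active)
  interfaces: ens160
  forward-ports: port=80:proto=tcp:toport=80:toaddr=10.4.1.2

trusted (active)
  interfaces: ens192
  forward-ports:
"""

def parse_zones(text):
    """Return {zone: {key: [tokens]}} from firewall-cmd --list-all(-zones) output."""
    zones, zone, key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                       # zone header, e.g. "public (active)"
            zone = line.split()[0]
            zones[zone] = {}
        elif indent == 2:                     # "  key: value value ..."
            key, _, value = line.strip().partition(":")
            zones[zone][key] = value.split()
        elif zone and key:                    # deeper indent: a rich rule line
            zones[zone][key].append(line.strip())
    return zones

def audit(zones, ifaces, backend):
    """Findings that explain a two-NIC firewalld host rejecting forwarded HTTP."""
    bound = {i for z in zones.values() for i in z.get("interfaces", [])}
    findings = [f"{i} is not bound to any zone" for i in ifaces if i not in bound]
    fwd = [p for z in zones.values() for p in z.get("forward-ports", [])]
    if not any(p.endswith(f"toaddr={backend}") for p in fwd):
        findings.append(f"no forward-port rule sends traffic to {backend}")
    return findings
```

Run audit(parse_zones(BROKEN), ("ens160", "ens192"), "10.4.1.2") against a dump captured on the firewall host to get the two findings; the same call on FIXED returns an empty list.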