How to forward port using Dynamic Firewall Manager

Forward port (IPv4 only) using Dynamic Firewall Manager.

Let’s assume that we want to forward a port on the external interface to an address inside the internal network.

$ sudo firewall-cmd --get-active-zones
external
  interfaces: eth0
internal
  interfaces: eth1

Forward port 8080 on the external interface to port 80 at 172.16.0.2 inside the internal network.

$ sudo firewall-cmd --zone=external --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=172.16.0.2
success

List forwarded ports in the external zone.

$ sudo firewall-cmd --list-forward-ports --zone=external
port=8080:proto=tcp:toport=80:toaddr=172.16.0.2

Verify that the port forward is working as expected.

$ curl -I http://external:8080
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sat, 06 Nov 2021 16:23:34 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Sat, 06 Nov 2021 15:53:32 GMT
Connection: keep-alive
ETag: "6186a4fc-264"
Accept-Ranges: bytes

Make configuration permanent.

$ sudo firewall-cmd --runtime-to-permanent
success

Remove this specific forwarded port.

$ sudo firewall-cmd --zone=external --remove-forward-port=port=8080:proto=tcp:toport=80:toaddr=172.16.0.2
success

Make configuration permanent.

$ sudo firewall-cmd --runtime-to-permanent
success

You can also forward a port temporarily. Use s (seconds), m (minutes), or h (hours) as the time period unit.

$ sudo firewall-cmd --zone=external --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=172.16.0.2 --timeout=10m
success

It will be handled properly even if you make the configuration permanent in the meantime.
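An added helper script (my own, not part of the original post) that builds the forward-port spec string firewall-cmd expects, validates the port numbers, protocol and IPv4 address, and checks that a given forward appears in the output of --list-forward-ports; the list output below is constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers around the
# port=PORT:proto=PROTO:toport=PORT:toaddr=ADDR spec used by firewall-cmd.

# Build a spec such as port=8080:proto=tcp:toport=80:toaddr=172.16.0.2.
# Rejects protocols other than tcp/udp, ports outside 1-65535 and anything
# that is not a dotted-quad IPv4 address (forward-port is IPv4 only).
fw_spec() {
    port=$1; proto=$2; toport=$3; toaddr=$4
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    for p in "$port" "$toport"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    oldifs=$IFS; IFS=.; set -- $toaddr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    printf 'port=%s:proto=%s:toport=%s:toaddr=%s\n' \
        "$port" "$proto" "$toport" "$toaddr"
}

# Succeed only if the exact spec is one of the lines read on stdin
# (the format printed by `firewall-cmd --list-forward-ports`).
fw_listed() {
    grep -Fxq "$1"
}

# Add the forward in a zone (run as root, or prefix with sudo as the post
# does), then confirm that firewalld really lists it. Note that reaching an
# internal address also relies on masquerading, which the external zone
# enables by default; other zones may need --add-masquerade.
fw_forward_add() {
    zone=$1
    spec=$(fw_spec "$2" "$3" "$4" "$5") || return 1
    firewall-cmd --zone="$zone" --add-forward-port="$spec" >/dev/null || return 1
    firewall-cmd --list-forward-ports --zone="$zone" | fw_listed "$spec"
}

# Constructed sample of `firewall-cmd --list-forward-ports --zone=external`.
SAMPLE_LIST='port=8080:proto=tcp:toport=80:toaddr=172.16.0.2
port=2222:proto=tcp:toport=22:toaddr=172.16.0.3'
```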

Additional notes

Use a rich language rule if you need to restrict the forward to a specific destination address, that is, the address the client connects to.

$ sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="172.16.1.1" forward-port port="80" protocol="tcp" to-port="80" to-addr="172.16.0.2"'
success
$ sudo firewall-cmd --list-rich-rules --zone=public
rule family="ipv4" destination address="172.16.1.1" forward-port port="80" protocol="tcp" to-port="80" to-addr="172.16.0.2"

Make configuration permanent if required.