Forward port (IPv4 only) using Dynamic Firewall Manager.
Let's assume that we want to forward a port on the external interface to an address inside the internal network. First check which interfaces belong to which zone.
$ sudo firewall-cmd --get-active-zones
external
  interfaces: eth0
internal
  interfaces: eth1
Forward TCP port 8080 on the external interface to port 80 of 172.16.0.2, an address inside the internal network.
$ sudo firewall-cmd --zone=external --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=172.16.0.2
success
List the forwarded ports in the external zone.
$ sudo firewall-cmd --list-forward-ports --zone=external
port=8080:proto=tcp:toport=80:toaddr=172.16.0.2
Verify that the port forward is working as expected.
$ curl -I http://external:8080
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sat, 06 Nov 2021 16:23:34 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Sat, 06 Nov 2021 15:53:32 GMT
Connection: keep-alive
ETag: "6186a4fc-264"
Accept-Ranges: bytes
Make the configuration permanent.
$ sudo firewall-cmd --runtime-to-permanent
success
Remove this specific forwarded port.
$ sudo firewall-cmd --zone=external --remove-forward-port=port=8080:proto=tcp:toport=80:toaddr=172.16.0.2
success
Make the configuration permanent.
$ sudo firewall-cmd --runtime-to-permanent
success
You can also forward a port temporarily. Use s (seconds), m (minutes), or h (hours) as the time period unit.
$ sudo firewall-cmd --zone=external --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=172.16.0.2 --timeout=10m
success
A forward with a timeout is handled properly even when you make the configuration permanent in the meantime.
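As an added example (not part of the original post), a small POSIX shell helper that builds a validated forward-port spec in the form firewall-cmd expects and summarizes the output of --list-forward-ports so the forwarded ports on a host can be inventoried; the function names and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds and validates a firewall-cmd
# forward-port spec, and summarizes --list-forward-ports output for auditing.

# Build "port=P:proto=PROTO:toport=TP:toaddr=ADDR", refusing malformed input.
# Usage: build_forward_spec PORT PROTO TOPORT TOADDR
build_forward_spec() {
  port=$1; proto=$2; toport=$3; toaddr=$4
  case $proto in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
  for p in "$port" "$toport"; do
    case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
  done
  # IPv4 dotted quad only; the post covers IPv4 forwarding.
  echo "$toaddr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    || { echo "bad addr: $toaddr" >&2; return 1; }
  printf 'port=%s:proto=%s:toport=%s:toaddr=%s\n' "$port" "$proto" "$toport" "$toaddr"
}

# Constructed sample of `firewall-cmd --list-forward-ports --zone=external` output.
SAMPLE_FORWARDS='port=8080:proto=tcp:toport=80:toaddr=172.16.0.2
port=2222:proto=tcp:toport=22:toaddr=172.16.0.3
port=53:proto=udp:toport=53:toaddr='

# Read forward-port specs on stdin, print one "PORT/PROTO -> ADDR:TOPORT" line
# each; an empty toaddr is a redirect to the firewall host itself ("local").
summarize_forwards() {
  while IFS= read -r spec; do
    [ -n "$spec" ] || continue
    port=${spec#port=};     port=${port%%:*}
    proto=${spec#*:proto=}; proto=${proto%%:*}
    toport=${spec#*:toport=}; toport=${toport%%:*}
    toaddr=${spec#*:toaddr=}
    printf '%s/%s -> %s:%s\n' "$port" "$proto" "${toaddr:-local}" "$toport"
  done
}

# Summarize the constructed sample (on a real host, pipe firewall-cmd output instead).
audit_sample() {
  printf '%s\n' "$SAMPLE_FORWARDS" | summarize_forwards
}
```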
Additional notes
Use a rich language rule if you need to restrict the forward to a specific destination address, that is, the address the client connects to.
$ sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="172.16.1.1" forward-port port="80" protocol="tcp" to-port="80" to-addr="172.16.0.2"'
success
$ sudo firewall-cmd --list-rich-rules --zone=public
rule family="ipv4" destination address="172.16.1.1" forward-port port="80" protocol="tcp" to-port="80" to-addr="172.16.0.2"
Make the configuration permanent if required.