I would like to ask a question regarding the forward-port rule for firewalld.
The OS I am using is CentOS Linux release 7.3.1611 (Core).
My Goal
Forward requests to httpd listening on 127.0.0.1:80
[root@development /]# netstat -atunp | grep httpd
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 2601/httpd
Problem
I have set a firewalld rule as below.
[root@development /]# firewall-cmd --list-all --zone=external
external (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
sourceports:
icmp-blocks:
rich rules:
rule family="ipv4" forward-port port="8080" protocol="tcp" to-port="80"
However, if I send a request from an external host, firewalld rejects the request to port 8080.
In this case,
192.168.11.2 (client) -------> 192.168.11.13 (8080)
[root@dellinspiron13z asset]# curl -XGET 192.168.11.13:8080
curl: (7) Failed to connect to 192.168.11.13 port 8080: Connection refused
If the process is running on 0.0.0.0:80, it works perfectly.
Is there any way to redirect requests to a localhost port?
This is how it is done:
firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p tcp -o lo --dport 8080 -j REDIRECT --to-ports 80
You have to change route_localnet in sysctl on the interface with address 92.168.11.13, or for 'all' if you are lazy.
By a lucky coincidence I have a fresh CentOS of the same version, so by default this knob is disabled.
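As an added example (not part of the question or of the answer above), here is the same goal reached with firewalld's own rich rule rather than a direct rule: the forward gets a `to-addr="127.0.0.1"` so the DNAT actually points at the loopback-bound httpd, and the `route_localnet` knob is enabled only on the ingress interface so that the kernel accepts routing those packets to 127.0.0.0/8. Zone `external`, interface `eth0` and the ports are assumptions taken from the question and can be overridden through environment variables; the `check` mode reports the case where the rule targets loopback but the knob is still 0, which is the silent-drop configuration, and `apply` is the only mode that touches the system.

```sh
#!/bin/sh
# Added example (not from the original question or answer): forward external
# TCP/8080 to httpd bound on 127.0.0.1:80 using a firewalld rich rule plus
# the route_localnet sysctl. Assumptions: zone "external", interface eth0,
# iptables-backed firewalld as on CentOS 7. All four values are overridable.
ZONE="${ZONE:-external}"
IFACE="${IFACE:-eth0}"
EXT_PORT="${EXT_PORT:-8080}"
LOCAL_PORT="${LOCAL_PORT:-80}"

# Render the rich rule. The difference from the question's rule is to-addr:
# without it DNAT rewrites only the port, so the packet is delivered to the
# host's own eth0 address, where nothing listens -> "Connection refused".
forward_rule() {
    printf 'rule family="ipv4" forward-port port="%s" protocol="tcp" to-port="%s" to-addr="127.0.0.1"\n' "$1" "$2"
}

# Sysctl key that allows packets arriving on the given interface to be
# routed to 127.0.0.0/8 (otherwise they are martians and are dropped).
route_localnet_key() {
    printf 'net.ipv4.conf.%s.route_localnet\n' "$1"
}

# True (exit 0) when the rule DNATs to loopback but the knob is still 0:
# the forward is installed yet the traffic never reaches httpd.
forward_to_loopback_unroutable() {
    rule="$1"; knob="$2"
    case "$rule" in
        *'to-addr="127.'*) [ "$knob" = "0" ] ;;
        *) return 1 ;;
    esac
}

# Live value of the knob for an interface; empty if sysctl is unavailable.
current_route_localnet() {
    sysctl -n "$(route_localnet_key "$1")" 2>/dev/null || true
}

# Persist and activate the knob, then add the forward to the external zone only.
apply() {
    key="$(route_localnet_key "$IFACE")"
    printf '%s = 1\n' "$key" > /etc/sysctl.d/90-route-localnet.conf
    sysctl -w "$key=1"
    firewall-cmd --permanent --zone="$ZONE" \
        --add-rich-rule="$(forward_rule "$EXT_PORT" "$LOCAL_PORT")"
    firewall-cmd --reload
    firewall-cmd --zone="$ZONE" --list-rich-rules
}

# Report whether the intended forward would be deliverable on this host.
check() {
    rule="$(forward_rule "$EXT_PORT" "$LOCAL_PORT")"
    knob="$(current_route_localnet "$IFACE")"
    if forward_to_loopback_unroutable "$rule" "${knob:-0}"; then
        echo "route_localnet is 0 on $IFACE: forwards to 127.0.0.1 will be dropped" >&2
        return 1
    fi
    echo "ok: $(route_localnet_key "$IFACE")=$knob"
}

case "${1:-}" in
    apply) apply ;;
    check) check ;;
    *) ;;
esac
```

Run it as `sh forward-local.sh check` before and after `sh forward-local.sh apply`; keeping the knob scoped to eth0 rather than `all` means only traffic that the zone rule explicitly forwards can ever be steered at the loopback range, while httpd itself stays bound to 127.0.0.1.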