I tried this, but it's only a partial answer or not right for CentOS 7. https://serverfault.com/a/320624/439512
I did exactly what it says but it's not right.
$ sudo iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
$ sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
$ curl localhost
curl: (7) Failed connect to localhost:80; Connection refused
$ curl localhost:8080
<html>...</html>
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
These two commands will work temporarily but not after restart:
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
If you try to save it like this guy says it'll completely break and it won't even work temporarily:
$ sudo systemctl enable iptables
$ sudo service iptables save
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
$ sudo iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
$ sudo service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Does anyone have a working example on how to do this?
Use the following command and post the error if you have any trouble.
Make sure the port is allowed and open in iptables and then:
"--permanent" is for firewalld, not for iptables. It's a typo.
Kindly list the error after executing the following cmd. It worked for me.
Open file : vim /etc/sysconfig/iptables
Add the lines below:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
COMMIT
*nat
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT
After adding the lines, save the file and restart the service:
iptables-save
systemctl restart iptables -> RHEL 7
service iptables restart -> RHEL 6
Check the traffic using the commands below:
iptables -t nat -L -n
ss -tulnp
Notes: the scenarios are as follows:
1. (Network A or Machine A) --8080--> INTERNAL --80--> (Network B or Machine B)
2. (Network B or Machine B) <--8080-- INTERNAL <--80-- (Network A or Machine A)
Try troubleshooting from outside using a URL, because the rules you have already added to iptables may conflict, and iptables is a very complicated program in comparison to modern firewall applications.
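The question's two problems (the redirect only holding until a restart, and `service iptables save` wiping the rules) and this answer's procedure (write the rules straight into /etc/sysconfig/iptables in iptables-restore format) are both covered by the following added example. It is not code from the thread or from the iptables-services package: it assumes the asker's goal of accepting ports 80 and 8080 on eth0, redirecting incoming port 80 to 8080, and redirecting local 127.0.0.1:80 to 8080 so that `curl localhost` works too. The function names, the default interface and ports are my own choices.

```shell
# Added example: generate a complete /etc/sysconfig/iptables (iptables-restore format)
# for the CentOS 7 iptables-services package. Assumptions: interface eth0, public
# port 80, service listening on 8080. Function names are made up for this example.

write_redirect_rules() {
    out="$1"               # file to write; /etc/sysconfig/iptables on the real host
    iface="${2:-eth0}"
    from_port="${3:-80}"
    to_port="${4:-8080}"
    cat > "$out" <<EOF
# Written by write_redirect_rules; loaded by 'systemctl restart iptables'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Both the public port and the real listening port must be accepted in the filter table
-A INPUT -i ${iface} -p tcp --dport ${from_port} -j ACCEPT
-A INPUT -i ${iface} -p tcp --dport ${to_port} -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Packets arriving from the network: ${from_port} -> ${to_port}
-A PREROUTING -i ${iface} -p tcp --dport ${from_port} -j REDIRECT --to-ports ${to_port}
# Locally generated packets to 127.0.0.1 never traverse PREROUTING; they need nat OUTPUT
-A OUTPUT -p tcp -d 127.0.0.1 --dport ${from_port} -j REDIRECT --to-ports ${to_port}
COMMIT
EOF
}

# Sanity-check the generated file before handing it to iptables-restore:
# both tables present, exactly two COMMITs, and both REDIRECT rules in place.
check_redirect_rules() {
    f="$1"
    grep -q '^\*filter$' "$f" || return 1
    grep -q '^\*nat$' "$f" || return 1
    [ "$(grep -c '^COMMIT$' "$f")" -eq 2 ] || return 1
    grep -q -- '^-A PREROUTING .* -j REDIRECT --to-ports ' "$f" || return 1
    grep -q -- '^-A OUTPUT -p tcp -d 127.0.0.1 .* -j REDIRECT --to-ports ' "$f" || return 1
    return 0
}

# Usage on the CentOS 7 host (as root, with firewalld stopped and masked so the
# two front ends do not fight over the same tables):
#   write_redirect_rules /etc/sysconfig/iptables eth0 80 8080
#   iptables-restore --test < /etc/sysconfig/iptables   # parse only, nothing is applied
#   systemctl enable iptables && systemctl restart iptables
#   iptables -t nat -L -n -v                              # plain 'iptables -L' never shows nat
#   curl -sI localhost | head -n 1
```

Two details explain the symptoms in the question: `iptables -L` only lists the filter table, so the nat REDIRECT rules are invisible there even when they are loaded (use `-t nat`), and `curl localhost` needs the nat OUTPUT rule because loopback traffic skips PREROUTING entirely. Running `iptables-restore --test` on the file first catches a malformed line before a restart leaves you with an empty ruleset.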
Use the following command on CentOS 7 :
Change your zone, port and ip-address accordingly.