Firewalld: forward local traffic to remote host

Hello! I wanted to configure port forwarding on my Fedora 38 KDE.
I use this config:

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --zone=public --add-masquerade
sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8443:toaddr=192.168.0.174
sudo firewall-cmd --runtime-to-permanent

I know FedoraWorkstation is the default zone. But I checked and changed a few zones, and no zone is working. The same config on an Alma Linux server works and forwards traffic to a Debian server. What am I doing wrong?

Check the output:

sudo firewall-cmd --get-active-zones
sudo firewall-cmd --get-default-zone
sudo firewall-cmd --info-zone=public

sudo firewall-cmd --get-active-zones:
FedoraWorkstation
interfaces: wlp1s0
sudo firewall-cmd --get-default-zone:
FedoraWorkstation
sudo firewall-cmd --info-zone=public:
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Because FedoraWorkstation is the default zone, I'm setting it. But I configured public, trusted and other zones earlier and didn't get a result. I also set them as default. Right now the FedoraWorkstation zone:
FedoraWorkstation (active)
target: default
icmp-block-inversion: no
interfaces: wlp1s0
sources:
services: dhcpv6-client samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp
protocols:
forward: yes
masquerade: yes
forward-ports:
port=80:proto=tcp:toport=8443:toaddr=192.168.0.174
source-ports:
icmp-blocks:
rich rules:

Try testing the connection from outside while running tcpdump on Fedora:

sudo tcpdump -evnni any tcp port 80 or tcp port 8443

I reinstalled Fedora Workstation. I don't know what happened in my system, but everything is working now. Only localhost or myip:80 on the system where firewalld is set is not working. How can I change this? I checked other threads but found no solutions for remote forwarding. Is that possible?

It is possible, but not trivial:

sudo tee /etc/sysctl.d/00-custom.conf << EOF > /dev/null
net.ipv4.conf.all.route_localnet = 1
EOF
sudo systemctl restart systemd-sysctl.service
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 \
    -m addrtype --src-type LOCAL --dst-type LOCAL \
    -p tcp --dport 80 -j DNAT --to-destination 192.168.0.174:8443
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 \
    -m addrtype --src-type LOCAL --dst-type UNICAST -j MASQUERADE
sudo firewall-cmd --reload

linux - iptables redirect local connections to remote system / port - Server Fault
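An added preflight check, not part of the thread and not a firewalld tool, for the recipe in the answer above. It does not call firewalld itself: you hand it the current `route_localnet` value and the text from `firewall-cmd --direct --get-all-rules` (assumed to print one rule per line as `ipv4 nat OUTPUT 0 ...`), and it reports which of the three pieces (the sysctl, the nat OUTPUT DNAT limited to locally addressed traffic, the nat POSTROUTING MASQUERADE) is missing. The function name, the sample rule text and the `DEST` argument are this example's own choices.

```shell
#!/bin/sh
# Added example: verify the pieces the localhost-to-remote DNAT recipe needs.
# Nothing here talks to firewalld; inputs are passed in so the check can also
# be run against saved output.

# check_local_redirect ROUTE_LOCALNET DEST RULES
#   ROUTE_LOCALNET : value of net.ipv4.conf.all.route_localnet ("0" or "1")
#   DEST           : expected DNAT target, e.g. 192.168.0.174:8443
#   RULES          : text from `firewall-cmd --direct --get-all-rules`
# Prints one line per missing piece and returns the number of missing pieces
# (0 means the recipe is fully in place).
check_local_redirect() {
    route_localnet=$(printf '%s' "$1" | tr -d '[:space:]')
    dest=$2
    rules=$3
    missing=0
    # Escape dots so the destination is matched literally by grep.
    dest_re=$(printf '%s' "$dest" | sed 's/\./\\./g')

    # 1. Without route_localnet the kernel drops the DNATed packet, whose
    #    source is still 127.0.0.1, as a martian before it reaches the NIC.
    if [ "$route_localnet" != 1 ]; then
        echo "missing: net.ipv4.conf.all.route_localnet=1"
        missing=$((missing + 1))
    fi

    # 2. The DNAT must live in nat OUTPUT and be restricted to locally
    #    addressed traffic (--dst-type LOCAL), so only connections to this
    #    host's own addresses are rewritten, never traffic from other hosts.
    if ! printf '%s\n' "$rules" | grep -q -- \
        "^ipv4 nat OUTPUT [0-9][0-9]* .*--dst-type LOCAL .*-j DNAT --to-destination $dest_re\$"; then
        echo "missing: nat OUTPUT DNAT rule for locally addressed traffic -> $dest"
        missing=$((missing + 1))
    fi

    # 3. MASQUERADE in nat POSTROUTING replaces the 127.0.0.1 source with the
    #    outgoing interface address so the remote host can reply.
    if ! printf '%s\n' "$rules" | grep -q -- \
        '^ipv4 nat POSTROUTING [0-9][0-9]* .*--src-type LOCAL .*-j MASQUERADE'; then
        echo "missing: nat POSTROUTING MASQUERADE rule for locally sourced traffic"
        missing=$((missing + 1))
    fi

    return "$missing"
}

# Constructed sample mirroring the two direct rules from the recipe above
# (not captured from a real system).
SAMPLE_RULES='ipv4 nat OUTPUT 0 -m addrtype --src-type LOCAL --dst-type LOCAL -p tcp --dport 80 -j DNAT --to-destination 192.168.0.174:8443
ipv4 nat POSTROUTING 0 -m addrtype --src-type LOCAL --dst-type UNICAST -j MASQUERADE'

# Offline demonstration against the constructed sample.
if check_local_redirect 1 192.168.0.174:8443 "$SAMPLE_RULES"; then
    echo "sample configuration: complete"
fi

# Live use on the Fedora box (needs firewalld and root):
#   check_local_redirect "$(sysctl -n net.ipv4.conf.all.route_localnet)" \
#       192.168.0.174:8443 "$(sudo firewall-cmd --direct --get-all-rules)"
```

The `--dst-type LOCAL` match is checked deliberately: a DNAT in nat OUTPUT without it would also rewrite any locally generated connection to port 80, not just those aimed at this host's own addresses.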


That’s working! Thank you so much, good luck.
