Firewalld port forwarding

Hi,

I’m having trouble setting up port forwarding from the host to virtual machines.

First I tried to set up forwarding from the host (Fedora Workstation 31) to a virtual Fedora Server 31 for the Cockpit web interface.

firewall-cmd --add-forward-port=port=9090:proto=tcp:toaddr=192.168.122.151
firewall-cmd --add-masquerade

From my understanding, if I now try to access localhost:9090 from my web browser it should load 192.168.122.151:9090, but it doesn’t. I’m not sure what I’m missing here.
If I try to load 192.168.122.151:9090 directly, it does work.

I also tried local port forwarding, just to test.

firewall-cmd --add-forward-port=port=6631:proto=tcp:toport=631

Now CUPS should be accessible at localhost:6631, but that doesn’t work. So I think the problem isn’t with the virtual machines; I’m missing something in the firewalld setup.

I also tried to copy everything to permanent and reload the firewall, but there was no change.

Here’s output of firewall-cmd --list-all.

[phalkon@aerie-localdomain ~]$ sudo firewall-cmd --list-all 
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp2s0
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  masquerade: yes
  forward-ports: port=9090:proto=tcp:toport=:toaddr=192.168.122.151
	port=6631:proto=tcp:toport=631:toaddr=
  source-ports: 
  icmp-blocks: 
  rich rules: 

The virtual machine NIC is behind a virtual network, so there’s NAT going on. I could just set up passthrough on the NIC, but that’s not really what I want to do. I want everything to go to the host except certain ports, which I’m looking to redirect to the virtual machines.

1 Like
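One way to script the setup from the post above and, more importantly, to test it from a place where the rule can actually fire. This is an added example, not code from the thread: it assumes the guest address 192.168.122.151, the zone FedoraWorkstation and the Cockpit port 9090/tcp from the post, and a LAN client on the wlp2s0 side. The point a practitioner wants here is that firewalld programs forward-ports as DNAT in the nat PREROUTING hook, which only packets arriving from the network traverse; a connection the host opens to 127.0.0.1 or to its own address never passes that hook, so browsing localhost:9090 (or localhost:6631) from the host cannot prove or disprove the rule, whatever the firewall state. The script builds the rules, checks the kernel forwarding sysctl instead of assuming it, and refuses to treat a local address as a meaningful test client.

```bash
#!/bin/bash
# Added example (not from the thread): forward a TCP port on the host's
# external interface to a libvirt guest with firewalld, and check it the
# only way that can succeed: from a remote client. Assumed values: guest
# 192.168.122.151, zone FedoraWorkstation, port 9090/tcp (Cockpit).
set -euo pipefail

GUEST_IP="${GUEST_IP:-192.168.122.151}"
ZONE="${ZONE:-FedoraWorkstation}"

# Print the firewall-cmd invocations for one forwarded port, runtime and
# permanent. toport/toaddr are optional, as in firewall-cmd itself:
# omit toport to keep the same port, omit toaddr for a host-local redirect.
forward_cmds() {
  local port="$1" proto="$2" toport="${3:-}" toaddr="${4:-}"
  local rule="port=${port}:proto=${proto}"
  [ -n "$toport" ] && rule="${rule}:toport=${toport}"
  [ -n "$toaddr" ] && rule="${rule}:toaddr=${toaddr}"
  printf '%s\n' \
    "firewall-cmd --zone=${ZONE} --add-masquerade" \
    "firewall-cmd --zone=${ZONE} --add-forward-port=${rule}" \
    "firewall-cmd --permanent --zone=${ZONE} --add-masquerade" \
    "firewall-cmd --permanent --zone=${ZONE} --add-forward-port=${rule}"
}

# Forward-ports are DNAT rules in nat PREROUTING, which only packets that
# arrive on an interface traverse. Locally generated connections (to
# 127.0.0.1, ::1 or the host's own address) skip that hook entirely.
# Returns 0 when the client address will hit PREROUTING, 1 when a test
# from it would be meaningless.
client_hits_prerouting() {
  local client="$1" self_ip="${2:-}"
  case "$client" in
    127.*|localhost|::1) return 1 ;;
  esac
  if [ -n "$self_ip" ] && [ "$client" = "$self_ip" ]; then
    return 1
  fi
  return 0
}

# The kernel must route between wlp2s0 and virbr0 at all. libvirt normally
# enables this when it starts its network; verify rather than assume.
kernel_forwards() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

if [ "${1:-}" = "apply" ]; then
  kernel_forwards || sysctl -w net.ipv4.ip_forward=1
  forward_cmds 9090 tcp "" "$GUEST_IP" | while read -r cmd; do
    echo "+ $cmd"
    $cmd
  done
else
  echo "Would run:"
  forward_cmds 9090 tcp "" "$GUEST_IP"
  echo "Then test from another machine on the wlp2s0 network, not from the host:"
  echo "  curl -sk https://<host-ip>:9090/ | head -c 200"
fi
```

Run it with no arguments to review the commands, and with `apply` to execute them. To test the rule from the host itself you would need an additional DNAT in the nat OUTPUT hook, which a plain `--add-forward-port` does not create; connecting from a second machine on the LAN is the simpler check.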

1-Run these commands (temporary change).

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

2-If it works and you want to confirm the changes, add these lines to /etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

3-Run this.

sysctl -p

4-Maybe it is a problem with SELinux; try setting it to Permissive mode (temporary change).

sudo setenforce 0

(google translate)

1 Like

Thank you, but there’s no change.