Linux Firewalld Port-Forward and NAT

In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (external network), by remapping the destination IP address and port number of the communication to an internal host.

Port-Forwarding is what we use to translate a specific port number to our service listening port number, we may forward traffic to another port on the same machine or to a machine on local network ( used with NAT ) .

NAT is what we use to allow private IP rang to access network using public IP , or to hide local network behind our firewall .

To continue with this, please read about Firewall and Zones .

01. NAT :

To configure NAT you need to set interfaces to required zones , and set Masquerade on the zone that will hide the others behind ( the zone or interface that faces the Internet , OR the zone that hold the interface with public IP ).

To Configure NAT using firewalld , For Example:
our machine have tow interfaces eth0 , eth1 .
eth0 will be the external interface and eth1 is connected to internal network , we need internal network to be able to use external eth1 as gateway to reach Internet.

Set interfaces to corresponding Zones:

[root@a ~]# firewall-cmd --permanent --zone=internal --add-interface=eth1
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@a ~]# firewall-cmd --permanent --zone=external --add-interface=eth0
The interface is under control of NetworkManager, setting zone to 'external'.
success
[root@a ~]# firewall-cmd --reload 
success

To make sure that interfaces has assigned to zones:

[root@a ~]# firewall-cmd --list-all --zone=external 
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
    
[root@a ~]# firewall-cmd --list-all --zone=internal 
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules:

Good till now , Let’s add NAT ( the zone that faces Internet  or what we will hide others behind is external zone on interface eth0 ).

*Masquerading will enable ip_forward automatically

[root@a ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@a ~]# firewall-cmd --permanent --zone=external --add-masquerade 
Warning: ALREADY_ENABLED: masquerade
success
[root@a ~]# firewall-cmd --reload 
success
[root@a ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@a ~]#

Now test it from an internal client that uses your internal interfaces as its gateway , it should be able to access outsides.

02. Port-Forwarding :

You can forward traffics that comes to specific port to another port that service listen on in the same machine ,
OR to a different machine with same or different port number ( in this case, NAT is a pre request ).

• You must specify the zone that faces Internet if it is not the default zone.

To forward traffic that comes to port 80 , but our service is listening on port 8080 , we can forward it like that :

[root@a ~]# firewall-cmd --permanent --zone=external --add-forward-port=port=80:proto=tcp:toport=8080
success
[root@a ~]# firewall-cmd --reload 
success
[root@a ~]# firewall-cmd --zone=external --list-all 
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dns ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=8080:toaddr=
  sourceports: 
  icmp-blocks: 
  rich rules: 
    
[root@a ~]#

Nice , let’s analyze this portion of command: –add-forward-port=port=80:proto=tcp:toport=8080

port=80  is the port that traffic will come in to it.
proto=tcp  means protocol is tcp or udp .
toport=8080  means the port that we will forward to , which the service is listening on (like apache web server , mysql , ..)

toaddr=10.1.1.10 means the IP address of the host that has the service running and we will forward traffic to it, not to local machine as the Gateway.

Values are separated by ” : “

To forward traffic to a different internal machine ( after configuring NAT )

[root@a ~]# firewall-cmd --permanent --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.1.1.10
success
[root@a ~]# firewall-cmd --reload 
success
[root@a ~]# firewall-cmd --zone=external --list-all 
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dns ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=8080:toaddr=10.1.1.10
  sourceports: 
  icmp-blocks: 
  rich rules: 
    
[root@a ~]#

To remove a port-forward rule :

[root@a ~]# firewall-cmd --permanent --zone=external --remove-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.1.1.10
success
[root@a ~]# firewall-cmd --reload 
success
[root@a ~]# firewall-cmd --zone=external --list-all 
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dns ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
    
[root@a ~]#

Now the rule is gone away !

That was NAT and Port-Forwarding , if need more about Firewall read this , and for Zones and services read this .

I hope it was easy , thanks for joining me.
Enjoy !.