Conversion IPTables rule to Firewalld rule to redirect

Cheloute asked:

I’m not very familiar with network stuff and I have difficulty understanding how firewalld works.

I’m developing a REST service, actually listening on port 8080, and I want to be able to send requests on port 80 that would be redirected to 8080.

To do that on CentOS 6, I used iptables and such a rule:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

I migrated to CentOS 7, and even though iptables still exists and still works, the fact that firewalld is the default firewall software makes me think I should start to use that software…
The fact is I can’t understand how it works, and how to convert my single iptables rule into a firewalld one. I know that firewalld “understands” iptables rules (in fact, I’m using this rule with firewalld to keep on working), but I want to know how to do it, and I would like to make this rule permanent, too.

Thanks

My answer:


Use --add-forward-port to set up port forwarding.

From the firewall-cmd man page:

       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       [--timeout=timeval]
           Add the IPv4 forward port for zone. If zone is omitted, default
           zone will be used. This option can be specified multiple times. If
           a timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or number followed by one
           of characters s (seconds), m (minutes), h (hours), for example 20m
           or 1h.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

So you would do something like:

firewall-cmd --zone=whatever --add-forward-port=port=80:proto=tcp:toport=8080

And if it does what you want, make it permanent.


View the full question and answer on Server Fault.
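As an added example (not part of the original answer or of firewalld itself): a small shell helper that builds the forward-port argument in the man page's `port=...:proto=...:toport=...` form, adds it to the runtime configuration, confirms it with `--query-forward-port`, and only then repeats it with `--permanent`. The function names and the `public` zone in the usage comment are assumptions.

```bash
#!/usr/bin/env bash
# Added example: validate and apply a firewalld port redirect.

# Return 0 if $1 is "N" or "N-M" with 1 <= N <= M <= 65535.
valid_port() {
    local lo hi n
    lo=${1%%-*}
    hi=${1#*-}          # equals $1 (and so $lo) when there is no dash
    for n in "$lo" "$hi"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
        [ "${#n}" -le 5 ] || return 1
    done
    [ "$lo" -ge 1 ] && [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ]
}

# Print a forward-port spec in the man page's grammar, or fail.
# usage: forward_port_spec PORT PROTO TOPORT
forward_port_spec() {
    local port=$1 proto=$2 toport=$3
    valid_port "$port" && valid_port "$toport" || return 1
    case $proto in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    printf 'port=%s:proto=%s:toport=%s\n' "$port" "$proto" "$toport"
}

# Add the rule to the runtime config, confirm it, then persist it.
# usage: apply_redirect ZONE PORT PROTO TOPORT   (needs root and firewalld)
apply_redirect() {
    local zone=$1 spec
    spec=$(forward_port_spec "$2" "$3" "$4") || { echo "bad spec" >&2; return 2; }
    firewall-cmd --zone="$zone" --add-forward-port="$spec" || return 1
    firewall-cmd --zone="$zone" --query-forward-port="$spec" || return 1
    # The same option with --permanent writes it to the stored configuration.
    firewall-cmd --permanent --zone="$zone" --add-forward-port="$spec"
}

# Example call for the question's case; "public" is an assumed zone name:
#   apply_redirect public 80 tcp 8080
```

The runtime rule is added and queried first so that a mistyped spec never reaches the permanent configuration.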

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.