Score:0

firewalld port forwarding not working in CentOS 7

Laa

On my server I wanted to redirect all requests coming in on port 81 to port 8080.

Because the Jenkins service is not allowed to listen on port 80, I followed the Jenkins doc Jenkins - Reverse proxy using firewalld.

But it is not working; below are my steps and some system details:

  1. CentOS version = 7.9.2009
[root@xxx ~]# cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)
  2. I have enabled the port and added a port forwarding rule in firewalld (already added as permanent and reloaded firewalld):
[root@xxx ~]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160 lo
  sources:
  services: dhcpv6-client http ssh
  ports: 80/tcp 443/tcp 81/tcp
  protocols:
  masquerade: yes
  forward-ports: port=81:proto=tcp:toport=8080:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
  3. Check netstat:
[root@xxx ~]# netstat -tulpn | grep LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1090/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1724/master
tcp6       0      0 :::8080                 :::*                    LISTEN      1107/java
tcp6       0      0 :::22                   :::*                    LISTEN      1090/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1724/master

Only 8080/22/25 are listened on.

  4. I tried to use the nc tool to check port forwarding:
[root@xxx ~]# nc -v 127.0.0.1 8080
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 127.0.0.1:8080.
^C
[root@xxx ~]# nc -v 127.0.0.1 81
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connection refused.

8080 is OK, but forwarding from 81 is not working.

  5. Some references said I need to set net.ipv4.ip_forward=1. I had already set it before:
[root@xxx ~]# sysctl -a |grep "ip_forward"
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.ens160.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
  6. Double-checked my iptables; I didn't set up iptables:
[root@xxx ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@xxx ~]# systemctl status iptables
Unit iptables.service could not be found.

Any ideas for how to make port forwarding work using firewalld? Thanks.

Laa
Sorry, I modified this, using more accurate words: port forwarding on local
Score:0
Laa

Finally, I found a solution. And one more thing: netstat cannot check port forwarding.

Need to add a direct rule for lo:

[root@xxx ~]$ firewall-cmd --direct --get-all-rules
ipv4 nat OUTPUT 0 -p tcp -o lo --dport 80 -j REDIRECT --to-ports 8080
idrositis
Thanks @Laa for this! I have been stuck with the issue for some time.
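The reason the question's `nc 127.0.0.1 81` test was refused while the forward-port entry was present is that firewalld implements `forward-ports` in the nat PREROUTING chain, which only sees packets arriving from a network interface; connections the host makes to itself go through nat OUTPUT instead, which is what the direct rule in the answer covers. The following checker, an added example and not code from the question, the answer, or the firewalld project, parses the two `firewall-cmd` outputs shown on this page and reports which of the two paths is covered for a given port, proposing the missing direct rule when only the external path exists. It assumes `toaddr` is empty or IPv4 (no colons), uses the question's port 81 rather than the answer's `--dport 80`, and the proposed fix line is built with the real `firewall-cmd --permanent --direct --add-rule` syntax (a `firewall-cmd --reload` is still needed afterwards, which the checker does not run).

```python
from __future__ import annotations
import re

# Constructed sample input, copied from the question's `firewall-cmd --list-all --zone=public`
FIREWALLD_LIST_ALL = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160 lo
  sources:
  services: dhcpv6-client http ssh
  ports: 80/tcp 443/tcp 81/tcp
  protocols:
  masquerade: yes
  forward-ports: port=81:proto=tcp:toport=8080:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
"""

# Constructed: `firewall-cmd --direct --get-all-rules` before and after adding the direct rule
DIRECT_RULES_BEFORE = ""
DIRECT_RULES_AFTER = "ipv4 nat OUTPUT 0 -p tcp -o lo --dport 81 -j REDIRECT --to-ports 8080\n"

# <ipv> <table> <chain> <priority> <iptables args>, the line format of --get-all-rules
DIRECT_RULE_RE = re.compile(r"^(ipv4|ipv6|eb)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.+)$")


def parse_forward_ports(list_all: str) -> list[dict[str, str]]:
    """Return the zone's forward-ports entries as dicts (port, proto, toport, toaddr).
    Assumption: toaddr is empty or an IPv4 address, so ':' only separates fields."""
    for line in list_all.splitlines():
        line = line.strip()
        if line.startswith("forward-ports:"):
            entries = line.split(":", 1)[1].split()
            return [dict(kv.split("=", 1) for kv in entry.split(":")) for entry in entries]
    return []


def parse_direct_rules(text: str) -> list[dict[str, str]]:
    """Parse `firewall-cmd --direct --get-all-rules` output into dicts."""
    rules = []
    for line in text.splitlines():
        m = DIRECT_RULE_RE.match(line.strip())
        if m:
            ipv, table, chain, prio, args = m.groups()
            rules.append({"ipv": ipv, "table": table, "chain": chain,
                          "priority": prio, "args": args})
    return rules


def _arg_value(args: list[str], flag: str) -> str | None:
    """Value following `flag` in an iptables argument list, or None."""
    if flag in args:
        i = args.index(flag)
        if i + 1 < len(args):
            return args[i + 1]
    return None


def external_redirect(list_all: str, port: int, proto: str = "tcp") -> str | None:
    """Target port if firewalld redirects traffic *arriving on an interface* for `port`.
    This is the nat PREROUTING path; locally generated packets never traverse it."""
    for fp in parse_forward_ports(list_all):
        if fp.get("port") == str(port) and fp.get("proto") == proto and not fp.get("toaddr"):
            return fp.get("toport")
    return None


def local_redirect(direct_rules: str, port: int) -> str | None:
    """Target port if a direct rule in nat OUTPUT redirects the host's own connections
    to `port` (the path taken by `nc 127.0.0.1 <port>` run on the server itself)."""
    for rule in parse_direct_rules(direct_rules):
        if rule["table"] != "nat" or rule["chain"] != "OUTPUT":
            continue
        args = rule["args"].split()
        if _arg_value(args, "--dport") == str(port) and _arg_value(args, "-j") == "REDIRECT":
            return _arg_value(args, "--to-ports")
    return None


def check_redirect(list_all: str, direct_rules: str, port: int) -> dict:
    """Report coverage of both paths for `port`; propose the direct rule if only
    the external (PREROUTING) path is covered, mirroring the accepted answer's rule."""
    ext = external_redirect(list_all, port)
    loc = local_redirect(direct_rules, port)
    result = {"external": ext, "local": loc, "fix": None}
    if ext and not loc:
        result["fix"] = (f"firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 "
                         f"-p tcp -o lo --dport {port} -j REDIRECT --to-ports {ext}")
    return result


if __name__ == "__main__":
    # On a real host, feed in the live output of the two firewall-cmd commands instead
    print(check_redirect(FIREWALLD_LIST_ALL, DIRECT_RULES_BEFORE, 81))
    print(check_redirect(FIREWALLD_LIST_ALL, DIRECT_RULES_AFTER, 81))
```

Against the question's own output the checker reports `external` as 8080 and `local` as missing, which is exactly the state the question describes: a client on another host would have been redirected, but the loopback test on the server itself was refused. Once a rule like the answer's appears in `--direct --get-all-rules`, `local` is reported as covered and no fix is proposed.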