I'm trying to replace an existing tunnel with firewall rules:
firewall-cmd --zone=public --add-forward-port=port=9999:proto=tcp:toport=9999:toaddr=100.1.1.1
This should forward all incoming TCP connections to 100.1.1.1.
The problem is that it does not work (the port stays closed). I'm trying to understand what I'm doing wrong, and the only thing I can think of is that the destination IP address is on a different NIC and is created by Tailscale (similar to a WireGuard VPN), so it is kind of a virtual IP.
So are there restrictions on which IPs you can forward to? And is there a way to circumvent them?
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: tailscale0
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports: 9999/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
    port=9999:proto=tcp:toport=9999:toaddr=100.1.1.1
  source-ports:
  icmp-blocks:
  rich rules:
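As an added diagnostic (not part of the original question, and not firewalld's own tooling): a POSIX shell script that parses `firewall-cmd --list-all-zones` output and, for every forward-port that names a toaddr, reports the masquerade state of the rule's own zone and of the zone owning the interface that reaches the target (assumed here to be tailscale0), together with the kernel's net.ipv4.ip_forward value, which must be 1 for DNAT to another host to work at all. The embedded listing is constructed to mirror the two zones shown above; an empty first argument makes it read the live listing instead (needs root).

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --list-all-zones` output, trimmed to the
# fields the checks below read; it mirrors the two zones in the question.
SAMPLE_ZONES='external (active)
  interfaces: tailscale0
  masquerade: yes
  forward-ports:
public (active)
  interfaces: enp0s3
  masquerade: no
  forward-ports:
    port=9999:proto=tcp:toport=9999:toaddr=100.1.1.1
'
# Print "zone masquerade toaddr" for every forward-port that names a toaddr.
list_dnat_rules() {
  printf '%s\n' "$1" | awk '
    /^[A-Za-z0-9_-]+( \(active\))?$/ { zone = $1 }   # unindented zone header
    /^[[:space:]]*masquerade:/ { masq[zone] = $2 }
    /toaddr=/ { sub(/.*toaddr=/, ""); sub(/\/.*/, ""); rule[++n] = zone " " $0 }
    END { for (i = 1; i <= n; i++) { split(rule[i], r, " ")
            print r[1], (r[1] in masq ? masq[r[1]] : "unknown"), r[2] } }'
}
# Print the zone whose interface list contains $2, or nothing if none does.
zone_of_interface() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    /^[A-Za-z0-9_-]+( \(active\))?$/ { zone = $1 }
    /^[[:space:]]*interfaces:/ { for (i = 2; i <= NF; i++) if ($i == ifc) { print zone; exit } }'
}
# Print the masquerade setting (yes/no) of zone $2.
zone_masquerade() {
  printf '%s\n' "$1" | awk -v z="$2" '
    /^[A-Za-z0-9_-]+( \(active\))?$/ { zone = $1 }
    zone == z && /^[[:space:]]*masquerade:/ { print $2; exit }'
}
# For each DNAT rule, show the masquerade state of its own zone and of the zone
# owning the egress interface ($2), plus the kernel forwarding sysctl.
# An empty $1 reads the live listing from firewalld instead of a supplied one.
report_dnat() {
  out=${1:-$(firewall-cmd --list-all-zones)}
  fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown)
  echo "net.ipv4.ip_forward=$fwd (DNAT to another host needs 1)"
  egress=$(zone_of_interface "$out" "$2")
  list_dnat_rules "$out" | while read -r zone masq addr; do
    echo "$zone -> $addr: masquerade=$masq; egress $2 in zone ${egress:-<none>}," \
      "masquerade=$(zone_masquerade "$out" "$egress")"
  done
}
report_dnat "$SAMPLE_ZONES" tailscale0
```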