4

I run ssh on port 5678.

For my source IP address 1.2.3.4 - I want to connect on port 22 and have firewalld port forward to 5678.

No other source IP addresses get port forwarding.

What firewall-cmd line would I type to achieve this?

matiu

    Possible duplicate of [How to open port for a specific IP address with firewall-cmd on CentOS?](http://serverfault.com/questions/684602/how-to-open-port-for-a-specific-ip-address-with-firewall-cmd-on-centos) – user5870571 Feb 14 '16 at 16:55
  • Not a dup. That one wishes to merely open the port. I wish to port forward traffic from port 22 to port 5678 – matiu Feb 14 '16 at 16:56

2 Answers

4

You just create a firewalld rule to allow the traffic and then you configure NAT for the traffic. Essentially you are creating an ACL to determine what traffic is allowed in, and then you are making a NAT rule to say that the allowed traffic should be translated.

# rich rule: accept TCP/22 from 1.2.3.4 only
firewall-cmd --permanent --zone=public --add-rich-rule="rule family=\"ipv4\" source address=\"1.2.3.4/32\" port protocol=\"tcp\" port=\"22\" accept"
# zone-wide forward of TCP/22 to 5678; toaddr= is only needed when the target is another host (omit it to redirect locally)
firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=5678:toaddr=<private translated IP address>
# apply the permanent configuration to the running firewall
firewall-cmd --reload

How to open port for a specific IP address with firewall-cmd on CentOS? (http://serverfault.com/questions/684602/how-to-open-port-for-a-specific-ip-address-with-firewall-cmd-on-centos)

http://www.certdepot.net/rhel7-get-started-firewalld/

user5870571

  • Thanks for the answer @user5870571 - however it didn't work. The port forwarding worked for all IPs (not just mine). – matiu Feb 14 '16 at 17:53
  • I apologize I really thought that would work. I am going to ask a question here about why my solution did not work. Maybe someone can explain that for both of us! – user5870571 Feb 14 '16 at 20:13
  • I made a stupid typo. If you have extra time, would you mind trying my solution again (with the updated commands)? At this point I would like to verify if my answer works when written without the original mistake. – user5870571 Feb 14 '16 at 20:25
  • I didn't copy the mistake (external instead of public). I used public all the way. – matiu Feb 15 '16 at 07:57
  • Sorry I wasn't able to test it properly. I've had a broken installation for several hours. It may work :) – matiu Feb 15 '16 at 09:39
3

Figured it out:

# find the port sshd actually listens on (the IPv4 wildcard listener owned by ssh)
CUSTOMPORT=$(netstat -tlpn | grep '0.0.0.0.*ssh' | cut -d: -f2 | cut -f1 -d' ')
SOURCE_IP=1.2.3.4
# check, then enable, masquerading in the zone (firewalld needs it when forwarding to another host; harmless for a local redirect)
firewall-cmd --zone=public --permanent --query-masquerade
firewall-cmd --zone=public --permanent --add-masquerade
# rich rule: only SOURCE_IP gets TCP/22 redirected to the real sshd port; other sources are unaffected
firewall-cmd --zone=public --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"${SOURCE_IP}\" forward-port port=\"22\" protocol=\"tcp\" to-port=\"${CUSTOMPORT}\""
# apply the permanent configuration to the running firewall
firewall-cmd --reload
matiu