
I'm not very familiar with network stuff and I have difficulties understanding how firewalld works.

I'm developing a REST service, actually listening on port 8080, and I want to be able to send requests on port 80 that would be redirected to 8080.

To do that on CentOS 6, I used iptables and a rule such as this:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

I migrated to CentOS 7, and even though iptables still exists and still works, the fact that firewalld is the default firewall software makes me think I should start to use that software... The fact is I can't understand how it works, and how to convert my single iptables rule into a firewalld one. I know that firewalld "understands" iptables rules (in fact, I'm using this rule with firewalld to keep on working), but I want to know how to do it, and I would like to make this rule permanent, too.

Thanks

Cheloute

2 Answers


Use --add-forward-port to set up a port forwarding.

From the firewall-cmd man page:

       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       [--timeout=timeval]
           Add the IPv4 forward port for zone. If zone is omitted, default
           zone will be used. This option can be specified multiple times. If
           a timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or number followed by one
           of characters s (seconds), m (minutes), h (hours), for example 20m
           or 1h.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

So you would do something like:

firewall-cmd --zone=whatever --add-forward-port=port=80:proto=tcp:toport=8080

And if it does what you want, make it permanent.

LinuxLugo
Michael Hampton
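The procedure from this answer (add the forward port to the runtime configuration, check that it does what you want, then make it permanent) written out as a script. This is an added example, not code from the answer or from the firewalld project. It assumes firewall-cmd from CentOS 7 running as root; the zone defaults to whatever --get-default-zone reports, and forward_spec / apply_forward are names chosen here.

```shell
#!/bin/sh
# Added example: firewalld equivalent of
#   iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
# Assumes firewall-cmd (CentOS 7) and root; otherwise only the spec is printed.

# Build the value for --add-forward-port, validating inputs first.
# Usage: forward_spec FROM_PORT PROTO TO_PORT
forward_spec() {
    from="$1"; proto="$2"; to="$3"
    case "$proto" in
        tcp|udp|sctp|dccp) ;;                       # protocols the man page allows
        *) echo "invalid protocol: $proto" >&2; return 1 ;;
    esac
    for p in "$from" "$to"; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    echo "port=${from}:proto=${proto}:toport=${to}"
}

# Add the rule to the runtime configuration, verify it is present in the zone,
# then repeat with --permanent so it survives a reload or reboot.
# Usage: apply_forward ZONE FROM_PORT PROTO TO_PORT
apply_forward() {
    zone="$1"
    spec=$(forward_spec "$2" "$3" "$4") || return 1
    firewall-cmd --zone="$zone" --add-forward-port="$spec" || return 1
    # --query-forward-port exits 0 only if the rule is active in that zone
    firewall-cmd --zone="$zone" --query-forward-port="$spec" || return 1
    firewall-cmd --permanent --zone="$zone" --add-forward-port="$spec"
}

if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    zone=$(firewall-cmd --get-default-zone)
    apply_forward "$zone" 80 tcp 8080
    firewall-cmd --zone="$zone" --list-forward-ports
else
    echo "firewall-cmd not available or not root; spec would be:"
    forward_spec 80 tcp 8080
fi
```

The runtime step first, permanent step second is deliberate: a wrong forward port added only at runtime disappears on `firewall-cmd --reload`, whereas a permanent one is reapplied every time. Note that a reload also discards rules inserted directly with iptables while firewalld is running, which is why the question's current setup (a raw iptables rule alongside firewalld) does not survive reloads.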

iptables is the default firewall tool and you can find it installed under all Linux versions. firewalld is a convenient tool so the user can interact with "iptables rules" without knowing that. It seems very simple using firewall-cmd ... commands as you can pick up predefined zones and services (which are automatically translated to specific ports) on the fly. You can reload the firewalld.service without rebooting or any inconvenience.

You can still use iptables on CentOS7 but you have to disable firewalld (and mask it even better):

systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld

Install iptables-services and iptables-utils:

yum install -y iptables-services iptables-utils

Now you are ready to use iptables on CentOS7.

If you need to save your configuration to survive reboot:

iptables-save >/etc/sysconfig/iptables

and if you want to change the sequence of your iptables rules you can edit their file (for example /your_file) and then:

iptables-restore </your_file

and the rules will be restored.

Hope that helps you.