How to forward port 80 to another port on the same machine permanently on CentOS 7?

Question

I tried this, but it's only a partial answer or not right for CentOS7. https://serverfault.com/a/320624/439512

I did exactly what it says but it's not right.

$ sudo iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
$ sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

$ curl localhost
  curl: (7) Failed connect to localhost:80; Connection refused
$ curl localhost:8080
  <html>...</html>
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:webcache

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination     

These two commands will work termporarily but not after restart:

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

If you try to save it like this guy says it'll completly break and it won't even work temperarily:

$ sudo systemctl enable iptables
$ sudo service iptables save
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
$ sudo iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
$ sudo service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Does anyone have a working example on how to do this?

Answer 1

Use the following command and post the error if you have any trouble.

Make sure the post is allowed and open by iptables and then:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080 --permanent

sudo firewall-cmd --zone=public --add-port=80/tcp --permanent

sudo firewall-cmd --reload

Answer 2

It's not recognizing --permanent. Without it the command finishes but doesn't work.

"--permanent" is for firewalld not for iptables.Its typo error.

Kindly list the error after executing the following cmd. It worked for me

Open file : vim /etc/sysconfig/iptables

Add below lines

-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT

-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT

COMMIT

*nat

-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80

COMMIT

After adding the line save it and restart the service

iptables-save

systemctl restart iptables ->REHL 7

service restart iptables ->RHEL 6

Check the traffic using the below cmd

iptables -t nat -L -n

ss -tulnp

Notes: Scenarios as follows 1.(Network A or Machine A ) --8080--> INTERNAL -80-> (Network B or Machine B)

2.(Network B or Machine B ) <--8080-- INTERNAL <-80- (Network A or Machine A)

Try to troubleshooting from outside using url,because rules in iptables already added by you may conflict and it is a very complicated program in comparison to modern firewall applications.

Answer 3

Use the following command on CentOS 7 :

# firewall-cmd --permanent --zone=<zone-name> --add-forward-port=port=80:proto=tcp:toport=443:toaddr=<ip-address>

# firewall-cmd --reload

Change your zone, port and ip-address accordingly.