Port forwarding TCP traffic to another server with firewalld

During the first covid lockdown, while working from home, I needed to reach a web application running in a data centre to which I had no direct network access.

In the diagram below, the web application runs on the server marked by a green square. So let’s call this the target server.

I had access to our AWS servers via a bastion host, which had network access to the target server via a direct connect link.

This article demonstrates how I used firewalld to port forward traffic to the target server. In addition, it illustrates how I used an SSH tunnel to get traffic from my development machine to the server with firewalld installed. This SSH tunnel is depicted in the diagram by the red arrows.

Then we’ll look at the firewalld configuration, which forwards the traffic to the target server—depicted on the diagram with the blue lines.

The result was that I could reach the web application from my development machine at the local address 127.0.0.1, on port 8443.

Let’s assume the bastion host’s IP address is 3.8.8.8 and the firewalld server’s is 10.10.10.001 (note that some address parsers read an octet with a leading zero, such as 001, as octal, so write addresses without leading zeros in practice). The command below opens an SSH session to the bastion as ec2-user and maps local port 8443 on my development machine to port 8443 on the firewalld server. The bastion makes the onward connection, so the firewalld server sees the bastion, not my machine, as the client. The -N flag opens no remote shell; the session carries only the forward.

ssh -L 8443:10.10.10.001:8443 3.8.8.8 -l ec2-user -N

Installing firewalld

Depending on your Linux distribution, installing firewalld should be straightforward with apt-get or yum; you will need root privileges to install and configure it. Once installed, start the service (and enable it if it should come up at boot), then permanently add port 22 for SSH access and the port you want to forward to the other server, in this case 8443. Be aware that --permanent writes a rule to the saved configuration but does not change the running firewall: the rule only becomes active after firewall-cmd --reload or a restart of the service. Conversely, a firewall-cmd call without --permanent, such as the masquerade and forward-port commands further down, changes only the running firewall and is lost on the next reload or reboot. Either run each command in both forms, or run firewall-cmd --runtime-to-permanent once the forward works, so the saved and running configurations match.

systemctl start firewalld
firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --zone=public --add-port=8443/tcp --permanent

Forwarding to another host requires masquerading on the zone. With it enabled, firewalld turns on IPv4 forwarding in the kernel and rewrites the source address of forwarded packets to its own, so the target server’s replies come back through the firewalld server rather than going straight to the original client. The side effect is that the target only ever sees the firewalld server’s address in its logs. Note that this command, unlike the two above, has no --permanent flag, so it takes effect immediately but does not survive a reload.

firewall-cmd --zone=public --add-masquerade

Forwarding the port traffic

Finally, we can add the rule that forwards traffic arriving at the firewalld server on port 8443 to its final destination, the target server. In this example, the target server’s IP address is 10.11.10.163. Keep in mind that the rule applies to every host that can reach the firewalld server on port 8443, not only to traffic coming through the SSH tunnel; if the forwarding host is reachable from elsewhere, restrict the source with a rich rule rather than a plain forward-port.

In this example, we’re mapping port 8443 directly to port 8443, but you can forward to a different target port by changing toport. As with the masquerade command, this rule is runtime-only as written.

firewall-cmd \
   --zone=public \
   --add-forward-port=port=8443:proto=tcp:toport=8443:toaddr=10.11.10.163

Stopping firewalld

Stopping the firewalld service does stop the forwarding, but it also removes every other rule firewalld manages, leaving the host without packet filtering until the service is started again. If you only want to withdraw the forward, remove the forward-port rule (and the masquerade, if nothing else needs it) with the corresponding firewall-cmd --remove-forward-port and --remove-masquerade options instead, and only stop the service if that is really what you intend.

systemctl stop firewalld
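The script below is an added example and not code from the original article. It pulls the installation, forwarding and removal steps above into one repeatable procedure: every rule is written with --permanent and activated by a single --reload, so the saved and running configurations stay identical and the forward survives a reboot; removal withdraws only the forward rather than stopping the whole firewall. It uses the article’s values (zone public, listen port 8443, target 10.11.10.163:8443) as defaults. ALLOWED_SOURCE is a hypothetical addition: when set to the address the tunnel traffic actually arrives from (for instance the bastion’s private IP, say 10.10.10.5), the forward is installed as a rich rule limited to that source instead of a zone-wide forward-port. Running it needs root and firewalld on the forwarding host; without the apply or remove argument it only defines the helpers.

```shell
#!/bin/sh
# Added example (not from the original article): install or withdraw the
# firewalld forward as a repeatable, idempotent script.
# Defaults are the article's values; ALLOWED_SOURCE is a hypothetical
# extension that restricts the forward to one client address.
set -eu

ZONE="${ZONE:-public}"
LISTEN_PORT="${LISTEN_PORT:-8443}"
TARGET_ADDR="${TARGET_ADDR:-10.11.10.163}"
TARGET_PORT="${TARGET_PORT:-8443}"
ALLOWED_SOURCE="${ALLOWED_SOURCE:-}"   # empty = forward for any source, as in the article

# A port is purely decimal and within 1-65535; anything else is rejected so a
# typo cannot open a port you did not intend.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Dotted-quad IPv4 only, octets 0-255 and no leading zeros: some parsers read
# "010" as octal 8, so a leading zero silently changes the target.
valid_ipv4() {
    addr=$1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Build the spec firewall-cmd expects for --add-forward-port (listen port,
# target address, target port), or fail before anything reaches the firewall.
forward_spec() {
    valid_port "$1" && valid_ipv4 "$2" && valid_port "$3" || return 1
    printf 'port=%s:proto=tcp:toport=%s:toaddr=%s\n' "$1" "$3" "$2"
}

# The same forward as a rich rule limited to one source address (source,
# listen port, target address, target port), so other hosts that can reach
# the firewalld server cannot use it as a relay.
source_rule() {
    valid_ipv4 "$1" && valid_port "$2" && valid_ipv4 "$3" && valid_port "$4" || return 1
    printf 'rule family="ipv4" source address="%s" forward-port port="%s" protocol="tcp" to-port="%s" to-addr="%s"\n' \
        "$1" "$2" "$4" "$3"
}

apply_forward() {
    systemctl enable --now firewalld
    # Masquerading is required for a forward to another host; it also turns
    # on kernel IP forwarding. Everything is saved with --permanent and made
    # live by one reload, so saved and running state cannot drift apart.
    firewall-cmd --permanent --zone="$ZONE" --add-masquerade
    if [ -n "$ALLOWED_SOURCE" ]; then
        firewall-cmd --permanent --zone="$ZONE" \
            --add-rich-rule="$(source_rule "$ALLOWED_SOURCE" "$LISTEN_PORT" "$TARGET_ADDR" "$TARGET_PORT")"
    else
        firewall-cmd --permanent --zone="$ZONE" \
            --add-forward-port="$(forward_spec "$LISTEN_PORT" "$TARGET_ADDR" "$TARGET_PORT")"
    fi
    firewall-cmd --reload
    # Verify what is really active, not just what was written to disk.
    firewall-cmd --zone="$ZONE" --query-masquerade
    firewall-cmd --zone="$ZONE" --list-forward-ports
    firewall-cmd --zone="$ZONE" --list-rich-rules
}

# Withdraw only the forward; the rest of the firewall stays in place.
remove_forward() {
    if [ -n "$ALLOWED_SOURCE" ]; then
        firewall-cmd --permanent --zone="$ZONE" \
            --remove-rich-rule="$(source_rule "$ALLOWED_SOURCE" "$LISTEN_PORT" "$TARGET_ADDR" "$TARGET_PORT")"
    else
        firewall-cmd --permanent --zone="$ZONE" \
            --remove-forward-port="$(forward_spec "$LISTEN_PORT" "$TARGET_ADDR" "$TARGET_PORT")"
    fi
    firewall-cmd --permanent --zone="$ZONE" --remove-masquerade
    firewall-cmd --reload
}

case "${1:-}" in
    apply)  apply_forward ;;
    remove) remove_forward ;;
esac
```

Usage: `sudo ./forward.sh apply` to install the forward, `sudo ALLOWED_SOURCE=10.10.10.5 ./forward.sh apply` to limit it to the bastion, and `sudo ./forward.sh remove` to take it down again while the rest of the firewall keeps running. The validation helpers fail before firewall-cmd is called, so a malformed port or an address with a leading-zero octet never reaches the firewall.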

Versions

  • 15.02.2023 – slight rewrite of document. Added link to firewalld’s project page.
  • 11.10.2020 – initial document created.
ryan