On Sun, Dec 31, 2017 at 06:00:00PM -0000, nitesh sinha wrote:
> Hi List,
Hi. Apologies for the late reply. I missed this message somehow.
> I have a query regarding firewalld configuration. If this is not the correct place to
> ask, please redirect me to the correct place.
> I am trying to set up port forwarding from the https port (443) to the application port (8443).
> The application runs on a non-standard port; I am able to DNAT it to the outside world on 443.
> These are the iptables rules that work for me.
> #for remote connections
> iptables -t nat -A PREROUTING -i eno16777984 -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8443
> iptables -A FORWARD -i eno16777984 -m state --state NEW -m tcp -p tcp -d 127.0.0.1 --dport 8443 -j ACCEPT
> #for localhost connections
> iptables -t nat -A OUTPUT -p tcp --dport 443 -d 127.0.0.1 -j DNAT --to-destination 127.0.0.1:8443
> Now, with firewalld, I tried the following:
> added service (https) to public zone
> added port-forwarding : port=443:proto=tcp:toport=8443:toaddr=127.0.0.1
This should work for external access, i.e. other hosts to this host. If
the application does not exclusively bind to localhost, then you can
omit the toaddr part.
But port-forwarding does not work for localhost redirection. For that
you'll need to use the direct rule (OUTPUT chain) you have above.
>
> This did not work, so I tried adding rules using --direct
>
> firewall-cmd --direct --add-rule ipv4 nat PREROUTING 0 -i eno16777984 -d 127.0.0.1 -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8443
> firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eno16777984 -m state --state NEW -m tcp -p tcp -d 127.0.0.1 --dport 8443 -j ACCEPT
> firewall-cmd --direct --add-rule ipv4 nat OUTPUT 0 -p tcp --dport 443 -d 127.0.0.1 -j DNAT --to-destination 127.0.0.1:8443
>
> I assume that this will work, since these are the exact rules that work with iptables.
>
> Working ->
> https://localhost:443
> Not Working ->
> https://10.211.213.143:443/ (assuming this is the network IP of my machine)
>
>
> [root@jmaster ~]# firewall-cmd --direct --get-all-rules
> ipv4 nat OUTPUT 0 -p tcp --dport 443 -d 127.0.0.1 -j DNAT --to-destination 127.0.0.1:8443
> ipv4 nat OUTPUT 0 -p tcp -o lo --dport 443 -j REDIRECT --to-ports 8443
> ipv4 filter FORWARD 0 -i eno16777984 -m state --state NEW -m tcp -p tcp -d 127.0.0.1 --dport 8443 -j ACCEPT
> ipv4 nat PREROUTING 0 -i eno16777984 -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8443
>
> What should I do to make the service accessible from outside on 443?
>
> Thanks in advance.
> Nitesh
> _______________________________________________
> firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
> To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org
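The following script is an added example, not code posted by either participant in the thread. It generates, and only when FW_APPLY=1 executes, the firewalld commands for the setup discussed above: a zone forward-port for remote clients, plus a `--direct` rule in the nat OUTPUT chain for locally generated connections, which never pass through PREROUTING. It goes beyond the thread in two ways: it enables `route_localnet` on the ingress interface, which the kernel requires before it will deliver a packet that arrived on a non-loopback interface to 127.0.0.1, and it matches the OUTPUT rule on `-m addrtype --dst-type LOCAL` rather than `-d 127.0.0.1`, so a connection from the host to its own address (the `https://10.211.213.143:443/` case) is rewritten as well. The interface name, zone and ports are assumptions mirroring the thread; the script runs dry by default so the rule set can be reviewed before it touches the firewall.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): emit, and optionally apply,
# the firewalld rules for exposing an application on 127.0.0.1:8443 as port 443.
# Dry-run by default; set FW_APPLY=1 to execute the printed commands.
# IFACE/ZONE/PORT/TOPORT defaults are assumptions taken from the thread.

# fw_commands IFACE ZONE PORT TOPORT -> one command per line (runtime rules;
# repeat each firewall-cmd with --permanent once the set has been verified).
fw_commands() {
    iface=$1; zone=$2; port=$3; toport=$4
    # Remote clients: the zone must accept 443, then PREROUTING DNATs it to loopback.
    printf '%s\n' "firewall-cmd --zone=$zone --add-service=https"
    printf '%s\n' "firewall-cmd --zone=$zone --add-forward-port=port=$port:proto=tcp:toport=$toport:toaddr=127.0.0.1"
    # A packet that arrived on $iface and was DNATed to 127.0.0.1 is dropped as a
    # martian unless route_localnet is enabled on that interface.
    printf '%s\n' "sysctl -w net.ipv4.conf.$iface.route_localnet=1"
    # Locally generated connections (https://localhost and https://<host-ip>) skip
    # PREROUTING; only a nat OUTPUT rule, reachable via --direct, can rewrite them.
    # addrtype LOCAL matches every address configured on the host, so the host's
    # own IP is covered, which a plain '-d 127.0.0.1' match would miss.
    printf '%s\n' "firewall-cmd --direct --add-rule ipv4 nat OUTPUT 0 -p tcp --dport $port -m addrtype --dst-type LOCAL -j REDIRECT --to-ports $toport"
}

# fw_verify ZONE -> commands that display the resulting rule set for review
fw_verify() {
    printf '%s\n' "firewall-cmd --zone=$1 --list-forward-ports" \
                  "firewall-cmd --direct --get-all-rules" \
                  "iptables -t nat -S PREROUTING" \
                  "iptables -t nat -S OUTPUT"
}

# fw_run: read commands on stdin; print them with '#' (dry run) or '+' (applied).
fw_run() {
    while IFS= read -r cmd; do
        if [ "${FW_APPLY:-0}" = 1 ]; then
            printf '+ %s\n' "$cmd"
            sh -c "$cmd"
        else
            printf '# %s\n' "$cmd"
        fi
    done
}

fw_commands "${IFACE:-eno16777984}" "${ZONE:-public}" "${PORT:-443}" "${TOPORT:-8443}" | fw_run
fw_verify "${ZONE:-public}" | fw_run
```

Two checks worth making after applying the rules. First, because 127.0.0.1 is a local address, a packet DNATed to it is delivered through the filter INPUT chain, not FORWARD, so the FORWARD rule in the thread never sees that traffic; if remote access still fails, inspect the INPUT path for port 8443 rather than FORWARD. Second, the OUTPUT rule in the thread matches `-d 127.0.0.1`, which cannot apply to a connection addressed to 10.211.213.143; the addrtype match above is one way to cover both destinations with a single rule.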