On Tue, Apr 28, 2020 at 12:22:33PM -0000, Peter Hoogendijk wrote:
For several days I've been searching for the correct way to
implement port forwarding based on the IP address of the interface (one interface with two
addresses: 172.16.1.15 and 172.16.1.16). With iptables I would use the following rules to
forward traffic to two different web server implementations:
iptables -A PREROUTING -t nat -p tcp --dst 172.16.1.15 --dport 443 -j REDIRECT --to-port 8015
iptables -A PREROUTING -t nat -p tcp --dst 172.16.1.16 --dport 443 -j REDIRECT --to-port 8016
What would be the right way to translate this iptables situation into
a firewalld configuration? In the documentation about port forwarding
there is no way to specify "--dst". The documentation about services
shows a way to specify this as "destination" but no way to specify
port forwarding. So after searching for several days I decided that I'm
now past the RTFM phase :-).
Use a rich rule.
firewall-cmd --zone <zone> --add-rich-rule='rule family=ipv4 destination address=172.16.1.15 forward-port port=443 protocol=tcp to-port=8015'
firewall-cmd --zone <zone> --add-rich-rule='rule family=ipv4 destination address=172.16.1.16 forward-port port=443 protocol=tcp to-port=8016'
Hope that helps.
Eric.
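As an added example (not part of this thread, and not firewalld's own tooling), here is a small Python helper that does the same translation mechanically: it parses an iptables REDIRECT rule of the form Peter posted into the rich-rule syntax Eric gives, and emits the firewall-cmd lines to apply it. The function names are my own; the addresses and ports are the ones from the thread, and the example assumes the rules should be made permanent and reloaded.

```python
import ipaddress
import shlex


def iptables_redirect_to_rich_rule(rule: str) -> str:
    """Translate one iptables nat/PREROUTING REDIRECT rule into a firewalld rich rule.

    Supports the options used in the thread (-p, --dst, --dport, --to-port)
    plus the common aliases -d/--destination and --to-ports. Anything else
    raises ValueError rather than silently producing a different rule.
    """
    toks = shlex.split(rule)
    if toks[:1] == ["iptables"]:
        toks = toks[1:]
    opts = {}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-I", "-t"):          # chain / table placement, not a match
            i += 2
            continue
        if t == "-j":                        # only a local REDIRECT maps to to-port without to-addr
            if toks[i + 1] != "REDIRECT":
                raise ValueError("only -j REDIRECT is supported")
            i += 2
            continue
        if t in ("-p", "--protocol"):
            opts["protocol"] = toks[i + 1]
        elif t in ("-d", "--dst", "--destination"):
            opts["dst"] = toks[i + 1]
        elif t == "--dport":
            opts["port"] = toks[i + 1]
        elif t in ("--to-port", "--to-ports"):
            opts["to_port"] = toks[i + 1]
        else:
            raise ValueError(f"unsupported option: {t}")
        i += 2
    missing = {"protocol", "dst", "port", "to_port"} - opts.keys()
    if missing:
        raise ValueError(f"missing: {sorted(missing)}")
    # Pick the rich-rule family from the destination address itself.
    family = "ipv6" if ipaddress.ip_network(opts["dst"], strict=False).version == 6 else "ipv4"
    return (f'rule family={family} destination address={opts["dst"]} '
            f'forward-port port={opts["port"]} protocol={opts["protocol"]} '
            f'to-port={opts["to_port"]}')


def firewall_cmd_lines(zone: str, rules: list) -> list:
    """Emit permanent firewall-cmd invocations for the rich rules, then a reload."""
    cmds = [f"firewall-cmd --permanent --zone={zone} --add-rich-rule={shlex.quote(r)}" for r in rules]
    return cmds + ["firewall-cmd --reload"]


if __name__ == "__main__":
    # Constructed input: the two rules from the thread.
    src = [
        "iptables -A PREROUTING -t nat -p tcp --dst 172.16.1.15 --dport 443 -j REDIRECT --to-port 8015",
        "iptables -A PREROUTING -t nat -p tcp --dst 172.16.1.16 --dport 443 -j REDIRECT --to-port 8016",
    ]
    print("\n".join(firewall_cmd_lines("public", [iptables_redirect_to_rich_rule(r) for r in src])))
```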