Port forwarding traffic to another server with firewalld

by Paul Bradley

Introduction

During the covid lock down and while working from home, I had a requirement to access a web application running from a data centre that I didn’t have direct access to. In the diagram below it’s marked as a green square. Let’s call this the target server. I did however have access to our AWS servers via a bastion host, which in turn had network access to the target server via a direct connect link.

This article demonstrates how I used firewalld to port forward traffic to the target server. It demonstrates how I used an SSH tunnel to get traffic from my development machine to the server with firewalld installed. The arrows shown in red.

Then we’ll look at the firewalld configuration which forwards the traffic to the target server. Depicted on the diagram with the blue lines.

The result being I was able to access the web service from my development machine using a local address of 127.0.0.1

Let’s assume the IP address of the bastion server is 3.8.8.8 and the IP address of the server running firewalld is 10.10.10.001. The command below creates an SSH tunnel mapping the local port 8443 on my development machine to the 8443 port on the firewalld server.

ssh -L 8443:10.10.10.001:8443 3.8.8.8 -l ec2-user -N

Installing firewalld

Depending on your Linux distribution the installation of firewalld should be relativity easy using either apt-get or yum. You’ll need to elevate your privileges to root to install the service. Once installed you’ll need to start the firewalld service and permanently add port 22 for SSH access and the port you want to reflect onto another server. In this case 8443.

systemctl start firewalld
firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --zone=public --add-port=8443/tcp --permanent

To allow the IP forwarding to work, you need to switch on IP masquerading which can be done with the following command.

firewall-cmd --zone=public --add-masquerade

Forwarding the port traffic

Finally, we can add the rule to port forward the traffic from the firewalld server to the final destination, the target server. In this example the target servers IP address is 10.11.10.163

In this example we’re mapping port 8443 directly to port 8443, but you could if you needed to, direct/forward the traffic to a different target port.

firewall-cmd --zone="public" --add-forward-port=port=8443:proto=tcp:toport=8443:toaddr=10.11.10.163

Stopping firewalld

To stop the firewall forwarding the traffic, use the system control command to stop it.

systemctl stop firewalld