Using firewalld to NAT/port forward based on source IP?

riahc3
Posts: 13
Joined: 2015/04/19 17:10:18

Using firewalld to NAT/port forward based on source IP?

Post by riahc3 » 2021/03/17 14:47:25

Hello

I'm looking to NAT/port forward traffic based on source IP.

I thought this was enough:

firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"192.168.100.221\" forward-port port=\"514\" protocol=\"udp\" to-port=\"9200\""

But it doesn't seem to be working.

Running a traffic capture, I see the traffic arrive on 514, but I can't seem to find a way to see if the NAT/port forward happens.

Thank you

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Using firewalld to NAT/port forward based on source IP?

Post by jlehtone » 2021/03/17 18:50:22

Look at the actual ruleset with:


sudo iptables -S
sudo iptables -t nat -S
sudo iptables -t mangle -S
Which rules were added due to the rich rule?

We know that there should be a DNAT rule to rewrite port 514/udp as port 9200/udp.
There should also be a rule within INPUT to allow traffic to 9200/udp.

When the service at 9200/udp does reply, does that above-mentioned DNAT rule automagickally rewrite source port from 9200 into 514 in the reply too?

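Added example, not from either post in this thread: a small shell script that performs the check described in the reply above against a saved ruleset dump. With firewalld's iptables backend a forward-port rich rule does not become one DNAT rule carrying the source address. The source/port match sets a packet mark in mangle/PREROUTING, nat/PREROUTING does the DNAT keyed on that mark, and the filter INPUT accept is also keyed on the mark rather than on --dport 9200, so grepping for a DNAT line containing 192.168.100.221 finds nothing even when the forward is in place. The script follows the mark and also accepts the simpler direct form. The ruleset embedded below is constructed for illustration (chain names and the mark value 0x64 are made up, not captured from a real host); on a live system feed it the concatenated output of the three `iptables -S` commands instead.

```shell
#!/bin/sh
# Added example (not from the forum thread): verify that a source-scoped
# forward-port rich rule produced a DNAT rule and a matching INPUT accept.
#
# Input is the concatenated output of
#   sudo iptables -t mangle -S; sudo iptables -t nat -S; sudo iptables -S
# firewalld's iptables backend marks the packet in mangle/PREROUTING and
# DNATs/ACCEPTs on the mark, so the check follows the mark when the DNAT
# rule does not carry the source/port match itself.

# Constructed sample ruleset (hypothetical chain names and mark value).
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -j PRE_public
-A PRE_public -j PRE_public_allow
-A PRE_public_allow -s 192.168.100.221/32 -p udp -m udp --dport 514 -j MARK --set-xmark 0x64/0xffffffff
-P PREROUTING ACCEPT
-A PREROUTING -j PRE_public
-A PRE_public -j PRE_public_allow
-A PRE_public_allow -p udp -m mark --mark 0x64 -j DNAT --to-destination :9200
-P INPUT ACCEPT
-A INPUT -j IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -p udp -m udp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m mark --mark 0x64 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT'

# Escape the dots of an address so it can be used inside an ERE.
addr_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print the mark set on packets from $2 to port $4/$3 (empty if none).
# Arguments for every function: $1=ruleset text $2=source $3=proto $4=port
mark_for_flow() {
    printf '%s\n' "$1" \
      | grep -E -e "-s $(addr_re "$2")(/32)? .*-p $3 .*--dport $4 .*-j MARK --set-x?mark " \
      | sed -E 's/.*--set-x?mark ([^ /]+).*/\1/' \
      | head -n 1
}

# Print the DNAT rule rewriting the flow: a direct tuple match if present,
# otherwise the DNAT keyed on the mark found above. Returns 1 if neither exists.
dnat_rule_for_flow() {
    _direct=$(printf '%s\n' "$1" \
      | grep -E -e "-s $(addr_re "$2")(/32)? .*-p $3 .*--dport $4 .*-j DNAT " || true)
    if [ -n "$_direct" ]; then
        printf '%s\n' "$_direct"
        return 0
    fi
    _mark=$(mark_for_flow "$1" "$2" "$3" "$4")
    [ -n "$_mark" ] || return 1
    _dnat=$(printf '%s\n' "$1" \
      | grep -E -e "-p $3 .*-m mark --mark $_mark(/[^ ]+)? .*-j DNAT " || true)
    [ -n "$_dnat" ] || return 1
    printf '%s\n' "$_dnat"
}

# Print the port the DNAT rewrites to (":9200" or "addr:9200" -> 9200).
forward_to_port() {
    dnat_rule_for_flow "$1" "$2" "$3" "$4" \
      | sed -En 's/.*--to-destination [^ ]*:([0-9]+).*/\1/p' | head -n 1
}

# Succeed if filter/INPUT accepts the forwarded flow, either by the same
# mark or by an explicit --dport <to-port> rule.
input_accepts_flow() {
    _mark=$(mark_for_flow "$1" "$2" "$3" "$4")
    _to=$(forward_to_port "$1" "$2" "$3" "$4")
    printf '%s\n' "$1" \
      | grep -E -q -e "-p $3 .*(--mark ${_mark:-NOMARK}(/[^ ]+)?|--dport ${_to:-NOPORT}) .*-j ACCEPT"
}

# Verdict for one forward: 0 when both the DNAT and the INPUT accept exist.
check_forward() {
    _rule=$(dnat_rule_for_flow "$1" "$2" "$3" "$4") || {
        echo "no DNAT rule for $2 -> $4/$3"; return 1; }
    echo "DNAT: $_rule"
    input_accepts_flow "$1" "$2" "$3" "$4" || {
        echo "no INPUT ACCEPT for the forwarded flow"; return 1; }
    echo "INPUT accepts the forwarded flow"
}

# Stand-alone run on the constructed sample.
check_forward "$SAMPLE_RULES" 192.168.100.221 udp 514
check_forward "$SAMPLE_RULES" 192.168.100.5 udp 514 \
  || echo "(expected: the rich rule only covers 192.168.100.221)"
```

Two caveats for a live host. On CentOS 8 firewalld defaults to the nftables backend, and its rules then live in firewalld's own nftables tables, which `iptables -S` does not display at all; dump them with `sudo nft list ruleset` instead. And whether a given datagram was actually translated is recorded in the connection tracking table: `sudo conntrack -L -p udp --orig-port-dst 514` lists the flows that arrived on 514 together with their reply tuple, and that same conntrack entry is what rewrites the reply's source port from 9200 back to 514 on the way out.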