1

I've been trying to find a way to forward traffic from a specific ip, eg 10.17.1.3 on port 514 to port 5514 with firewalld on CentOS

This works:

  <masquerade/>
  <forward-port to-port="5514" protocol="udp" port="514"/>
  <forward-port to-port="5514" protocol="tcp" port="514"/>

Doesn't work:

  <masquerade/>
  <rule family="ipv4">
    <source address="10.17.1.3"/>
    <forward-port to-port="5514" protocol="udp" port="514"/>
  </rule>

Which was addded with: 

sudo firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' source address='10.17.1.3' forward-port protocol='udp' port='514' to-port=5514"

Is there any way to achieve port forwarding only for a specific source ip with firewalld?

willemdh
  • 245
  • 4
  • 14

1 Answers1

1

As always, when selecting traffic by source address, you should avoid using rich rules to select by source address, and instead create a new firewalld zone which matches traffic from the relevant source addresses.

For example:

firewall-cmd --new-zone=syslogsources --permanent
firewall-cmd --reload
firewall-cmd --zone=syslogsources --add-source=10.17.1.3
firewall-cmd --zone=syslogsources --add-forward-port=port=514:proto=udp:toport=5514

And after you have confirmed it works, save it:

firewall-cmd --runtime-to-permanent
Michael Hampton
  • 244,070
  • 43
  • 506
  • 972
  • sudo firewall-cmd --new-zone=syslogsb usage: see firewall-cmd man page => Option can be used only with --permanent. sudo firewall-cmd --new-zone=syslogsbc --permanent => success sudo firewall-cmd --zone=syslogsbc --add-source=10.17.1.3 => Error: INVALID_ZONE: syslogsbc – willemdh Jan 28 '19 at 17:04
  • @willemdh Yes, you need to add `--permanent` when making the zone. You also need to reload the firewall before adding rules to the zone. See the edited answer. – Michael Hampton Jan 28 '19 at 17:11