How to port forward only on a single host IP address

Aunt Jemima asked:

Short question:

How do you enable port forwarding on only a single host IP address?

Backstory:

My CentOS 7 server has 5 IP addresses. Previously I had Apache listening on all of them and various domains assigned to those IP addresses which were resolved with virtual hosts.

I changed the Listen directive in httpd.conf so that now Apache only listens to 4 of the IP addresses.

Using Node.js I created another server instance, but it won’t let me listen on the standard port 80 without elevated permissions. I don’t want to run it with elevated permissions.

I’d like to port forward port 80 to something like 8080, but only on the one IP address without affecting traffic directed at the other 4 IP addresses. It’s important that traffic on other IP addresses is not affected by the rule.

I think the solution will look similar to:

firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent

The other questions and answers I’ve found have to do with source IP addresses instead of host IP addresses.

My answer:


A firewalld zone can be specified either by interface or by source address, but you want to filter by destination address. You’ll need a rich rule to handle this particular situation.

Such a rich rule may look like:

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="198.51.100.237" forward-port port="80" protocol="tcp" to-port="8080"'

See the firewalld.richlanguage(5) man page for documentation on rich rules.

Once your rich rule is working, remember to make it permanent with

firewall-cmd --runtime-to-permanent

or by adding --permanent to the previous invocation.
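
One way to script the rich rule from the answer so that it is built from validated input and confirmed in the runtime configuration before it is made permanent. This is an added example, not part of the original answer; the function names and the check that the address is assigned to the host are assumptions made here.

```shell
#!/bin/sh
# Added example: scope a firewalld port forward to one destination address.

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                     # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rule DEST PORT TO_PORT: print the rich rule, or fail on bad input.
build_rule() {
    valid_ipv4 "$1" || { echo "bad destination address: $1" >&2; return 1; }
    valid_port "$2" && valid_port "$3" || { echo "bad port: $2 or $3" >&2; return 1; }
    printf 'rule family="ipv4" destination address="%s" forward-port port="%s" protocol="tcp" to-port="%s"' "$1" "$2" "$3"
}

# apply_forward ZONE DEST PORT TO_PORT: add the rule to the runtime
# configuration only, then ask firewalld whether it is really present.
apply_forward() {
    rule=$(build_rule "$2" "$3" "$4") || return 1
    # Assumption of this example: refuse an address the host does not hold.
    ip -4 -o addr show | grep -qF "inet $2/" ||
        { echo "$2 is not assigned to this host" >&2; return 1; }
    firewall-cmd --zone="$1" --add-rich-rule="$rule" || return 1
    firewall-cmd --zone="$1" --query-rich-rule="$rule"
}

# Example arguments: public 198.51.100.237 80 8080
if [ "$#" -eq 4 ]; then apply_forward "$@"; fi
```

Because the rule is added without --permanent, a mistake disappears on the next firewalld reload; after checking that the other four addresses still reach Apache on port 80, save it with firewall-cmd --runtime-to-permanent.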


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.