Forward port 514 to 5514 only from specific source ip with firewalld

willemdh asked:

I’ve been trying to find a way to forward traffic from a specific IP, e.g. 10.17.1.3, on port 514 to port 5514 with firewalld on CentOS.

This works:

  <masquerade/>
  <forward-port to-port="5514" protocol="udp" port="514"/>
  <forward-port to-port="5514" protocol="tcp" port="514"/>

Doesn’t work:

  <masquerade/>
  <rule family="ipv4">
    <source address="10.17.1.3"/>
    <forward-port to-port="5514" protocol="udp" port="514"/>
  </rule>

Which was added with:

sudo firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' source address='10.17.1.3' forward-port protocol='udp' port='514' to-port=5514"

Is there any way to achieve port forwarding only for a specific source ip with firewalld?

My answer:
As always, when selecting traffic by source address, you should avoid using rich rules to select by source address, and instead create a new firewalld zone which matches traffic from the relevant source addresses.

For example:

firewall-cmd --new-zone=syslogsources
firewall-cmd --zone=syslogsources --add-source=10.17.1.3
firewall-cmd --zone=syslogsources --add-forward-port=port=514:proto=udp:toport=5514

And after you have confirmed it works, save it:

firewall-cmd --runtime-to-permanent

View the full question and any other answers on Server Fault.
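Added illustration of why the zone-based approach in the answer selects traffic by source: firewalld decides the zone first (source bindings before the default zone) and only then applies that zone's forward-port rules. This is a small model written for this post, not firewalld's code; the `public` default zone, the /32 on the source, and the second test address 10.17.1.4 are assumptions.

```python
"""Model of firewalld zone dispatch by source address (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ForwardPort:
    port: int
    protocol: str
    to_port: int


@dataclass
class Zone:
    name: str
    sources: list = field(default_factory=list)        # CIDR strings
    forward_ports: list = field(default_factory=list)  # ForwardPort entries


# Constructed config mirroring the answer's firewall-cmd calls:
# a 'syslogsources' zone bound to 10.17.1.3 with 514/udp -> 5514, and an
# assumed 'public' default zone that forwards nothing.
ZONES = [
    Zone("syslogsources", sources=["10.17.1.3/32"],
         forward_ports=[ForwardPort(514, "udp", 5514)]),
    Zone("public"),
]
DEFAULT_ZONE = "public"


def zone_for(src_ip, zones=ZONES, default=DEFAULT_ZONE):
    """Pick the zone: a matching source binding wins, else the default zone."""
    addr = ipaddress.ip_address(src_ip)
    for zone in zones:
        if any(addr in ipaddress.ip_network(cidr) for cidr in zone.sources):
            return zone
    return next(z for z in zones if z.name == default)


def destination_port(src_ip, dport, proto, zones=ZONES):
    """Return (zone name, final port) after the chosen zone's forward-ports."""
    zone = zone_for(src_ip, zones)
    for fwd in zone.forward_ports:
        if fwd.port == dport and fwd.protocol == proto:
            return zone.name, fwd.to_port
    return zone.name, dport  # no forward-port matched in this zone
```

A datagram from 10.17.1.3 to 514/udp lands in `syslogsources` and is redirected to 5514; the same datagram from any other address falls through to `public` and keeps port 514.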

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.