
firewalld as a firewall / router

asked 2015-07-28 09:47:35 -0500

javierwilson

I'm a fan of firewalld (using it on f22); very intuitive, very easy to start using it as a router: you have two interfaces on your computer-router, one of them "internal", the other one "external"; you enable net.ipv4.ip_forward, and masquerade is already enabled on the external zone, so... that's it.

But then, I want to control which ports I allow forwarding, and I mean the FORWARD table not the "forward-ports" option. Basically I want to control what users behind my router can do, I want to allow them to browse the internet, and check their email: forward ports dns, http, https, pop, pops, imap, imaps from interface/zone internal to interface/zone external.

Using iptables this required two things (eno2 is my internal interface):

1) allow FORWARD for such tcp ports

-A FORWARD -i eno2 -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eno2 -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT

2) REJECT all other FORWARD requests

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Any idea, how to accomplish this using firewalld?


2 Answers


answered 2015-07-28 10:22:25 -0500

BRPocock

You can add iptables rules directly, if you like. See “Direct Options” in man 1 firewall-cmd



That's definitely one way to do it... However I end up with so many direct rules that I have a feeling I might as well switch back to iptables.

javierwilson ( 2015-07-29 06:32:23 -0500 )

not loving the answer but it does seem the only way to get this done using firewalld.

javierwilson ( 2015-08-06 21:35:13 -0500 )
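One way to spell out the direct-rule approach BRPocock points at, as an added example that is not code from this thread or from firewalld's own documentation: a small POSIX shell script that turns the asker's two iptables steps into `firewall-cmd --direct` commands. It assumes eno2 is the internal interface (taken from the question) and uses the asker's browsing/mail port list; the function only prints the commands, so the resulting policy can be reviewed before it is applied by piping the output into sh on the router.

```shell
#!/bin/sh
# Added example, not code from the thread: express the asker's two iptables
# steps as firewalld "direct" rules. The function PRINTS firewall-cmd
# invocations rather than running them, so the policy can be reviewed first.
# Assumptions: eno2 is the internal interface (from the question); the port
# list in the demo call is the asker's browsing/mail set; IPv4 only.

# gen_forward_policy IFACE [PROTO/]PORT...
# Direct rules are evaluated in ascending priority order inside firewalld's
# FORWARD_direct chain, so the catch-all REJECT gets the highest number and
# is checked last, exactly like the asker's final iptables rule.
gen_forward_policy() {
    iface="$1"; shift
    prio=0
    base="firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD"
    # Replies to already-accepted connections must pass whatever the port.
    # firewalld normally accepts RELATED,ESTABLISHED before jumping to the
    # direct chain; repeating it here keeps the policy self-contained.
    printf '%s %s\n' "$base $prio" \
        "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    prio=$((prio + 1))
    for spec in "$@"; do
        case "$spec" in
            */*) proto="${spec%%/*}"; port="${spec#*/}" ;;   # e.g. udp/53
            *)   proto=tcp; port="$spec" ;;                  # bare number = tcp
        esac
        # Equivalent of the asker's
        #   -A FORWARD -i eno2 -m conntrack --ctstate NEW -p tcp --dport N -j ACCEPT
        printf '%s %s\n' "$base $prio" \
            "-i $iface -m conntrack --ctstate NEW -p $proto --dport $port -j ACCEPT"
        prio=$((prio + 1))
    done
    # Equivalent of the asker's  -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    printf '%s %s\n' "$base $prio" "-j REJECT --reject-with icmp-host-prohibited"
    # --permanent rules only take effect after a reload.
    printf '%s\n' "firewall-cmd --reload"
}

# Demo: DNS (tcp and udp), HTTP, HTTPS, POP3, POP3S, IMAP, IMAPS from eno2.
# Review the printed commands, then apply them with:  sh forward-policy.sh | sh
gen_forward_policy eno2 udp/53 tcp/53 80 443 110 995 143 993
```

After the reload, `firewall-cmd --direct --get-all-rules` and `iptables -S FORWARD_direct` should show the ACCEPT rules ahead of the REJECT. Note that the catch-all REJECT, like the asker's original rule, applies to every forwarded packet in either direction, not only to traffic arriving on eno2.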

answered 2015-07-28 22:43:21 -0500

updated 2015-07-28 22:45:09 -0500

Masquerade does NAT; all the connections are initiated from the inside. To allow forwarding of connections initiated from the outside, firewall-cmd helpfully offers a number of commands. Here's the one to get you started, from man firewall-cmd:

  [--permanent] [--zone=zone] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=timeval]
       Add the IPv4 forward port for zone. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards. timeval is either a number (of seconds) or number followed by one of characters s (seconds), m (minutes), h (hours), for example 20m or 1h.

       The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp or udp. The destination address is a simple IP address.

       The --timeout option is not combinable with the --permanent option.

       For IPv6 forward ports, please use the rich language.

so as an example, you would do:

firewall-cmd  --add-forward-port port=2222:proto=tcp:toport=22:toaddr= --zone external


Masquerade works great, that's not the problem. And --add-forward-port solves another issue: your example shows how to redirect an incoming connection (on external) from port 2222 to port 22 address. That's more like pre-routing REDIRECT than FORWARD. I explained in my question this is not what I need.

javierwilson ( 2015-07-29 06:45:14 -0500 )

Forward is a preexisting term that has one widely accepted meaning; if you mean something else, you need to use different words to describe it.

randomuser ( 2015-08-02 15:14:16 -0500 )

That's why I said "the FORWARD table", because that's the name iptables uses for this table. And I also added: not the "forward-ports" option. pleeeease....

javierwilson ( 2015-08-06 21:34:37 -0500 )

So, you only want clients inside the NAT to have access on the specified ports, and no masquerading for non-specified ports?

randomuser ( 2015-08-07 00:12:34 -0500 )


Last updated: Jul 28 '15