Unable to port forward between zones

I have a PC running Fedora 33 as a firewall/router. I have a public zone (internet facing, IP address like 68.132.0.x/24) and a home zone (internal/private IP address like 192.168.0.x/24). I set port forwarding to forward port 80 on the public zone to port 80 on the home zone. My zone configuration looks like so:

public (active)

target: DROP
icmp-block-inversion: no
interfaces: enp2s0
sources:
services: http
ports:
protocols:
masquerade: yes
forward-ports:
port=80:proto=tcp:toport=80:toaddr=192.168.0.254
source-ports:
icmp-blocks:
rich rules:

home (active)

target: default
icmp-block-inversion: no
interfaces: enp3s0
sources:
services: dhcp dhcpv6-client dns http mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

I have Apache httpd running on the internal network at IP 192.168.0.254, where Apache is hosting a page of static content. No matter what I try, the public zone is not forwarding traffic to the home zone on port 80. I can do a curl http://192.168.0.254 on the public zone machine and the static web page on 192.168.0.254 is returned, so I know that 192.168.0.254 is serving up the content properly and the firewall on that machine is allowing port 80 access.

I also tried doing the port forward as a direct rule, via fire --direct --add-rule ipv4 filter FORWARD 0 -i enp2s0 -o enp3s0 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT, but still no joy. The entire network is working properly, where NAT is working just fine and all clients can resolve external hosts and surf the web and such. Is there some config bit I'm missing?

Thanks.

Test the port from outside while monitoring the output:

sudo tcpdump -evni any tcp port 80

You shouldn't need extra rules, since port forwards match DNAT state, which is allowed by default.

I did a remote port scan and it shows port 80 open on the firewall, but I get a connection refused when trying to access the Apache static page.

The port forward is actually working just fine. I was testing the static web content via my phone and I forgot to turn off Wifi… /facepalm

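Added example, not code from the thread or from firewalld: a small Python checker for the two things this thread turned on. It parses the text that `firewall-cmd --zone=public --list-all` prints (a constructed copy of the thread's public zone is embedded as sample input), confirms the forward-port entry and masquerade are present (firewalld requires masquerade on the zone to forward to a different host), and flags a test client whose address is on the LAN: its packets arrive on the home interface rather than in the public zone, so the forward never matches and the router itself answers (or refuses) on port 80, which is exactly the phone-on-Wi-Fi symptom above. The function names, the LAN subnet argument and the client addresses are assumptions for the example.

```python
"""Sanity-check a firewalld port forward before testing it from a client.

Example added to the thread, not firewalld code. It reads the output of
`firewall-cmd --zone=<zone> --list-all` (sample below is a constructed copy
of the thread's public zone) and explains why a test from a given client
address may fail even though the forward is configured.
"""
import ipaddress
import re

# Constructed sample mirroring the thread's public zone listing.
SAMPLE_PUBLIC_ZONE = """\
public (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: http
  ports:
  protocols:
  masquerade: yes
  forward-ports:
\tport=80:proto=tcp:toport=80:toaddr=192.168.0.254
  source-ports:
  icmp-blocks:
  rich rules:
"""

# A field line looks like "masquerade: yes"; a forward-port entry
# ("port=80:proto=tcp:...") never matches because of the "=".
_FIELD_RE = re.compile(r"^([a-z][a-z -]*):\s*(.*)$")


def parse_zone(text):
    """Turn `firewall-cmd --list-all` output into a dict.

    The multi-line fields (forward-ports, rich rules) become lists of their
    continuation lines; every other field keeps its single string value.
    """
    zone = {"name": None, "forward-ports": [], "rich rules": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if zone["name"] is None:           # header line: "public (active)"
            zone["name"] = line.split()[0]
            continue
        m = _FIELD_RE.match(line)
        if m:
            current, value = m.group(1), m.group(2)
            if current in ("forward-ports", "rich rules"):
                if value:
                    zone[current].append(value)
            else:
                zone[current] = value
        elif current in ("forward-ports", "rich rules"):
            zone[current].append(line)    # indented continuation line
    return zone


def parse_forward_port(entry):
    """Split 'port=80:proto=tcp:toport=80:toaddr=192.168.0.254' into a dict."""
    return dict(part.split("=", 1) for part in entry.split(":"))


def check_forward(zone, lan_net, port, proto, toaddr, client_ip):
    """Return findings that explain why a test from client_ip may fail.

    lan_net is the internal subnet behind the router (assumed argument);
    client_ip is the address the test connection comes from. An empty list
    means the forward is configured and the client really is outside.
    """
    findings = []
    matching = [fp for fp in map(parse_forward_port, zone["forward-ports"])
                if fp.get("port") == str(port) and fp.get("proto") == proto]
    if not matching:
        findings.append(f"no forward-port for {proto}/{port} in zone {zone['name']}")
    elif not any(fp.get("toaddr") == toaddr for fp in matching):
        findings.append(f"forward-port for {proto}/{port} does not target {toaddr}")
    if zone.get("masquerade") != "yes":
        findings.append("masquerade is off; firewalld needs it to forward to another host")
    if ipaddress.ip_address(client_ip) in ipaddress.ip_network(lan_net):
        findings.append(f"client {client_ip} is on the LAN {lan_net}: its packets enter "
                        "the home zone, not the public zone, so the forward never "
                        "matches; test from outside (e.g. phone with Wi-Fi off)")
    return findings


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_PUBLIC_ZONE)
    for client in ("203.0.113.7", "192.168.0.23"):   # constructed test clients
        problems = check_forward(zone, "192.168.0.0/24", 80, "tcp", "192.168.0.254", client)
        print(client, "->", "looks good" if not problems else "; ".join(problems))
```

Run it on the real listing by piping `firewall-cmd --zone=public --list-all` into `parse_zone`; if the only finding is the LAN one, the forward is fine and the test setup is the problem, which is the conclusion the thread reached.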