RHEL Port Forwarding Using Firewalld

Never underestimate the simplicity of a feature and the complications of a network.

RHEL 7 uses firewalld, which has a very simple syntax for port forwarding across the incoming port of an external interface to a NATed IP on an internal device. No matter what I tried in variations from the base documentation I simply could not get it to work.

In this configuration, note that I have eth0 on NetworkManager external zone with masquerade and eth1 on zone internal.

I even tried using pure iptables through firewalld:

This still did not work. Short of switching my system completely to iptables out of belief that something was wonky in firewalld, I was out of options. I found this particular person with a very similar story: https://forums.centos.org/viewtopic.php?t=52697.

So here’s the fun part. Testing an inbound port forward from inside your own network is a bit troublesome. Routing rules play some magic here, and I’d love to dig into the real explanation behind it at some point. You shouldn’t be testing ingress to your network through port forwarding from within your own network. That seems reasonable doesn’t it? I’ve known this before, so in these cases, I use my phone tethered to my laptop as a secondary external network that is COMPLETELY separate from my internal network. Except, it isn’t so when wifi on my phone is active!! Of course, your phone is going to use the fastest provided internet connection, which happens to be wifi when it is available. So, when I thought I was connected to an external network through my phone, and I had not noticed it was using my wifi network, I was really still on my own internal network. Disconnecting the wifi on the phone, refreshing all my connections/interfaces there, and then testing the exact above configuration straight out of the documentation turns out to work perfectly fine. Wow…​ four hours wasted…​

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-port_forwarding