How to forward incoming external packets to local port on 127.0.0.1


For security purposes, I am figuring out a way to forward incoming external packets to a local port on 127.0.0.1.
I am trying to achieve this using firewalld.

I have a service running on 127.0.0.1 9200.

[root@development services]# netstat -atunp | grep 9200
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 28609/java
tcp6 0 0 ::1:9200 :::* LISTEN 28609/java

I am trying to redirect packets sent to tcp/18400 to 127.0.0.1:9200.
I have defined firewalld in external zone as below. eth0 is 192.168.11.13

external (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports: port=18400:proto=tcp:toport=9200:toaddr=127.0.0.1
sourceports:
icmp-blocks:
rich rules:

Packet seems to come to the server to port 18400 but it is not redirecting to 127.0.0.1:9200.

[root@development services]# tcpdump -i any -nn port 18400
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
19:35:45.613142 IP 192.168.11.2.56184 > 192.168.11.13.18400: Flags [S], seq 3373563218, win 29200, options [mss 1460,sackOK,TS val 37682409 ecr 0,nop,wscale 7], length 0
19:35:46.659700 IP 192.168.11.2.56184 > 192.168.11.13.18400: Flags [S], seq 3373563218, win 29200, options [mss 1460,sackOK,TS val 37683456 ecr 0,nop,wscale 7], length 0

I was able to redirect if the service was running on 192.168.11.13:9200.
Is it possible to redirect to service running on 127.0.0.1 with firewalld?

Responses

Hello, I think that for security reasons this is disabled by default. Try sysctl -a | grep route_localnet and see if it's disabled for that interface. Then try sysctl -w net.ipv4.conf.eth0.route_localnet=1.
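The answer points at the route_localnet sysctl; the check below is an added example (not part of this thread, not firewalld's own code) that ties the two pieces together: it parses a zone listing in the `firewall-cmd --zone=... --list-all` format shown in the question and the output of `sysctl -a | grep route_localnet`, and flags every forward-port that targets a loopback address on an interface where route_localnet is still 0. Both inputs are constructed samples copied from the thread; the listing parser assumes space-separated forward-port rules with IPv4 toaddr values, and the effective value follows the kernel rule that either net.ipv4.conf.all or the interface's own setting enables it.

```python
import ipaddress
import re

# Constructed sample: the zone listing from the question
# (output format of `firewall-cmd --zone=external --list-all`)
ZONE_DUMP = """\
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports: port=18400:proto=tcp:toport=9200:toaddr=127.0.0.1
  sourceports:
  icmp-blocks:
  rich rules:
"""

# Constructed sample: what `sysctl -a | grep route_localnet` prints on a default host
SYSCTL_DUMP = """\
net.ipv4.conf.all.route_localnet = 0
net.ipv4.conf.default.route_localnet = 0
net.ipv4.conf.eth0.route_localnet = 0
net.ipv4.conf.lo.route_localnet = 0
"""

SYSCTL_RE = re.compile(r"^net\.ipv4\.conf\.(.+)\.route_localnet\s*=\s*(\d+)$")


def parse_zone(dump):
    """Parse a `--list-all` zone listing into name, interfaces and forward-port rules.

    Assumption: rules on the forward-ports line are space-separated and use IPv4
    toaddr values (the rule fields themselves are ':'-separated, so an IPv6 toaddr
    would need a different split).
    """
    lines = [line for line in dump.splitlines() if line.strip()]
    name = lines[0].split()[0]
    fields = {}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        fields[key.strip()] = value.strip()
    rules = []
    for rule in fields.get("forward-ports", "").split():
        rules.append(dict(kv.split("=", 1) for kv in rule.split(":")))
    return {
        "name": name,
        "interfaces": fields.get("interfaces", "").split(),
        "forward_ports": rules,
    }


def parse_sysctl(dump):
    """Map interface name (including the 'all' and 'default' pseudo-entries) to its route_localnet value."""
    values = {}
    for line in dump.splitlines():
        match = SYSCTL_RE.match(line.strip())
        if match:
            values[match.group(1)] = int(match.group(2))
    return values


def audit(zone, route_localnet):
    """Cross-check every forward-port that targets a loopback address against the
    route_localnet setting of each interface bound to the zone. The kernel treats
    the setting as enabled when either conf.all or the interface's own value is non-zero."""
    findings = []
    for rule in zone["forward_ports"]:
        toaddr = rule.get("toaddr", "")
        if not toaddr or not ipaddress.ip_address(toaddr).is_loopback:
            continue  # forwarding to a routable address does not depend on route_localnet
        for iface in zone["interfaces"]:
            enabled = bool(route_localnet.get("all", 0) or route_localnet.get(iface, 0))
            findings.append({
                "zone": zone["name"],
                "interface": iface,
                "rule": f"{rule.get('proto', '?')}/{rule.get('port', '?')} -> {toaddr}:{rule.get('toport', '?')}",
                "enabled": enabled,
            })
    return findings


def remediation(finding):
    """The sysctl command from the answer, for the interface the finding is about."""
    return f"sysctl -w net.ipv4.conf.{finding['interface']}.route_localnet=1"


def report(findings):
    """Print one line per finding: whether the DNAT to loopback can take effect and what to do."""
    for f in findings:
        if f["enabled"]:
            print(f"{f['zone']}/{f['interface']}: {f['rule']} can be delivered; route_localnet=1 "
                  "lets packets arriving on this interface reach 127/8, so keep the forward rule "
                  "as the only exposed path to the loopback service")
        else:
            print(f"{f['zone']}/{f['interface']}: {f['rule']} cannot be delivered, the kernel "
                  f"rejects 127/8 destinations on this interface while route_localnet=0; run: {remediation(f)}")


if __name__ == "__main__":
    report(audit(parse_zone(ZONE_DUMP), parse_sysctl(SYSCTL_DUMP)))
```

Run against the thread's samples, the audit reports the single forward-port on eth0 as undeliverable and prints the same `sysctl -w net.ipv4.conf.eth0.route_localnet=1` command the answer suggests. Once that sysctl is set, the same check still prints a line for the rule, now noting that the interface can reach loopback, which is the exposure the original poster wanted to keep limited to the forwarded port.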
