firewalld: 端口转发无效
一,添加、删除转发端口
使防火墙支持ip伪装
# firewall-cmd --zone=public --add-masquerade
使linux内核支持ip的转发
确定ip_forward打开
# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
当前为 0,用 sysctl -w 临时设为 1(该方式只改运行时参数,重启后不保留;若要持久化需写入 /etc/sysctl.conf 或 /etc/sysctl.d/ 下的配置文件)
# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
添加规则(未指定 --zone 时作用于默认 zone;未加 --permanent 时仅为运行时规则,firewalld 重载或系统重启后会丢失):
# firewall-cmd --add-forward-port=port=8899:proto=tcp:toaddr=172.27.117.17:toport=8001
success
查看所有规则:
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: openvpn
ports: 80/tcp
protocols:
forward: yes
masquerade: yes
forward-ports:
port=8899:proto=tcp:toport=8001:toaddr=172.27.117.17
source-ports:
icmp-blocks:
rich rules:
只查看转发的端口:
# firewall-cmd --list-forward-ports
port=8899:proto=tcp:toport=8001:toaddr=172.27.117.17
删除规则
# firewall-cmd --zone=public --remove-forward-port=port=8899:proto=tcp:toport=8001:toaddr=172.27.117.17
success
二,报错
通过浏览器访问8899端口时提示被拒绝连接
三,解决:
经检查,firewalld 防火墙有两个 active 的 zone:public 和 trusted
把端口转发的命令放到 trusted 这个 zone 即可。原因是 forward-port 规则只对进入该 zone 所绑定的接口或源地址的流量生效,放在 public 里的规则对从 trusted 接口进来的流量不起作用;可先用 firewall-cmd --get-active-zones 确认入站接口属于哪个 zone,再把规则加到对应 zone。注意 trusted zone 默认放行所有入站流量,规则放进去前应确认这正是预期的暴露范围。