Port Forwarding with the Firewall

Hands-On Lab


Photo of Michael Christian

Michael Christian

Course Development Director in Content





In this learning activity, you will need to configure port forwarding that will selectively forward web requests from one host to another.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Port Forwarding with the Firewall

The Scenario

A business unit is requesting the ability to serve content from an in-development web stack to a subnet, in order to facilitate validation and testing.

We have three hosts:

  • Server1 The current web server
  • Server2 The in-development web server
  • Client1 For testing

We need to configure Server1 so that incoming web traffic (port 80) requests from are forwarded to Server2. Requests from all other sources should remain unforwarded. We will need to do this using firewalld.

Logging In

Use the login information on the hands-on lab overview page to access the servers with SSH. Pay attention to the shell prompts in the lab guide, as they'll indicate which server we're in when we run a command.

Verify port 80 is open on Server1 and Server2

We'll want to verify that content is being served over port 80 on both Server1 and Server2.

From Client1

We can verify web content availability from Server1 and Server2 with these commands:

[cloud_user@Client1]$ curl
[cloud_user@Client1]$ curl

Create a Zone, testing, to Handle the Subnet Requests

On Server1

Once we're logged in, become root (with the su - command).

Create a new firewall zone and reload the configuration, to pick up the new zone:

[root@Server1]# firewall-cmd --permanent --new-zone=testing
[root@Server1]# firewall-cmd --reload

Add the subnet as the source:

[root@Server1]# firewall-cmd --permanent --zone=testing --add-source=`

Make sure http as a service is added and reload the configuration again to pick up these changes:

[root@Server1]# firewall-cmd --permanent --zone=testing --add-service=http`
[root@Server1]# firewall-cmd --reload

Enable Masquerading for the Zone

We need to enable masquerading for the zone, in order to permit forwarding, and reload again:

[root@Server1]# firewall-cmd --permanent --zone=testing --add-masquerade
[root@Server1]# firewall-cmd --reload

Add the Forwarding Rule to the Zone

We have to add a rule that forwards traffic coming in from the testing zone on port 80 out to, and reload the configuration again:

[root@Server1]# firewall-cmd --permanent --zone=testing  
[root@Server1]# firewall-cmd --reload

Confirm the Port is Forwarded

We can confirm that the port is forwarded by running curl on the site from Client1:

[cloud_user@Client1]# curl

We see web content from Server2. To test further, we can run curl on the public IP of Server1, and we'll see Server1 web content instead. That's good, because we only wanted to forward traffic coming from the specified subnet.


Here's the rundown of what we've done. We confirmed that Client1 can access the web servers on Server1 and Server2 directly. In the firewall on Server1, we added a new zone called testing. Then we added the subnet Client1 is sitting in as a source for zone testing, opened port 80, enabled masquerading. Finally, we added a "forward" port, so any traffic coming from the specified subnet on port 80 is forwarded from Server1 to Server2.

That's quite a job. Congratulations!