CENTOS7-FIREWALLD Port Forwarding (for shadowsocks)
To redirect inbound network packets from one port or address to an alternative port or address, first enable IP masquerading for a zone, such as external, by entering the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To forward packets to a local port, which is a port on the same system, enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753
In this example, packets for port 22 are now forwarded to port 3753. The original destination port is specified with the port option, which can be a single port or a range of ports, combined with the protocol. The protocol, if specified, must be either tcp or udp. The new local port or range of ports to which the traffic is being forwarded is specified with the toport option. To make this setting permanent, add the --permanent option and reload the firewall.
To forward packets to another IPv4 address, typically an internal address, without changing the destination port, enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55
In this example, packets for port 22 are now forwarded to the same port at the given address specified by toaddr. The original destination port is specified with port. The port option can be a single port or a range of ports, combined with the protocol. The protocol, if specified, must be either tcp or udp. The new destination port or range of ports to which the communication is being forwarded is specified with the toport option. To make this setting permanent, add the --permanent option and reload the firewall.
To forward packets to another IPv4 address, typically an internal address, and another port, enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55
In this example, packets for port 22 are now forwarded to port 2055 at the address given with toaddr. The original destination port is specified with port. The port option can be a single port or a range of ports, combined with the protocol. The protocol, if specified, must be either tcp or udp. The new destination port or range of ports to which the communication is being forwarded is specified with the toport option. To make this setting permanent, add the --permanent option and reload the firewall.
firewall-cmd --reload # Reload the firewall configuration
firewall-cmd --list-all # View all information
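The steps above combined into one script, as an added example that is not part of the original page: it validates the port, protocol, toport and toaddr values before touching the firewall, writes the rule with --permanent, reloads, and then confirms the rule is active. The function names are hypothetical; only the firewall-cmd options are real.

```shell
#!/bin/sh
# Added example: validate a forward-port rule, persist it, then verify it.
# Function names are hypothetical; only the firewall-cmd options are real.

valid_port() (   # single port or low-high range within 1-65535
    case "$1" in ''|*[!0-9-]*|-*|*-|*-*-*) exit 1 ;; esac
    lo=${1%-*}; hi=${1#*-}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
)

valid_ipv4() (   # dotted quad, each octet 0-255
    case "$1" in *[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do [ "$octet" -le 255 ] || exit 1; done
)

# build_forward_spec PORT PROTO TOPORT TOADDR  (TOPORT or TOADDR may be '')
build_forward_spec() (
    port=$1 proto=$2 toport=$3 toaddr=$4
    valid_port "$port" || { echo "bad port: $port" >&2; exit 1; }
    case "$proto" in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; exit 1 ;; esac
    [ -n "$toport$toaddr" ] || { echo "need toport and/or toaddr" >&2; exit 1; }
    spec="port=$port:proto=$proto"
    if [ -n "$toport" ]; then
        valid_port "$toport" || { echo "bad toport: $toport" >&2; exit 1; }
        spec="$spec:toport=$toport"
    fi
    if [ -n "$toaddr" ]; then
        valid_ipv4 "$toaddr" || { echo "bad toaddr: $toaddr" >&2; exit 1; }
        spec="$spec:toaddr=$toaddr"
    fi
    printf '%s\n' "$spec"
)

# apply_forward ZONE PORT PROTO TOPORT TOADDR  (run as root)
apply_forward() (
    zone=$1; shift
    spec=$(build_forward_spec "$@") || exit 1
    firewall-cmd --permanent --zone="$zone" --add-masquerade &&
    firewall-cmd --permanent --zone="$zone" --add-forward-port="$spec" &&
    firewall-cmd --reload &&
    firewall-cmd --zone="$zone" --query-masquerade &&
    firewall-cmd --zone="$zone" --query-forward-port="$spec"
)

# Only touch the firewall when arguments are given.
[ "$#" -eq 0 ] || apply_forward "$@"
```

Saved under a name of your choice and run as root with, for example, the arguments external 22 tcp 2055 192.0.2.55, it exits non-zero if any step fails or if the rule is not active after the reload.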