Port forwarding with firewall-cmd

port-forwarding centos7 firewalld virtual-machines

Mixing firewalld with libvirt can get you into this sort of situation.

By default with a "NAT" network, libvirt's networking will set up masquerade rules so that the VMs can access the legacy IPv4 Internet. But, libvirt blocks all incoming connections to "NAT" networks.

The solution is to change the network to a normal routed network, and then let firewalld handle any masquerading that you might require.

For instance, you would edit the network XML and change

  <forward mode='nat'/>

to

  <forward mode='route'/>

I recommend you change all libvirt NAT networks to routed, in this scenario, not just the one you want to forward ports to, if you want to allow the networks to communicate with each other.

Then you set masquerading on the firewalld zone corresponding to the interface connected to the rest of the Internet. For example:

firewall-cmd [--permanent] --zone=public --add-masquerade

(With firewalld 0.4.4.6 or later, you should not use this, but instead create a rich rule for IPv4 masquerade. These versions have a misfeature that causes an IPv6 masquerading rule to also be added when using --add-masquerade, which will break IPv6 connectivity.)

firewall-cmd [--permanent] --zone=public --add-rich-rule='rule family=ipv4 masquerade'

Related

Unable to login to Azure SQL Server using Azure Active Directory account
Tell nginx to SSL encrypt specific PHP documents
How can I prevent apache DoS flood?
Possible DNS Server memory leak
Recommended storage system for video streaming server [closed]
Unable to connect as a database contained user to an Azure SQL database
AS/400 error message - Cannot allocate device
VirtualHost not directing properly based on domain name
Debian squeeze kernel backports upgrade - moving forward?
CentOS - Percona MySQL - Not Reading /etc/my.cnf
Restrict login to SQL availability groups
nginx reverse proxy glassfish issues