[Article] | January 15, 2024
Firewalld Fedora IPV4 IPV6 Systemd

How To: Port Redirection with firewalld for IPv4 and IPv6

This guide shows how to redirect incoming traffic from privileged ports (80, 443) to unprivileged ports (8080, 4443) for both IPv4 and IPv6.

Prerequisites

  • firewalld [1][2] installed and running
  • Root or sudo access

Step 1: Check Current Configuration

# Check if firewalld is running
sudo systemctl status firewalld

# List current zones and rules
sudo firewall-cmd --list-all

Step 2: Add Port Redirection Rules

Method 1: Using Rich Rules

Rich rules give you explicit control over IPv4 and IPv6 separately:

# Add IPv4 port forwarding
sudo firewall-cmd --add-rich-rule='rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080'
sudo firewall-cmd --add-rich-rule='rule family=ipv4 forward-port port=443 protocol=tcp to-port=4443'

# Add IPv6 port forwarding  
sudo firewall-cmd --add-rich-rule='rule family=ipv6 forward-port port=80 protocol=tcp to-port=8080'
sudo firewall-cmd --add-rich-rule='rule family=ipv6 forward-port port=443 protocol=tcp to-port=4443'

Method 2: Using Forward-Port Rules

# Basic forward-port (IPv4 only by default)
sudo firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080

# For IPv6, specify the local IPv6 address
# (quoted so the shell does not treat [::1] as a glob pattern)
sudo firewall-cmd --add-forward-port='port=80:proto=tcp:toport=8080:toaddr=[::1]'

Step 3: Make Rules Permanent

# Option A: Make current runtime rules permanent
sudo firewall-cmd --runtime-to-permanent

# Option B: Add rules directly as permanent
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080'
# ... repeat for all rules with --permanent flag
sudo firewall-cmd --reload

Step 4: Verify Configuration

# Check rich rules
sudo firewall-cmd --list-rich-rules

# Check forward-port rules
sudo firewall-cmd --list-forward-ports

# Test the redirection
curl -4 http://your-server-ip        # Should reach port 8080
curl -6 http://[your-ipv6-address]   # Should reach port 8080
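
An added example (not part of the original guide): a POSIX shell check that reads `firewall-cmd --list-rich-rules` output and reports any redirect from this guide that is missing for one address family, so a port is not left redirected on IPv4 but not on IPv6. The sample output is constructed, and the function names `sample_rules` and `missing_redirects` are hypothetical.

```shell
#!/bin/sh
# Added example: verify IPv4/IPv6 parity of the redirects used in this guide.
# Port pairs (port:to-port) taken from the guide.
WANTED="80:8080 443:4443"

# Constructed sample of `firewall-cmd --list-rich-rules` output,
# with the IPv6 rule for port 443 deliberately left out.
sample_rules() {
cat <<'EOF'
rule family="ipv4" forward-port port="80" protocol="tcp" to-port="8080"
rule family="ipv4" forward-port port="443" protocol="tcp" to-port="4443"
rule family="ipv6" forward-port port="80" protocol="tcp" to-port="8080"
EOF
}

# Reads rich rules on stdin. Prints one "family port->to-port" line for
# each expected redirect that is absent; prints nothing when all exist.
missing_redirects() {
    rules=$(cat)
    for fam in ipv4 ipv6; do
        for pair in $WANTED; do
            port=${pair%%:*}; to=${pair##*:}
            # The leading space in ' port="' keeps to-port="80" from
            # being mistaken for port="80".
            printf '%s\n' "$rules" | awk -v f="$fam" -v p="$port" -v t="$to" '
                /forward-port/ && /protocol="tcp"/ &&
                index($0, "family=\"" f "\"") &&
                index($0, " port=\"" p "\"") &&
                index($0, "to-port=\"" t "\"") { found = 1 }
                END { exit !found }' || echo "$fam $port->$to"
        done
    done
}

# On a live host, feed the real output in instead of the sample:
#   sudo firewall-cmd --list-rich-rules | missing_redirects
if [ "${1:-}" = "--demo" ]; then sample_rules | missing_redirects; fi
```

Run the script with `--demo` to see the check flag the missing IPv6 rule in the constructed sample.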

Step 5: Enable IP Forwarding (if needed)

For some setups, you might need to enable IP forwarding:

# Check current status
cat /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv6/conf/all/forwarding

# Enable temporarily
sudo sysctl net.ipv4.ip_forward=1
sudo sysctl net.ipv6.conf.all.forwarding=1

# Make permanent
echo 'net.ipv4.ip_for
# Add rich rules that work for both IPv4 and IPv6
sudo firewall-cmd --zone=trusted --add-rich-rule='rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080'
sudo firewall-cmd --zone=trusted --add-rich-rule='rule family=ipv6 forward-port port=80 protocol=tcp to-port=8080'

Footnotes

  1. https://www.redhat.com/en/blog/beginners-guide-firewalld

  2. https://firewalld.org/

jee - 2026