Firewalld – How to Port Forward Privileged Sub-1024 Port to Non-Privileged Port

The Question

How do you port forward a privileged sub-1024 port to a non-privileged 1024+ port with firewalld?

The Reason

Why we are doing this? We want to be able to switch the non-privileged 1050 port on the gateway and use a different upstream mail server. For example, to test a different spam solution, use port 1051 to send mail to a different mail server with a different spam filtering solution.

The mail servers automatically connect to the gateway when they start. The automatic connect can only happen on non-privileged ports that are 1024+.

The Layout and Setup

Layout

+--------+         +---------------------+         +----------------+
|  WAN   |         |                1050 | <-      |                |
| Client |         |       Gateway       |    \    |   Mail Server  |
|        |  <--->  | 25                  |      -> | 25             |
+--------+         +---------------------+         +----------------+

Setup Firewall

Clear the firewall, open the port, set the port forward, and add a few services.

root@gateway:~# firewall-cmd --reload
root@gateway:~# firewall-cmd --zone=public --add-port=25/tcp
root@gateway:~# firewall-cmd --zone=public --add-forward-port=port=25:proto=tcp:toport=1050
root@gateway:~# firewall-cmd --add-service={http,https,smtp}

Verify Firewall

Confirm the firewall settings…

root@gateway:~# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: etho0
  sources: 
  services: dhcpv6-client http https smtp ssh
  ports: 25/tcp
  protocols: 
  masquerade: no
  forward-ports: port=25:proto=tcp:toport=1050:toaddr=
  source-ports: 
  icmp-blocks: 
  rich rules: 

This is what we expected to see in firewall rules.

The Result

This is what we get when we telnet the upstream mail server on the gateway…

root@gateway:~# telnet localhost 1050
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 debian10email.debian10email ESMTP Postfix (Debian/GNU)

This is what we get from a remote client machine…

client@client123:~$ telnet gateway.example.org 25
Trying <IP_of_gateway>...
Connected to gateway.example.org.
Escape character is '^]'.

We are expecting to also see the 220 debian10email.debian10email ESMTP Postfix (Debian/GNU) line, but are not.

Sanity Check…

The Test

Just to confirm the port forward rules are being written correctly, we…

• Open port 1025 on the firewall.
• Port forward 1025 to 1050
• And then check what we see on the remote client.

Adjust firewall

Clear the firewall, open the port, set the port forward, and a few services.

root@gateway:~# firewall-cmd --reload
root@gateway:~# firewall-cmd --zone=public --add-port=1025/tcp
root@gateway:~# firewall-cmd --zone=public --add-forward-port=port=1025:proto=tcp:toport=1050
root@gateway:~# firewall-cmd --add-service={http,https,smtp}

Verify Firewall

root@gateway:~# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: etho0
  sources: 
  services: dhcpv6-client http https smtp ssh
  ports: 1025/tcp
  protocols: 
  masquerade: no
  forward-ports: port=1025:proto=tcp:toport=1050:toaddr=
  source-ports: 
  icmp-blocks: 
  rich rules: 

The Result

client@client123:~$ telnet gateway.example.org 1025
Trying <IP_of_gateway>...
Connected to gateway.example.org.
Escape character is '^]'.
220 debian10email.debian10email ESMTP Postfix (Debian/GNU)

We have the expected 220 debian10email.debian10email ESMTP Postfix (Debian/GNU) line, so the firewall is port forwarding as expected.

Conclusion

Forwarding between privileged and non-privileged ports is different from forwarding between non-privileged ports.

How do we port forward a privileged sub-1024 port to a non-privileged 1024+ port with firewalld on Debian 10 Buster? If there is an answer somewhere, please point it out. We have not been able to find it.