Consul port forwarding using firewalld

Hi Team,

We need a suggestion on the use case below that we are trying.

Consul servers are running on CentOS 7, and we had implemented BIND and iptables to do port forwarding for the requests on 53 to 8600. However, we are trying to achieve the same by only using ‘firewalld’ rules similar to those below. Can you let us know if this is a good approach, or whether there could be any functional challenges?

firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p tcp --dport 53 -j REDIRECT --to-ports 8600
firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p udp --dport 53 -j REDIRECT --to-ports 8600
firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p tcp --dport 53 -j REDIRECT --to-ports 8600
firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p udp --dport 53 -j REDIRECT --to-ports 8600

Thanks,
Srinidhi
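A way to verify the rule set above on a host after `firewall-cmd --reload`, as an added example that is not part of the thread or of HashiCorp's documentation: it parses the output of `firewall-cmd --direct --get-all-rules`, confirms that PREROUTING and OUTPUT each carry a tcp and a udp 53-to-8600 redirect, and flags OUTPUT rules that have no `-d` destination match (such a rule also captures the host's own upstream DNS queries, which is why the HashiCorp guide's OUTPUT rules are limited with `-d localhost`). The sample rule listing is constructed; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or HashiCorp): verifies the four
# firewalld direct REDIRECT rules for DNS (53 -> 8600) in the output of
# `firewall-cmd --direct --get-all-rules`, and warns when an OUTPUT rule
# redirects DNS for every destination instead of localhost only.

# Constructed sample of what `firewall-cmd --direct --get-all-rules` prints
# after the four rules from the post are added (OUTPUT rules unrestricted).
SAMPLE_RULES='ipv4 nat PREROUTING 0 -p tcp --dport 53 -j REDIRECT --to-ports 8600
ipv4 nat PREROUTING 0 -p udp --dport 53 -j REDIRECT --to-ports 8600
ipv4 nat OUTPUT 0 -p tcp --dport 53 -j REDIRECT --to-ports 8600
ipv4 nat OUTPUT 0 -p udp --dport 53 -j REDIRECT --to-ports 8600'

# count_dns_redirects RULES CHAIN PROTO: number of 53->8600 redirects in CHAIN for PROTO
count_dns_redirects() {
    printf '%s\n' "$1" |
        grep -c -- "^ipv4 nat $2 .*-p $3 .*--dport 53 .*-j REDIRECT --to-ports 8600" || true
}

# check_dns_redirects RULES: exit 0 when PREROUTING and OUTPUT each have a tcp
# and a udp redirect; otherwise list the missing combinations and exit 1.
check_dns_redirects() {
    missing=0
    for chain in PREROUTING OUTPUT; do
        for proto in tcp udp; do
            if [ "$(count_dns_redirects "$1" "$chain" "$proto")" -eq 0 ]; then
                echo "missing: $chain $proto 53 -> 8600" >&2
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# count_unrestricted_output RULES: OUTPUT redirects with no "-d" destination match.
# Such a rule also catches the host's own outbound DNS queries (including any
# recursor lookups Consul makes) and loops them back into port 8600.
count_unrestricted_output() {
    printf '%s\n' "$1" | grep -- '^ipv4 nat OUTPUT .*--dport 53 ' | grep -vc -- ' -d ' || true
}

# Live check on a Consul host; uses the constructed sample when firewall-cmd
# is not installed so the script also runs offline.
main() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        rules=$(firewall-cmd --direct --get-all-rules)
    else
        rules=$SAMPLE_RULES
    fi
    check_dns_redirects "$rules" && echo "all four DNS redirect rules are present"
    n=$(count_unrestricted_output "$rules")
    [ "$n" -gt 0 ] && echo "warning: $n OUTPUT rule(s) redirect DNS for every destination"
    return 0
}
case "${1:-}" in run) main ;; esac
```

Run it as `sh check_dns_redirect.sh run` on the Consul host; running `firewall-cmd --direct --get-all-rules` needs root.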

Hi @KRISHS68,

I don’t have hands-on experience with firewalld, but it looks to just be a higher-level wrapper around iptables.

The rule set you shared looks very similar to the iptables example we have on our Learn site for configuring Consul DNS forwarding (https://learn.hashicorp.com/consul/security-networking/forwarding#iptables-setup). I don’t believe you need to make any modifications to that rule set to achieve the desired DNS redirection.

Thanks for your reply. We see that on CentOS 7 the configured iptables rules are getting cleared somehow by the firewalld service, and port forwarding is sometimes not happening.

Should we update only iptables and leave firewalld unchanged?

It's difficult to make a recommendation when I do not fully understand your use case for either tool. However, I think you should choose the tool you have the most administrative experience with, and the one which allows you to achieve your desired configuration.

I apologize that I am not able to offer you a better answer. You may want to consider posting your question to a CentOS message board or mailing list. I imagine that audience would have more familiarity with firewalld & would be in a better position to assist.

Best regards,

Blake