Susefirewall: redirect an external IP-call to an internal server


We own a static external IP.
I'm redirecting external calls to our intranet server so we can use our internal forum software, using SuSEfirewall2 with "FW_FORWARD_MASQ". This works well.

Calling from the internal network (intranet) doesn't work; our superordinate IT doesn't allow using the external IP from the intranet.

I tried the following solution on our internet proxy server:
If a call comes from the network for the address on port 30443, redirect the call to the IP using port 30443.

My implementation in SuSEfirewall2:

Based on the example in the documentation:

Examples:
- ",,tcp,80" forward all tcp requests on port 80 coming from the network to the internal server
- ",,tcp,80,81" forward all tcp requests on port 80 coming from the network to the internal server on port 81
- ",,tcp,80,81," the network trying to access the address on port 80 will be forwarded to the internal server on port 81

But it doesn't work.
Any idea?

Thanks for your help,

Do you control your own intranet DNS?
If so, can you configure it as a normal DNS instead of a forwarding-only DNS? If this is possible, then your solution is simple: create your intranet's domain zone and populate it with internal IP addresses instead of the public IP addresses on the Internet.

This is a variation on "DNS poisoning", but one where you do it intentionally for good; it is not a malicious hack.

Even if you can't do this with an intranet DNS, for a small network you can distribute a custom Hosts file with the required records pointing to intranet addresses, and if you want to ease managing so many Hosts files, they can often be distributed using DHCP.


On Leap 15 you should have firewalld instead of SuSEfirewall2. Is this an upgrade of a previous openSUSE version?
You should have a script installed, susefirewall2-to-firewalld, to migrate. Firewalld has a nice interface (a bit of a learning curve) with lots of options.
And yes, it provides port forwarding.

If I understand the following from the @OP, simply changing the firewall management isn't enough:

our superordinate IT doesn't allow using the external IP from the intranet.

The solution I propose points each host in the private network to the private IP address of the web server, instead of to the public IP address and then performing a hairpin turn through the external firewall to the internal web server.
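For readers who want to see what the "hairpin turn" mentioned above actually consists of at the packet-filter level, here is an added example; it is not from this thread, from SuSEfirewall2, or from firewalld, but the raw iptables rules that both tools generate underneath. It prints (does not apply) the three rules needed for one forwarded TCP port: a DNAT for LAN clients dialling the public IP, an SNAT so the server's reply returns through the firewall instead of going straight to the client, and the matching FORWARD accept. Every interface name, address and port in it is a hypothetical placeholder chosen for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread, SuSEfirewall2 or firewalld): emit the
# iptables rules for a "hairpin" (NAT loopback) forward, so that intranet
# clients can open the forum on the public IP and still get replies back
# through the firewall. All names/addresses below are hypothetical
# placeholders; review the output and run it as root only on your own box.

# Return 0 if $1 is a valid TCP port number (1-65535), 1 otherwise.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rules for one forwarded port. Nothing is applied here; pipe the
# output to "sh" as root once you have checked it.
#   $1 LAN interface          (e.g. eth1; server assumed on the same LAN side)
#   $2 LAN network            (e.g. 192.168.1.0/24)
#   $3 public IP              (what the outside world and the intranet dial)
#   $4 internal server IP
#   $5 TCP port               (same port on both sides in this example)
#   $6 firewall's own LAN IP  (used as the SNAT source)
hairpin_rules() {
  lan_if=$1
  lan_net=$2
  ext_ip=$3
  srv_ip=$4
  port=$5
  fw_lan_ip=$6
  valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }

  # 1. DNAT: a LAN client connecting to ext_ip:port is steered to the server.
  #    The equivalent DNAT for packets arriving on the external interface is
  #    what the existing external port forward already provides; this rule
  #    covers the LAN side, which that forward does not match.
  printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$lan_if" "$lan_net" "$ext_ip" "$port" "$srv_ip" "$port"

  # 2. SNAT: without it the server sees the client's real LAN address and
  #    answers it directly on the LAN, bypassing the firewall; the client then
  #    gets a reply from srv_ip instead of ext_ip and resets the connection.
  #    Rewriting the source to the firewall's LAN IP forces the reply back
  #    through the firewall, which un-NATs both directions. Caveat: the server
  #    logs will show fw_lan_ip, not the real client, for these connections.
  printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
    "$lan_if" "$lan_net" "$srv_ip" "$port" "$fw_lan_ip"

  # 3. Let the hairpinned flow through the FORWARD chain (in and out on the
  #    same LAN interface, since client and server share that side).
  printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
    "$lan_if" "$lan_if" "$srv_ip" "$port"
}

# Constructed sample invocation (RFC 5737 documentation range for the public
# IP, RFC 1918 for the LAN); uncomment to print the rules:
# hairpin_rules eth1 192.168.1.0/24 203.0.113.10 192.168.1.20 30443 192.168.1.1
```

Note that this is the firewall-side alternative to the split-horizon DNS approach proposed above: DNS pointing intranet hosts at the private address needs no NAT rules at all, while the hairpin keeps a single public hostname working everywhere at the cost of the SNAT hiding client addresses from the server.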