How to Properly Forward Port 80 to 8080 for JBoss on CentOS 7 Using Firewall-cmd


When setting up JBoss/WildFly on port 80 we immediately hit the Linux port restriction: only root (or a process holding CAP_NET_BIND_SERVICE) can bind to ports below 1024. Running JBoss as root would technically solve this, but a servlet container running as root turns every deployment bug, deserialization flaw or exposed management console into a full root compromise. Port forwarding is the usual way out: JBoss keeps listening on 8080 as an unprivileged user, and the kernel rewrites inbound port-80 traffic to 8080 before it ever reaches the process.

A bare --add-forward-port is what most people try first, and it is the right idea. The working configuration is shorter than the one usually copied around, because two of the commonly added pieces are not needed for a local redirect and both widen exposure. Make sure the zone you configure is the one bound to your interface (firewall-cmd --get-active-zones); public is used here:

# Permanently open port 80 in the zone. This is harmless and documents intent,
# but do NOT open 8080 as well: the forward rule accepts the traffic it
# redirects on its own, and opening 8080 exposes the backend port directly.
firewall-cmd --permanent --zone=public --add-port=80/tcp

# Add the port forward rule (note the colon-separated key=value syntax).
# With toport only (no toaddr) this is a local REDIRECT, so masquerading is
# not required: --add-masquerade is only needed when forwarding to another
# host, and it turns this box into a NAT router (ip_forward=1 for the zone).
firewall-cmd --permanent --zone=public --add-forward-port=port=80:proto=tcp:toport=8080

# Reload so the permanent rules become the running configuration
firewall-cmd --reload

After applying these rules, verify the setup. The connectivity test has to come from another machine: the REDIRECT lives in the nat PREROUTING chain, which only traffic arriving from the network traverses, so any request that originates on the server itself (curl against localhost or even against its own external address) bypasses the rule and gets a connection refused, since nothing listens on 80 locally. The zone summary should show port 80 open, the forward-port rule present, masquerade off and 8080 not opened directly:

# Full zone summary: ports, masquerade, forward-ports in one view
firewall-cmd --zone=public --list-all

# Or just the two pieces that matter
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --list-forward-ports

# Test connectivity (from another machine; expect the application's HTTP response)
curl -I http://your-server-ip
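Reading the zone summary and the socket list by eye is where mistakes slip through, so here is an audit script for the checks above. It is an added example, not code from the original article or from the JBoss/WildFly project: it parses the text output of firewall-cmd --zone=public --list-all, ss -ltn and ps -eo user:20,args in their CentOS 7 formats, and assumes the zone is public, that JBoss is launched through jboss-modules.jar as a user named jboss, and, in the embedded sample data, an interface eth0 and an /opt/wildfly path, all of which are constructed for the demonstration. Run it without arguments to see it check the embedded samples, or with --live on the server.

```shell
#!/usr/bin/env bash
# Audit for a firewalld tcp/80 -> tcp/8080 redirect in front of JBoss.
# Added example, not code from the original article. Each check parses the
# text output of one command (firewall-cmd --list-all, ss -ltn, ps), so the
# checks run against captured output as well as the live host; run with
# --live to query the host (zone "public" unless ZONE is set).
set -u

# Value of one "key: value" line of `firewall-cmd --zone=X --list-all`.
zone_field() {                # zone_field <list-all text> <key>
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }'
}

# 0 if <port/proto> (e.g. 8080/tcp) is opened directly in the zone.
zone_port_open() {            # zone_port_open <list-all text> <port/proto>
    local p
    for p in $(zone_field "$1" ports); do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# 0 if the zone redirects tcp/<from> to tcp/<to> on this host (empty toaddr).
zone_forwards_locally() {     # zone_forwards_locally <list-all text> <from> <to>
    local rule
    for rule in $(zone_field "$1" forward-ports); do
        [ "${rule%:toaddr=}" = "port=$2:proto=tcp:toport=$3" ] && return 0
    done
    return 1
}

# 0 if masquerading is on in the zone; a local redirect does not need it.
zone_masquerades() {          # zone_masquerades <list-all text>
    [ "$(zone_field "$1" masquerade)" = "yes" ]
}

# 0 if a LISTEN socket on tcp/<port> is bound to the wildcard address
# (*, 0.0.0.0 or ::). REDIRECT rewrites the destination to the address of the
# receiving interface, so a socket bound only to 127.0.0.1 never receives it.
listens_on_wildcard() {       # listens_on_wildcard <ss -ltn text> <port>
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (a[n] == port && (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "[::]"))
                found = 1
        }
        END { exit !found }'
}

# Prints the user of the first process whose command line matches <regex>.
process_owner() {             # process_owner <ps -eo user:20,args text> <regex>
    printf '%s\n' "$1" | awk -v re="$2" 'NR > 1 && $0 ~ re { print $1; exit }'
}

# Runs every check on the given command output, one line per check; returns 1
# if a hard check fails (redirect missing, listener unreachable, JBoss as root).
audit() {                     # audit <zone> <list-all text> <ss -ltn text> <ps text>
    local rc=0 owner
    if zone_forwards_locally "$2" 80 8080; then echo "PASS zone $1 redirects tcp/80 to tcp/8080"
    else echo "FAIL zone $1 has no tcp/80 -> tcp/8080 forward rule"; rc=1; fi
    zone_port_open "$2" 8080/tcp && echo "WARN tcp/8080 is open directly; remove it unless the backend port must be reachable"
    zone_masquerades "$2" && echo "WARN masquerade is on but a local redirect does not need it"
    if listens_on_wildcard "$3" 8080; then echo "PASS a tcp/8080 listener is bound to the wildcard address"
    else echo "FAIL nothing listens on *:8080; check jboss.bind.address"; rc=1; fi
    owner=$(process_owner "$4" 'jboss-modules[.]jar')
    if [ "$owner" = root ]; then echo "FAIL JBoss is running as root"; rc=1
    else echo "PASS JBoss runs as '${owner:-not running}'"; fi
    return $rc
}

# Constructed sample output in CentOS 7 format, used when not run with --live.
SAMPLE_LISTALL='public (active)
  target: default
  interfaces: eth0
  services: ssh dhcpv6-client
  ports: 80/tcp 8080/tcp
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8080:toaddr=
  rich rules: '
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:22                *:*
LISTEN 0      50     *:8080              *:*
LISTEN 0      50     127.0.0.1:9990      *:*'
SAMPLE_SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     127.0.0.1:8080      *:*'
SAMPLE_PS='USER                 COMMAND
root                 /usr/sbin/sshd -D
jboss                java -D[Standalone] -jar /opt/wildfly/jboss-modules.jar org.jboss.as.standalone'

if [ "${1:-}" = "--live" ]; then
    audit "${ZONE:-public}" "$(firewall-cmd --zone="${ZONE:-public}" --list-all)" "$(ss -ltn)" "$(ps -eo user:20,args)"
else
    audit public "$SAMPLE_LISTALL" "$SAMPLE_SS" "$SAMPLE_PS"
fi
```

The WARN lines are soft: opening 8080 directly or enabling masquerade does not break the redirect, but neither is needed for it and both widen what the host exposes. The FAIL lines are the three things that actually stop the setup from working or make it unsafe: no forward rule, a listener that only binds loopback (the sample SAMPLE_SS_LOOPBACK shows that case), and a JBoss process owned by root.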

SELinux: the port labels that semanage manages decide which confined SELinux domains may bind a port; they have no effect on the netfilter REDIRECT, so a missing label cannot be why the forwarding itself fails. They only matter if JBoss runs in a confined domain (for example under a custom policy, or if httpd_t is proxying to it). A JBoss started from a systemd unit or a shell on CentOS 7 runs unconfined and can bind 8080 regardless. If you do need the label, note that on CentOS 7 tcp/8080 is already labelled http_cache_port_t, so -a fails with "Port tcp/8080 already defined" and the existing label has to be modified with -m instead (semanage lives in the policycoreutils-python package):

# Check which SELinux port labels cover http (8080 is http_cache_port_t by default)
semanage port -l | grep http

# Only if JBoss runs in a confined domain that needs http_port_t on 8080
semanage port -m -t http_port_t -p tcp 8080

Binding issues: a local REDIRECT changes only the destination port; the destination address becomes the primary address of the interface the packet arrived on. WildFly's stock standalone.xml binds the public interface to 127.0.0.1, and a socket that listens only on loopback never receives those packets, so the redirect appears not to work even though the firewall rules are correct. Bind the public interface to 0.0.0.0 (or to the interface address) in standalone.xml, or start with -b 0.0.0.0, and leave the management interface on 127.0.0.1 so the admin console and the management API stay unreachable from the network:

<interface name="public">
    <inet-address value="${jboss.bind.address:0.0.0.0}"/>
</interface>

If firewall-cmd proves problematic, there are two alternatives with different trade-offs.

Raw iptables does the same REDIRECT in one rule, but on CentOS 7 firewalld owns the ruleset: rules added by hand disappear at the next firewall-cmd --reload, and service iptables save only exists once the iptables-services package is installed and firewalld is disabled. Use it only on a host you have switched to iptables-services, or add the equivalent rule through firewall-cmd --direct so firewalld keeps it. As with the firewalld rule, PREROUTING only sees traffic arriving from the network, so a test from the server itself is not redirected.

# Using iptables directly (iptables-services installed, firewalld disabled):
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
service iptables save

A reverse proxy in front of JBoss is the more common production layout: httpd starts as root, binds port 80 and drops to the apache user, and JBoss can then stay bound to 127.0.0.1:8080, so the backend port is never exposed and no NAT rule is needed. This needs mod_proxy and mod_proxy_http (loaded by default on CentOS 7), ProxyPreserveHost so the application sees the original Host header, and, with SELinux enforcing, the httpd_can_network_connect boolean so httpd may open the backend connection. Nginx's proxy_pass gives the same layout.

# Or an Apache httpd reverse proxy:
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>

Instead of port forwarding, you can let JBoss bind port 80 itself as an unprivileged user through authbind, which grants one user the right to bind one specific low port. Two caveats: authbind is not in the CentOS 7 base repositories, so it has to come from a third-party repository or be built from source, and because it works through LD_PRELOAD it has to wrap the java process itself, which is why --deep is required when JBoss is started through its startup script:

# Install authbind (third-party package or built from source)
yum install authbind

# Allow the JBoss service user (jboss_user here) to bind port 80: the
# permission file must exist and be executable by that user
touch /etc/authbind/byport/80
chmod 500 /etc/authbind/byport/80
chown jboss_user /etc/authbind/byport/80

# Launch JBoss with authbind; --deep carries the wrapper into the java child process
authbind --deep /path/to/jboss/startup/script

The redirect itself adds negligible overhead compared with binding port 80 directly: one NAT lookup on the first packet of each connection, after which conntrack rewrites the rest. For high-traffic installations the usual design is a reverse proxy or load balancer in front of JBoss anyway, which also gives you TLS termination and request filtering, with JBoss bound to loopback or a private address rather than exposed on 8080.