Port forwarding

Port forwarding, also known as port mapping, is a technique used in computer networking to redirect network communication traffic from a specific combination of an external IP address and port number to a particular internal private IP address and port number within a private network. It is typically configured on a Router or firewall that performs NAT (Network Address Translation).

The main purpose of port forwarding is to make a specific service running on a device within a private network accessible from an external network, such as the Internet. Without port forwarding, unsolicited incoming connections from the internet are generally blocked by NAT.

Overview and Purpose

Most home and small office networks use NAT to allow multiple devices to share a single public IP address. A side effect of NAT (specifically SNAT/Masquerading) is that while devices on the private network can easily initiate outgoing connections, external devices cannot initiate incoming connections directly to devices on the private network because their private IP addresses are hidden.

Port forwarding overcomes this limitation. It creates a rule on the NAT device that says, "Any incoming traffic arriving at my public IP address on a specific external port should be automatically redirected to a specific internal IP address and port on the private network." This allows external users or services to connect to a service running on an internal machine.

How it Works

Port forwarding is essentially a specific application of Destination NAT (DNAT). When an incoming packet arrives at the NAT router from the external network:

1. The router examines the packet's destination IP address (which is the router's public IP) and the destination port number. 2. It checks its port forwarding table for a rule that matches this incoming public port (and often the incoming public IP and/or protocol like TCP/UDP). 3. If a matching rule is found, the router performs DNAT: it changes the packet's destination IP address from the public IP to the specified internal private IP address and changes the destination port to the specified internal port. 4. The packet is then forwarded into the private network to the designated internal device. 5. The internal device receives the packet as if it were addressed directly to it (but with the source IP of the original external sender). Response packets from the internal device will then be automatically translated back by the NAT router using SNAT/Masquerading as they leave the network.

Uses of Port Forwarding

Port forwarding is used whenever you need to make a service running on a device within a private network reachable from outside that network. Common uses include:

• **Hosting Services:** Making internal web servers (port 80/443), mail servers (port 25/110/143/465/587/993/995), FTP servers (port 21/usually passive range), or other application servers accessible publicly.
• **Remote Access:** Allowing external access via SSH (port 22), VNC, RDP (port 3389), or other remote administration tools to internal machines.
• **Game Servers:** Allowing external players to connect to game servers hosted on an internal computer.
• **Peer-to-Peer Applications:** Enabling applications like BitTorrent clients to receive incoming connections from other peers, which is often necessary for efficient uploading (Seeding) and sometimes for downloading, particularly in active peer-to-peer setups.
• **Accessing Network Devices:** Reaching internal IP cameras, Network Attached Storage (NAS) devices, or other network hardware from outside the network.

Basic History of Network Ports

The concept of network ports arose with the development of early networking protocols, becoming formalized with the TCP/IP model in the 1970s and 1980s. A port is a logical endpoint within an IP address that distinguishes different services or applications running on a single machine. Since a computer can run multiple network applications simultaneously (a web server, an email server, an SSH server), ports allow traffic directed to that IP address to be correctly routed to the appropriate application.

Ports are numbered from 0 to 65535 for both TCP and UDP. Certain port ranges have designated uses:

• Well-known ports (0-1023): Reserved for common services (e.g., 80 for HTTP, 443 for HTTPS, 22 for SSH, 21 for FTP).
• Registered ports (1024-49151): Can be registered by software vendors for specific applications.
• Dynamic/Private ports (49152-65535): Free for use by client applications for outgoing connections or by servers for non-registered services.

The assignment and management of well-known and registered ports are overseen by the IANA.

Tutorial: Port Forwarding on Linux (Debian) Server

This tutorial explains how to set up Port forwarding (DNAT) on a Linux server running a Debian-based distribution that is acting as your NAT gateway. This allows external connections arriving on a specific public port to be redirected to a device and port on your internal private network.

Scenario:

• Your Linux server is already set up as a NAT gateway (IP forwarding enabled, Masquerading configured - see NAT Tutorial).
• Your server has a public IP on one interface (e.g., `eth0`) and a private IP on another interface connected to your internal network (e.g., `eth1`).
• You want to forward incoming connections on a specific public TCP or UDP port to a specific internal private IP and port.

Prerequisites:

• A Debian-based Linux server acting as a NAT gateway.
• Command-line access (SSH).
• sudo privileges.
• Knowledge of your internal device's static private IP address and the port it's listening on.
• Knowledge of your server's public-facing network interface name (e.g., `eth0`).

Steps:

1. Ensure ufw is installed and enabled:

Port forwarding rules are often managed within the firewall configuration.

     sudo apt update
     sudo apt install ufw -y
     sudo ufw status verbose # Check if active
     # If inactive and you allowed SSH: sudo ufw enable

1. Add the Port Forwarding (DNAT) Rule:

DNAT rules typically need to be processed very early, before standard filtering rules. In `ufw`, this is done by editing the `before.rules` file. Open the `before.rules` file for editing:

     sudo nano /etc/ufw/before.rules

Scroll down to the section that starts with `*nat` and ends with `COMMIT`. Add your DNAT rule(s) *after* the initial `:PREROUTING ACCEPT [0:0]` line in the `*nat` section.

Replace `your_public_interface`, `public_port`, `protocol` (tcp or udp), `internal_ip`, and `internal_port` with your specific values.

 iptables

1. Before this line:
2. ok nat

1. Put your DNAT rules here

   :PREROUTING ACCEPT [0:0]

1. Example: Forward public TCP port 80 to internal web server at 192.168.1.100 on port 80

   -A PREROUTING -i your_public_interface -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80

1. Example: Forward public UDP port 12345 to internal game server at 192.168.1.200 on port 12345

   -A PREROUTING -i your_public_interface -p udp --dport 12345 -j DNAT --to-destination 192.168.1.200:12345

1. Example: Forward public TCP port 2222 to internal SSH server at 192.168.1.50 on port 22
2. Useful if you want to access internal SSH without exposing server's own SSH on 22

   -A PREROUTING -i your_public_interface -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.50:22

1. Don't delete the COMMIT line:
2. COMMIT

   * `-A PREROUTING`: Append the rule to the PREROUTING chain (processes incoming packets before routing).
   * `-i your_public_interface`: Match packets arriving on your server's public-facing interface.
   * `-p protocol`: Specify the protocol (tcp or udp).
   * `--dport public_port`: Match packets destined for the public port you want to forward.
   * `-j DNAT`: Jump to the DNAT target (perform Destination NAT).
   * `--to-destination internal_ip:internal_port`: The new destination IP and port for the packet.

Save and close the `before.rules` file.

1. Allow the traffic through ufw's main filter rules (important):

Even though you've set up DNAT, `ufw`'s main filter rules will likely block the traffic *after* it's been translated to the internal IP/port, unless explicitly allowed. You need to add a rule to `ufw` to allow traffic destined for the *internal IP and internal port*.

     sudo ufw allow from any to 192.168.1.100 port 80 proto tcp # Allow traffic to internal IP 192.168.1.100 on port 80 TCP
     sudo ufw allow from any to 192.168.1.200 port 12345 proto udp # Allow traffic to internal IP 192.168.1.200 on port 12345 UDP
     sudo ufw allow from any to 192.168.1.50 port 22 proto tcp # Allow traffic to internal IP 192.168.1.50 on port 22 TCP

Replace IPs, ports, and protocols with your specific values. Note that you are allowing traffic *to the internal IP and port*, not the public one, because the NAT translation happens before the packet hits the main filter chains.

1. Reload ufw to apply changes:

     sudo ufw reload

1. Verify the setup:

• From an external network, try accessing the service using your server's public IP and the public port you forwarded (e.g., `http://your_public_ip:80` if you forwarded port 80).
• You can view the active NAT rules using `sudo iptables -t nat -L -v -n` (ufw translates its rules to iptables/nftables).

Using iptables or nftables Directly: If you prefer not to use `ufw`'s simplification or need more complex rules, you would use the `iptables` or `nftables` commands directly (as shown in the rule examples above) and save/load them persistently (see NAT Tutorial for saving/loading rules).

See also

• NAT
• DNAT
• Port (computer networking)
• TCP
• UDP
• Firewall (computing)
• Virtual hosting
• IP address

External links

• Cloudflare: What is Port Forwarding?
• IANA Service Name and Transport Protocol Port Number Registry
• Ubuntu Wiki: UFW Postrouting (includes NAT examples)