How to Forward Ports With Iptables in Linux?

Port forwarding is a technique that allows external devices to access services running on internal network devices by redirecting traffic through specific ports. When you want to run a web server from your home computer, external users need to connect through your public IP address via port 80 (HTTP) or port 443 (HTTPS). Without proper port forwarding configuration, incoming connection requests are blocked by your router's firewall, preventing access to internal services.

Iptables is a powerful Linux firewall utility that operates at the kernel level, providing robust packet filtering, NAT (Network Address Translation), and connection tracking capabilities. It can be used to configure port forwarding rules that redirect incoming traffic to specific internal addresses and ports.

Understanding Iptables

Iptables works by examining data packets as they pass through network interfaces and making decisions based on user-defined rules. It uses a hierarchical system of tables and chains to process packets:

  • Tables: different categories of processing, such as filter, nat, and mangle

  • Chains: sets of rules within a table, such as INPUT, OUTPUT, FORWARD, and PREROUTING

  • Rules: conditions that determine what happens to a packet (ACCEPT, DROP, REJECT, or DNAT)

[Figure: Iptables packet flow for port forwarding. An external client connects to the router/firewall on port 8080; a DNAT rule in the NAT table's PREROUTING chain (--dport 8080 --to-destination 192.168.1.100:80) redirects the traffic to port 80 on the internal server.]

Basic Iptables Commands

# List all current rules
sudo iptables -L

# List NAT table rules
sudo iptables -t nat -L

# Flush all rules in the filter table (be careful! add -t nat to flush NAT rules as well)
sudo iptables -F

# Set default policy for a chain
sudo iptables -P INPUT ACCEPT

Setting Up Port Forwarding

Enable IP Forwarding

Before configuring iptables rules, enable IP forwarding in the kernel:

# Temporary (until reboot); the redirection must run as root, so pipe through sudo tee
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

# Permanent: add this line to /etc/sysctl.conf, then apply it with `sudo sysctl -p`
net.ipv4.ip_forward = 1

Basic Port Forwarding Rules

Port forwarding uses the NAT table's PREROUTING chain with DNAT (Destination NAT) to redirect incoming traffic:

Forward Single Port

# Forward external port 8080 to internal server port 80
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80

# Allow forwarded traffic through firewall
sudo iptables -A FORWARD -p tcp -d 192.168.1.100 --dport 80 -j ACCEPT

Forward Port Range

# Forward ports 8000-8010 to internal server
sudo iptables -t nat -A PREROUTING -p tcp --dport 8000:8010 -j DNAT --to-destination 192.168.1.100:8000-8010

# Allow forwarded traffic
sudo iptables -A FORWARD -p tcp -d 192.168.1.100 --dport 8000:8010 -j ACCEPT

Forward Multiple Specific Ports

# Forward HTTP and HTTPS to web server
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.1.100:443

# Allow forwarded traffic
sudo iptables -A FORWARD -p tcp -d 192.168.1.100 --dport 80 -j ACCEPT
sudo iptables -A FORWARD -p tcp -d 192.168.1.100 --dport 443 -j ACCEPT

Complete Example

Here's a complete example forwarding external SSH access on port 2222 to an internal server's port 22:

# 1. Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1

# 2. Add DNAT rule to forward port 2222 to internal SSH
sudo iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.50:22

# 3. Allow forwarded SSH traffic
sudo iptables -A FORWARD -p tcp -d 192.168.1.50 --dport 22 -j ACCEPT

# 4. Allow reply and related traffic back through the FORWARD chain
#    (required whenever the FORWARD policy is DROP)
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# 5. Save rules (Ubuntu/Debian, with the iptables-persistent package installed);
#    the redirection must run as root, not as your user
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Verification and Troubleshooting

Test your port forwarding configuration:

# Check that the internal service is listening (run on the internal server,
# since a DNAT rule does not open a listening socket on the router itself;
# `ss -tulnp` is the modern replacement for netstat)
sudo netstat -tulnp | grep :22

# Test connection from external host
telnet your_public_ip 2222

# View iptables counters
sudo iptables -t nat -L -v -n

Common Issue              Solution
-------------------------------------------------------------------
Connection refused        Check that the internal service is running
No response               Verify that the FORWARD chain allows the traffic
Rules not persistent      Save the rules with iptables-save
IP forwarding disabled    Enable it in /proc/sys/net/ipv4/ip_forward
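The "No response" row is the most common mistake: a DNAT rule exists but no FORWARD rule accepts the translated traffic. The following script, an added example rather than code from the original article, audits `iptables-save` output for exactly that gap. It embeds a constructed ruleset (the 2222 -> 22 SSH forward from the complete example plus an 8080 -> 80 forward that lacks its FORWARD rule); the function names and sample addresses are this example's own.

```python
import shlex

# Constructed sample of `iptables-save` output (not captured from a real host):
# 2222 -> .50:22 has a matching FORWARD rule, 8080 -> .100:80 does not.
SAMPLE_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.50:22
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.1.50/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def _opt(tokens, name):
    """Value following option `name` in a tokenised rule, or None if absent."""
    return tokens[tokens.index(name) + 1] if name in tokens else None

def parse_ruleset(text):
    """Collect DNAT rules from nat/PREROUTING and the filter/FORWARD ACCEPT rules
    that admit new connections (a RELATED,ESTABLISHED-only rule never passes the
    first SYN of a forwarded connection, so it is skipped)."""
    dnat, fwd_accept, table = [], [], None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        if not line.startswith("-A "):
            continue
        t = shlex.split(line)
        chain, proto, dport, target = t[1], _opt(t, "-p"), _opt(t, "--dport"), _opt(t, "-j")
        if table == "nat" and chain == "PREROUTING" and target == "DNAT":
            ip, _, port = _opt(t, "--to-destination").partition(":")
            dnat.append((proto, dport, ip, port or dport))  # no :port keeps the original
        elif table == "filter" and chain == "FORWARD" and target == "ACCEPT":
            states = _opt(t, "--state") or _opt(t, "--ctstate")
            if states and "NEW" not in states.split(","):
                continue
            fwd_accept.append((proto, (_opt(t, "-d") or "").split("/")[0], dport))
    return dnat, fwd_accept

def unreachable_forwards(text):
    """DNAT mappings no FORWARD ACCEPT rule covers: the 'No response' symptom."""
    dnat, fwd_accept = parse_ruleset(text)
    return [f"{proto}/{ext} -> {ip}:{port}" for proto, ext, ip, port in dnat
            if not any(fp in (None, proto) and fd in ("", ip) and fdp in (None, port)
                       for fp, fd, fdp in fwd_accept)]
```

On a real router, feed it the live ruleset with `unreachable_forwards(subprocess.check_output(["iptables-save"], text=True))`; an empty list means every DNAT target has a FORWARD rule that admits new connections.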

Conclusion

Port forwarding with iptables enables external access to internal network services by redirecting traffic through DNAT rules in the NAT table. The key steps involve enabling IP forwarding, creating PREROUTING rules for destination translation, and allowing forwarded traffic through the FORWARD chain. Proper configuration requires both NAT and filter table rules to work together effectively.

Updated on: 2026-03-17T09:01:38+05:30
