Post

Linux - Port Forward Using IPTables

Posted Updated
By harryvasanth 2 min read

First of all, we need to check if port forwarding is enabled or not on our server. For better understanding, we will be using ens18 as a reference interface and all our command executions will be related to ens18 in this post.

Check if port forwarding is enabled in Linux

Either we can use sysctl to check if forwarding is enabled or not. Use below command to check:

1
2
3

[[email protected] ~]# sysctl -a | grep -i ens18.forwarding
net.ipv4.conf.ens18.forwarding = 0
net.ipv6.conf.ens18.forwarding = 0

Since both values are zero, port forwarding is disabled for ipv4 and ipv6 on interface ens18. We can also use the process filesystem to check if port forwarding is enabled or not.

1
2
3
4
5

[[email protected] ~]# cat /proc/sys/net/ipv4/conf/ens18/forwarding
0

[[email protected] ~]# cat /proc/sys/net/ipv6/conf/ens18/forwarding
0

Again here process FS with zero values confirms port forwarding is disabled on our system. Now we need to first enable port forwarding on our system then we will configure port forwarding rules in iptables.

Enable port forwarding in Linux

As we checked above, using the same methods we can enable port forwarding in Linux. But its recommended using sysctl command rather than replacing 0 by 1 in proc files.

Enable port forwarding in Linux using sysctl command:

1
2
3
4
5

[[email protected] ~]# sysctl net.ipv4.conf.ens18.forwarding=1
net.ipv4.conf.ens18.forwarding = 1

[[email protected] ~]# sysctl net.ipv6.conf.ens18.forwarding=1
net.ipv6.conf.ens18.forwarding = 1

To make it persistent over reboots, add parameters in /etc/sysctl.conf :

1
2
3
4
5
6
7

[[email protected] ~]# echo "net.ipv4.conf.ens18.forwarding = 1">>/etc/sysctl.conf

[[email protected] ~]# echo "net.ipv6.conf.ens18.forwarding = 1">>/etc/sysctl.conf

[[email protected] ~]# sysctl -p
net.ipv4.conf.ens18.forwarding = 1
net.ipv6.conf.ens18.forwarding = 1

Now, we have port forwarding enabled on our server, we can go ahead with configuring port forwarding rules using iptables.

Forward ports in Linux

Here we will forward tcp port 80 to tcp port 8080 on 192.168.1.1. Do not get confused port forwarding with port redirection.We need to insert an entry in PREROUTING chain of iptables with DNAT target. Command will be as follows:

1
2

iptables -A PREROUTING -t nat -i ens18 -p tcp --dport 80 -j DNAT --to 192.168.1.1:8080
iptables -A FORWARD -p tcp -d 192.168.1.1 --dport 8080 -j ACCEPT

Change interface, IP and ports as per our requirement. The first command tells us to redirect packets coming to port 80 to IP 192.168.1.1 on port 8080. Now packet also needs to go through FORWARD chain so we are allowing in in the second command. Now rules have been applied. We need to verify them.

Check port forwarding IPTables rules

Command to verify port forwarding rules is:

1
2
3
4

[[email protected] ~]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 1 packets, 30 bytes)
pkts    bytes   target      prot    opt in      out source      destination
  84    5000    REDIRECT    tcp     --  ens18   *   0.0.0.0/0   0.0.0.0/0   tcp dpt:80 to:192.168.1.1:8080

Here REDIRECT target means it’s a redirection rule. Since we have configured the forwarding rule we see the target as DNAT.

Save IPTables rules

To save iptables rules and make them persistent over reboots use the following command:

1

[[email protected] ~]# iptables-save
linux
general
This post is licensed under CC BY 4.0 by the author.