Port forwarding in UFW can be tricky if you are not familiar with how the firewall works.
UFW is a user-friendly firewall, and port forwarding can be set up with it in a few steps. Port forwarding also helps keep unwanted traffic off servers.
At Bobcares, we often receive requests regarding port forwarding as a part of our Server Management Services.
Today, let us discuss how Support Engineers set up port forwarding for our customers.
DNAT and PREROUTING
DNAT stands for Destination Network Address Translation. It rewrites the destination address and/or port in the IP and TCP/UDP headers of a packet.
It is used to redirect incoming packets addressed to a public address/port to a private IP address/port inside the network.
DNAT is done in the PREROUTING chain. This is what gives outside clients access to internal machines: the destination address has to be rewritten before the kernel makes its routing decision, otherwise the packet would be routed to the original destination.
In short, port forwarding (or port mapping) is an application of network address translation (NAT).
How to set up port forwarding in UFW
Recently one of our customers contacted us to forward the incoming traffic on port 80 to port 8080 on a host behind another interface. Let us discuss how our Support Engineers set up port forwarding.
UFW Port forwarding to different IPs and ports
To set up port forwarding we first need to enable IP forwarding in sysctl.conf. Our Support Engineers edit the file.
vi /etc/sysctl.conf
We uncomment the “net.ipv4.ip_forward” line by removing the leading # to enable it.
If the line is not present, we add the line below to the file and save it.
net.ipv4.ip_forward=1
Reload using the command.
sysctl -p
Now we need to open the destination port in the firewall. Otherwise UFW will block the requests that are being redirected.
ufw allow proto tcp from any to 2xx.2xx.1xx.0 port 8080
The port forwarding rule itself goes in the file before.rules. We edit the file and add the entry below.
vi /etc/ufw/before.rules
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 2xx.2xx.1xx.0 -p tcp --dport 80 -j DNAT --to-destination 1xx.1xx.2xx.0:8080
# setup routing
-A POSTROUTING -s 1xx.1xx.2xx.0/24 ! -d 1xx.1xx.2xx.0/24 -j MASQUERADE
COMMIT
After entering the details save the file.
Finally, restart the ufw service.
systemctl restart ufw
UFW Port forwarding to a different port
Another customer contacted us and requested us to forward his traffic for port 80 to port 440. Let us discuss how our Support Engineers set it up.
First, we allow port 440 in the firewall.
ufw allow 440
Add the below rules in before.rules file.
vi /etc/ufw/before.rules
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 440
COMMIT
Save the file. Finally, we restart the service to make the changes effective.
service ufw restart
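Both procedures above end with pasting a *nat section into /etc/ufw/before.rules, and the one thing that commonly goes wrong there is placement: the *nat section must be its own table block (opened with *nat, closed with COMMIT) placed before the existing *filter line or after its COMMIT, never inside the *filter section. The script below is an added example, not code from the article or from the UFW project: it renders the two kinds of section shown above (DNAT to another host, REDIRECT on the same host), inserts the result into a copy of before.rules in the right place, and checks that every table section is closed before the next one opens. The interface name, addresses, networks and file paths are constructed placeholders, and the protocol argument (tcp or udp) is an addition, since the article's rules match only -p tcp.

```shell
#!/bin/sh
# Added example, not code from the Bobcares article or from UFW itself.
# Renders a *nat section like the ones in the article, inserts it into a copy
# of /etc/ufw/before.rules as its own table section before *filter, and checks
# the table/COMMIT layout. Addresses, interface and paths are constructed.
set -eu

# Render a *nat section that forwards public port $3 arriving on interface $1
# for address $2 to $4:$5 (the article's first case). Replies from the $6
# network are masqueraded. $7 is the protocol; the article's rules use tcp.
dnat_block() {
    iface=$1 pub_ip=$2 pub_port=$3 dst_ip=$4 dst_port=$5 lan_net=$6 proto=${7:-tcp}
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "-A PREROUTING -i $iface -d $pub_ip -p $proto --dport $pub_port -j DNAT --to-destination $dst_ip:$dst_port"
    printf '%s\n' "-A POSTROUTING -s $lan_net ! -d $lan_net -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# Render a *nat section that remaps port $1 to port $2 on the same host
# (the article's second case, 80 to 440). $3 is the protocol, tcp by default.
redirect_block() {
    from_port=$1 to_port=$2 proto=${3:-tcp}
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' "-A PREROUTING -p $proto --dport $from_port -j REDIRECT --to-port $to_port"
    printf '%s\n' 'COMMIT'
}

# Insert a rendered section into file $1 immediately before its *filter line.
# Pasting it between *filter and that section's COMMIT is what makes ufw-init
# fail with "Bad argument `*nat'" at the next restart.
insert_nat_block() {
    file=$1 block=$2
    if grep -q '^\*nat' "$file"; then
        echo "$file already contains a *nat section; merge the rules by hand" >&2
        return 1
    fi
    tmp=$(mktemp)
    if ! awk -v block="$block" '
            !done && /^\*filter/ { print block; print ""; done = 1 }
            { print }
            END { if (!done) exit 1 }
        ' "$file" > "$tmp"; then
        rm -f "$tmp"
        echo "$file has no *filter section; check that this is the right file" >&2
        return 1
    fi
    mv "$tmp" "$file"
}

# Exit 0 only when every *table line is closed by COMMIT before the next one
# opens, which is the layout iptables-restore requires of the whole file.
check_sections() {
    awk '
        BEGIN { open = 0; bad = 0 }
        /^\*/ {
            if (open) { print "table opened inside another table at line " NR ": " $0; bad = 1 }
            open = 1
        }
        /^COMMIT/ {
            if (!open) { print "COMMIT without an open table at line " NR; bad = 1 }
            open = 0
        }
        END {
            if (open) { print "last table never reaches COMMIT"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed stand-in for /etc/ufw/before.rules, trimmed to the parts that matter.
work=$(mktemp -d)
rules="$work/before.rules"
cat > "$rules" <<'EOF'
# rules that should be run before the ufw command line added rules
*filter
:ufw-before-input - [0:0]
-A ufw-before-input -i lo -j ACCEPT
COMMIT
EOF

# The article's first case with constructed addresses: public port 80 on eth0
# to an internal host's port 8080. Pass udp as the last argument for a UDP service.
insert_nat_block "$rules" "$(dnat_block eth0 203.0.113.10 80 192.168.10.20 8080 192.168.10.0/24)"
check_sections "$rules" && echo "before.rules layout is valid"
cat "$rules"
rm -rf "$work"
```

Run check_sections against the real /etc/ufw/before.rules after editing it and before restarting UFW; a non-zero exit points at the line where a table was opened inside another one. When the target is another host (the DNAT case), the rewritten packet also passes through the FORWARD chain, so UFW must permit it there as well, either through DEFAULT_FORWARD_POLICY in /etc/default/ufw or with a ufw route allow rule on UFW 0.34 and later.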
Conclusion
In short, we discussed DNAT and PREROUTING and how we port forward from one port to another. Also, we have discussed how our Support Engineers set up port forwarding for port 80 to an internal interface.
Doesn’t work:
Jun 22 11:13:46 gs580s-u18njh ufw-init[974]: Bad argument `*nat'
Hi Nigel,
Looks like a wrong edit in the config file.
If you still have errors and need help, we’ll be happy to talk to you on chat (click on the icon at right-bottom).
Hello! I tried to do TCP port forwarding successfully. However, it seems that if I use UDP the same steps just don’t work.
Any hints?
Hello William,
We’ll be happy to talk to you on chat regarding the issue (click on the icon at right-bottom).