How to: Use iptables for port forwarding

Routers contain a pre-defined port forwarding function that allows you to forward certain ports to computers or devices on your local network. In most cases, these routers are nothing but computers designed to move data from one port to another. The routers are also most likely running a variant of Linux, with a firewall built on iptables. Here's how you can forward ports to hosts on a Linux machine using iptables.

Iptables NAT

The iptables system contains a table for NAT (Network Address Translation). This allows for the manipulation and translation of packets coming into and going out of the Linux system. Examples of use include masquerading packets when the source is on a completely different subnet (WAN to LAN and vice versa). Not only that, you may also forward packets to certain ports on the system or even to other hosts on the network.

Destination NAT

Port forwarding on iptables is done with something called Destination NAT (DNAT). It tells the incoming packets, depending on the conditions you specify, to be routed to a different port or address. We do this through iptables' NAT PREROUTING chain. This chain handles packets coming into the system before they are filtered by the rest of our firewall.

For example, maybe we want to forward our incoming SSH requests to another computer on our network instead of this one. We can simply do it like this:

iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination yourip:22

Any SSH requests made on port 22 will now be forwarded to yourip:22. This setup is mostly useful when a Linux machine is acting as a router, or when you're running a type 2 hypervisor (a VM host with guests inside).

Another neat trick is forwarding all incoming port 80 requests to a Squid server:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination squidserverIP:3128

Again, this works best only if your Linux machine is acting as a router and you want to route all HTTP traffic through a Squid server.

Maybe you're running an FTP server on your VM and want to forward a range of ports for passive connections:

iptables -t nat -A PREROUTING -p tcp --dport 1020:1030 -j DNAT --to-destination IPADDR

By placing a colon between 1020 and 1030, we are telling iptables to forward any port in that range to the destination IP. This time there's no need to specify a port in the DNAT target, because the condition already matches a range and each packet keeps its original destination port when it reaches the destination server.
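As an added example (not from the original post), here is a small POSIX shell helper that prints, and can apply, the complete rule set a DNAT forward needs on a Linux router: the PREROUTING rule shown above plus the FORWARD accept rules and the ip_forward sysctl that the forward silently depends on. The interface name eth0 and the address 192.0.2.10 are placeholder assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example (not part of the original post). Prints, and optionally
# applies, every rule a DNAT port forward needs on a Linux router.
# Assumptions: the external interface is eth0 and 192.0.2.10 stands in
# for the internal host; change both for your network.

WAN_IF="${WAN_IF:-eth0}"

# Printed once: DNAT does nothing useful unless the kernel routes between
# interfaces and the FORWARD chain lets the translated flows (and replies) through.
forward_baseline() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# dnat_rules PROTO DPORT DEST [DEST_PORT]
#   DPORT may be a single port (22) or a range (1020:1030).
#   Omitting DEST_PORT keeps the original destination port, as in the
#   FTP passive-range example above. Rules are printed, not executed.
dnat_rules() {
    proto=$1 dport=$2 dest=$3 to_port=$4
    if [ -n "$to_port" ]; then
        target="$dest:$to_port"; fwd_port=$to_port
    else
        target="$dest";          fwd_port=$dport
    fi
    # FORWARD sees the packet after DNAT, so it matches the translated destination.
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $dport -j DNAT --to-destination $target
iptables -A FORWARD -i $WAN_IF -p $proto -d $dest --dport $fwd_port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# apply_forward: run the SSH forward from the post for real (root only).
apply_forward() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    { forward_baseline; dnat_rules tcp 22 192.0.2.10 22; } | sh -ex
}

# Dry run: show what would be applied for the three forwards from the post.
forward_baseline
dnat_rules tcp 22 192.0.2.10 22
dnat_rules tcp 80 192.0.2.10 3128
dnat_rules tcp 1020:1030 192.0.2.10
```

Pipe the printed output into `sh` only after reviewing it; restricting the PREROUTING rule with `-i` keeps the forward from also catching traffic arriving on the LAN side.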

These are just a few of many examples when it comes to forwarding ports. More to come!