1. Introduction
Port redirection is a powerful technique that allows us to control and manage network traffic by redirecting one port to another. Port redirection offers benefits such as enhanced security, remote access capabilities flexibility, and efficient traffic routing to different applications or services.
In this tutorial, we’ll delve into port redirection and explore various methods to implement it on a Linux machine. We’ll discuss different tools and methods, including iptables, firewalld, and others. Furthermore, we’ll see code examples with details for each method.
2. Environment and Result Verification
For the methods below to work both within and outside our network, we’ll need to enable packet forwarding:
$ sudo echo 1 > /proc/sys/net/ipv4/ip_forward
Notably, it’s not advisable to use multiple port redirection methods simultaneously as this can cause conflicts and unexpected behavior.
For each method, we can verify port redirection via nc:
$ nc -l -p 8080
Here, the nc command listens on port 8080. We used -l for listening and -p to define our port.
Now, we’ll open a new terminal and send a message to the redirected port 80:
$ echo "Test message" | nc localhost 80
In this example, we sent our test message to the local machine on port 80. If port redirection between ports 80 and 8080 is properly configured, the redirected message will be received at the nc server end port 8080.
3. Using iptables
iptables is a powerful firewall tool that allows us to control network traffic. Moreover, we can use iptables for port redirection by changing the network packets as they pass through the Linux kernel’s networking stack.
Firstly, we’ll install iptables via apt-get:
$ sudo apt-get install iptables
Secondly, we’ll use the PREROUTING chain with the NAT table:
$ iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
In this case, we redirect incoming TCP traffic from port 80 to port 8080:
- -t nat points to the NAT table, responsible for network address translation
- -A PREROUTING appends the rule to the PREROUTING chain
- -p tcp applies the rule to TCP traffic
- –dport 80 sets the forwarded port as 80
- -j REDIRECT ensures we have the correct action for the packets
- –to-port 8080 sets the forward port as 8080
Finally, we’ll save the iptables configuration:
$ sudo su -c 'iptables-save > /etc/iptables/iptables.rules'
In this example, we switch to the root user and execute the iptables-save command to save the current iptables rules into the iptables.rules file.
4. Using socat
socat is a versatile tool for data transfer and networking. It enables communication between different endpoints like sockets, files, or processes. We can use socat for port redirection as well.
First, let’s install socat:
$ sudo apt-get install socat
Then, we’ll use the tool to define a rule:
$ sudo socat TCP-LISTEN:80,fork TCP:localhost:8080
After running socat with this rule, it listens on port 80 and redirects the traffic to port 8080.
Here, we used several options:
- TCP-LISTEN:80 sets the source port on which socat listens for incoming connections to 80
- fork allows socat to handle multiple connections
- TCP:localhost:8080 redirects the traffic to the selected destination port on the local machine
Now, we can achieve flexible and efficient redirection of network traffic to the desired ports on the local machine.
Since socat doesn’t automatically continue the port redirection setting, we can create a startup script to ensure the setting is started at the system boot.
So, we’ll create a service file:
$ cat /etc/systemd/system/socat-port-forward.service
[Unit]
Description=Socat Port Forwarding
After=network.target
[Service]
ExecStart=/usr/bin/socat TCP-LISTEN:80,fork TCP:localhost:8080
[Install]
WantedBy=multi-user.target
In this sample service file, we defined several options:
- Description – short description of the service
- After – specifies that the service should start after the network is up
- ExecStart – command to be executed when the service is started
- WantedBy – service should be enabled and started when the system reaches the multi-user target
Now, we’ll set the proper unit file permissions with chmod:
$ chmod 644 socat-port-forward.service
This command sets the file permissions as follows:
- 6 – read and write for the owner of the file
- 4 – read-only for the group that owns the file
- 4 – read-only for others, everyone else
Then, we can enable the service start at boot time:
$ sudo systemctl enable socat-port-forward
Finally, we can start the service manually:
$ sudo systemctl start socat-port-forward
The service should now be active, and should automatically start at system startup, persisting the redirection.
5. Using UFW
UFW (Uncomplicated Firewall) is a tool for managing firewall rules in Linux. Moreover, UFW provides a simplified interface to iptables and allows us to configure port redirection. By defining UFW rules, we can redirect network traffic from one port to another.
Firstly, we’ll install UFW:
$ sudo apt install ufw
Secondly, we’ll enable UFW:
$ sudo ufw enable
Thirdly, we allow incoming connections to our forwarded port:
$ sudo ufw allow 80
Now, we’ll set up a rule:
$ sudo ufw route allow from any port 80 to 127.0.0.1 port 8080
Here, we allow port 80 traffic to be redirected to port 8080 on the localhost:
- route allow – specifies that we want to create a routing rule
- from any – allow any source host and IP
- 80 – incoming traffic on port 80
- to 127.0.0.1 – sets the destination IP address as localhost
- port 8080 – traffic should be redirected to port 8080
Finally, we’ll save the rule:
$ sudo su -c 'ufw export save > /etc/ufw/user.rules'
This way, we ensure the action persists after a system restart.
6. Using firewalld
firewalld is a full-fledged firewall for Linux systems. firewalld provides an interface to configure and manage firewall rules. Besides, firewalld supports port redirection and allows specific network ports to be redirected to one another.
First, we’ll install firewalld using apt:
$ sudo apt install firewalld
Now, we’ll start the firewalld service:
$ sudo systemctl start firewalld
Then, let’s enable firewalld to start on boot:
$ sudo systemctl enable firewalld
Next, we’ll allow incoming connections:
$ sudo firewall-cmd --zone=public --add-port=80/tcp
In this example, we used –zone to set the firewall zone in which the rule should be applied to public. Moreover, by using –add-port we added a rule to allow incoming traffic on port 80 using the TCP protocol.
Then, we can set up port redirection:
$ sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=127.0.0.1
Here, we used several options:
- –zone specifies the firewall zone in which the rule should be applied
- –add-forward-port adds a port forwarding rule
- port=80 sets the forwarded port that we redirect from as 80
- proto=TCP sets the TCP protocol for the rule
- toport=8080 sets the forward port that we’re redirecting to as 8080
- toaddr=127.0.0.1 configures the destination address to which the traffic should be redirected
Then, we’ll save the firewalld setting via the –runtime-to-permanent option:
$ sudo firewall-cmd --runtime-to-permanent
At this point, we’ve redirected port 80 to 8080, and the redirection remains after a restart.
7. Using nftables
nftables is a packet-filtering framework for Linux. It allows fine-grained control over network traffic using rules and tables. Moreover, with nftables, we can configure port redirection. This is achieved by defining rules that redirect incoming traffic from one port to another on the local machine.
First, let’s install nftables:
$ sudo apt install nftables
Then, we’ll start the nftables service:
$ sudo systemctl start nftables
Next, we’ll enable nftables to start on boot:
$ sudo systemctl enable nftables
Now, we’ll create the forward.nft setting file:
$ cat forward.nft
table ip nat {
chain PREROUTING {
type nat hook prerouting priority 0;
tcp dport 80 dnat to 127.0.0.1:8080
}
}
This setting sets up a NAT table in the ip family and defines a PREROUTING chain. Moreover, the TCP dport 80 rule matches incoming TCP traffic on port 80. Besides, the dnat to 127.0.0.1:8080 action redirects the port 80 traffic to port 8080 on the local machine.
Finally, let’s process and apply the file contents as rules:
$ sudo nft -f forward.nft
Here, we used the -f option to set the following argument file that contains a set of nftables rules.
8. Conclusion
In this article, we used various methods to implement port redirection on Linux machines, including iptables, socat, UFW, firewalld, and nftables.
Firstly, we used iptables to change network packets and redirect traffic by using a chain in the NAT table. We also learned how to persist iptables rules across system reboots.
Next, with socat, we performed port redirection by listening to an exact port and redirection incoming traffic to another port. Besides, we created a system service to automatically initiate socat during system boot.
Also, UFW provided a simplified interface for setting port redirection via the definition of rules. We allowed incoming connections on defined ports and set port forwarding using the UFW route command.
Moreover, we saw that firewalld enabled port redirection by allowing us to define firewall zones and redirection rules.
Lastly, we explored nftables, a packet-filtering framework. We defined rules in a setting file to redirect incoming traffic between ports.
Now, we can effectively manage and control network traffic through port redirection on our Linux machine.