How to Check Whether Port Forwarding Is Enabled on a Linux Machine

Last updated: March 18, 2024

Reviewed by: Hiks Gerganov

1. Introduction

Port forwarding is an important aspect of network setting configuration. For example, we can redirect incoming network traffic from one port to another, enabling access to services and enhancing network security. In fact, checking whether port forwarding is enabled can be crucial for troubleshooting, security audits, and maintaining smooth network operation.

In this tutorial, we’ll explore how we can check the port forwarding configuration with different firewalls.

Notably, before setting up port forwarding, we need to enable packet forwarding on the network device or system that will be responsible for routing the network traffic.

2. Using iptables

iptables is a powerful command-line utility for managing firewall rules and network traffic. iptables allows us to configure port forwarding, packet filtering, and network address translation (NAT) to enhance network security and control.

Firstly, let’s check iptables list:

$ sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 2525

Here, we can see the currently configured NAT rules in the iptables firewall configuration. In particular, we used -t nat to define the table to operate on, namely, NAT. Moreover, -S shows the current NAT rules in that table. If we find REDIRECT in the rules, port forwarding is enabled. Otherwise, port forwarding is not enabled.

Secondly, we’ll filter the list to port forwarding:

$ sudo iptables -t nat -S | grep REDIRECT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 2525

Here, the pipe symbol | redirects the output of the previous command as input to the grep command. In this case, grep REDIRECT filters the output to only display lines that contain the keyword REDIRECT. Thus, we can see the port forwarding rules. For example, we forward incoming TCP connection port 25 to 2525.

Moreover, we can check specific protocols and ports:

$ sudo iptables -t nat -S | grep REDIRECT | grep -- "-p tcp" | grep -- "--dport 80"
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

In this example, we used grep with “-p tcp” and “–dport 80”. This helps filter out only the lines that involve TCP traffic on a given port. As a result, we can see that port forwarding from port 80 to 8080.

3. Using UFW

UFW (Uncomplicated Firewall) is a user-friendly firewall utility that provides a simplified command-line interface for managing firewall rules.

With UFW, we can enable or disable firewall rules to control network traffic.

Let’s check the status of UFW:

$ sudo ufw show raw
IPV4 (raw):
...
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination 
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.211.55.5:8080
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:10.211.55.5:2525
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:10.211.55.5:4322

As we can see, we can find port forwarding rules in the Chain PREROUTING section. Moreover, we can check the /etc/ufw/before.rules configuration file to find port forwarding rules, since they are processed before other rules. If such rules don’t exist, it indicates that port forwarding is enabled.

4. Using firewalld

firewalld is a dynamic firewall management tool to manage network traffic and security rules. firewalld allows us to define and manage firewall zones, services, and ports.

Let’s check the current firewall rules:

$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 8080/tcp
  masquerade: no
  forward-ports:
    port=25:proto=tcp:toport=2525:toaddr=10.211.55.5

Here, we can look for the presence of a forward-ports section to check the port forwarding configuration. In this example, we forward traffic from SMTP port 25 to IP address 10.211.55.5 and port 2525. On the other hand, if we couldn’t find any port-forwarding rules, it suggests that port forwarding is not enabled.

5. Using nftables

nftables is a firewall implementation that provides efficient packet filtering and network address translation capabilities. We can also use nftables to define rules and tables to control network traffic and secure systems.

Let’s check the nftables rules setup:

$ sudo nft list ruleset
table ip nat {
  chain PREROUTING {
    type nat hook prerouting priority 0; policy accept;
    tcp dport 22 redirect to :22143
  }
}

To determine whether port forwarding is enabled, we can check for rules in the nat table’s PREROUTING chain that involve redirecting or forwarding traffic from one port to another port. Port forwarding is enabled if such rules are present; otherwise, port forwarding isn’t enabled.

6. Conclusion

Checking the port forwarding configuration can be vital for maintaining efficient network communication and ensuring access to services.

In this article, we’ve discussed different methods to perform this task, focusing on the steps required for each firewall configuration. Moreover, we’ve learned by examining firewall rules, specific chains, or tables related to port forwarding, we can determine if the necessary configurations are in place.

Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.