1. Introduction

Port redirection is a powerful technique that allows us to control and manage network traffic by redirecting one port to another. Port redirection offers benefits such as enhanced security, remote access capabilities flexibility, and efficient traffic routing to different applications or services.

In this tutorial, we’ll delve into port redirection and explore various methods to implement it on a Linux machine. We’ll discuss different tools and methods, including iptables, firewalld, and others. Furthermore, we’ll see code examples with details for each method.

2. Environment and Result Verification

For the methods below to work both within and outside our network, we’ll need to enable packet forwarding:

$ sudo echo 1 > /proc/sys/net/ipv4/ip_forward

Notably, it’s not advisable to use multiple port redirection methods simultaneously as this can cause conflicts and unexpected behavior.

For each method, we can verify port redirection via nc:

$ nc -l -p 8080

Here, the nc command listens on port 8080. We used -l for listening and -p to define our port.

Now, we’ll open a new terminal and send a message to the redirected port 80:

$ echo "Test message" | nc localhost 80

In this example, we sent our test message to the local machine on port 80. If port redirection between ports 80 and 8080 is properly configured, the redirected message will be received at the nc server end port 8080.

3. Using iptables

iptables is a powerful firewall tool that allows us to control network traffic. Moreover, we can use iptables for port redirection by changing the network packets as they pass through the Linux kernel’s networking stack.

Firstly, we’ll install iptables via apt-get:

$ sudo apt-get install iptables

Secondly, we’ll use the PREROUTING chain with the NAT table:

$ iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

In this case, we redirect incoming TCP traffic from port 80 to port 8080:

  • -t nat points to the NAT table, responsible for network address translation
  • -A PREROUTING appends the rule to the PREROUTING chain
  • -p tcp applies the rule to TCP traffic
  • –dport 80 sets the forwarded port as 80
  • -j REDIRECT ensures we have the correct action for the packets
  • –to-port 8080 sets the forward port as 8080

Finally, we’ll save the iptables configuration:

$ sudo su -c 'iptables-save > /etc/iptables/iptables.rules'

In this example, we switch to the root user and execute the iptables-save command to save the current iptables rules into the iptables.rules file.

4. Using socat

socat is a versatile tool for data transfer and networking. It enables communication between different endpoints like sockets, files, or processes. We can use socat for port redirection as well.

First, let’s install socat:

$ sudo apt-get install socat

Then, we’ll use the tool to define a rule:

$ sudo socat TCP-LISTEN:80,fork TCP:localhost:8080

After running socat with this rule, it listens on port 80 and redirects the traffic to port 8080.

Here, we used several options:

  • TCP-LISTEN:80 sets the source port on which socat listens for incoming connections to 80
  • fork allows socat to handle multiple connections
  • TCP:localhost:8080 redirects the traffic to the selected destination port on the local machine

Now, we can achieve flexible and efficient redirection of network traffic to the desired ports on the local machine.

Since socat doesn’t automatically continue the port redirection setting, we can create a startup script to ensure the setting is started at the system boot.

So, we’ll create a service file:

$ cat /etc/systemd/system/socat-port-forward.service

[Unit]
Description=Socat Port Forwarding
After=network.target

[Service]
ExecStart=/usr/bin/socat TCP-LISTEN:80,fork TCP:localhost:8080

[Install]
WantedBy=multi-user.target

In this sample service file, we defined several options:

  • Description – short description of the service
  • After – specifies that the service should start after the network is up
  • ExecStart – command to be executed when the service is started
  • WantedBy – service should be enabled and started when the system reaches the multi-user target

Now, we’ll set the proper unit file permissions with chmod:

$ chmod 644 socat-port-forward.service

This command sets the file permissions as follows:

  • 6 – read and write for the owner of the file
  • 4 – read-only for the group that owns the file
  • 4 – read-only for others, everyone else

Then, we can enable the service start at boot time:

$ sudo systemctl enable socat-port-forward

Finally, we can start the service manually:

$ sudo systemctl start socat-port-forward

The service should now be active, and should automatically start at system startup, persisting the redirection.

5. Using UFW

UFW (Uncomplicated Firewall) is a tool for managing firewall rules in Linux. Moreover, UFW provides a simplified interface to iptables and allows us to configure port redirection. By defining UFW rules, we can redirect network traffic from one port to another.

Firstly, we’ll install UFW:

$ sudo apt install ufw

Secondly, we’ll enable UFW:

$ sudo ufw enable

Thirdly, we allow incoming connections to our forwarded port:

$ sudo ufw allow 80

Now, we’ll set up a rule:

$ sudo ufw route allow from any port 80 to 127.0.0.1 port 8080

Here, we allow port 80 traffic to be redirected to port 8080 on the localhost:

  • route allow – specifies that we want to create a routing rule
  • from any – allow any source host and IP
  • 80 – incoming traffic on port 80
  • to 127.0.0.1 – sets the destination IP address as localhost
  • port 8080 – traffic should be redirected to port 8080

Finally, we’ll save the rule:

$ sudo su -c 'ufw export save > /etc/ufw/user.rules'

This way, we ensure the action persists after a system restart.

6. Using firewalld

firewalld is a full-fledged firewall for Linux systems. firewalld provides an interface to configure and manage firewall rules. Besides, firewalld supports port redirection and allows specific network ports to be redirected to one another.

First, we’ll install firewalld using apt:

$ sudo apt install firewalld

Now, we’ll start the firewalld service:

$ sudo systemctl start firewalld

Then, let’s enable firewalld to start on boot:

$ sudo systemctl enable firewalld

Next, we’ll allow incoming connections:

$ sudo firewall-cmd --zone=public --add-port=80/tcp

In this example, we used –zone to set the firewall zone in which the rule should be applied to public. Moreover, by using –add-port we added a rule to allow incoming traffic on port 80 using the TCP protocol.

Then, we can set up port redirection:

$ sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=127.0.0.1

Here, we used several options:

  • –zone specifies the firewall zone in which the rule should be applied
  • –add-forward-port adds a port forwarding rule
  • port=80 sets the forwarded port that we redirect from as 80
  • proto=TCP sets the TCP protocol for the rule
  • toport=8080 sets the forward port that we’re redirecting to as 8080
  • toaddr=127.0.0.1 configures the destination address to which the traffic should be redirected

Then, we’ll save the firewalld setting via the –runtime-to-permanent option:

$ sudo firewall-cmd --runtime-to-permanent

At this point, we’ve redirected port 80 to 8080, and the redirection remains after a restart.

7. Using nftables

nftables is a packet-filtering framework for Linux. It allows fine-grained control over network traffic using rules and tables. Moreover, with nftables, we can configure port redirection. This is achieved by defining rules that redirect incoming traffic from one port to another on the local machine.

First, let’s install nftables:

$ sudo apt install nftables

Then, we’ll start the nftables service:

$ sudo systemctl start nftables

Next, we’ll enable nftables to start on boot:

$ sudo systemctl enable nftables

Now, we’ll create the forward.nft setting file:

$ cat forward.nft
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority 0;
        tcp dport 80 dnat to 127.0.0.1:8080
    }
}

This setting sets up a NAT table in the ip family and defines a PREROUTING chain. Moreover, the TCP dport 80 rule matches incoming TCP traffic on port 80. Besides, the dnat to 127.0.0.1:8080 action redirects the port 80 traffic to port 8080 on the local machine.

Finally, let’s process and apply the file contents as rules:

$ sudo nft -f forward.nft

Here, we used the -f option to set the following argument file that contains a set of nftables rules.

8. Conclusion

In this article, we used various methods to implement port redirection on Linux machines, including iptables, socat, UFW, firewalld, and nftables.

Firstly, we used iptables to change network packets and redirect traffic by using a chain in the NAT table. We also learned how to persist iptables rules across system reboots.

Next, with socat, we performed port redirection by listening to an exact port and redirection incoming traffic to another port. Besides, we created a system service to automatically initiate socat during system boot.

Also, UFW provided a simplified interface for setting port redirection via the definition of rules. We allowed incoming connections on defined ports and set port forwarding using the UFW route command.

Moreover, we saw that firewalld enabled port redirection by allowing us to define firewall zones and redirection rules.

Lastly, we explored nftables, a packet-filtering framework. We defined rules in a setting file to redirect incoming traffic between ports.

Now, we can effectively manage and control network traffic through port redirection on our Linux machine.

Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.