Set up a Port Forward Using UFW

Last updated: March 18, 2024

Reviewed by: Luis Javier Peris

1. Introduction

While we can enable various UFW firewall rules using commands, things are a bit different when setting up port forwarding. Nevertheless, the steps are straightforward.

In this tutorial, we’ll go over the steps to activate packet forwarding and set up a port forward using UFW.

2. Enabling Packet Forwarding

Before we configure UFW to allow port forwarding, we must enable packet forwarding. We can do this through any of:

  • the UFW network variables file: /etc/ufw/sysctl.conf
  • the system variables file: /etc/sysctl.conf

In this tutorial, we’ll use the UFW network variables file since UFW prioritizes it over the system variables file.

To enable packet forwarding, let’s open /etc/ufw/sysctl.conf:

$ sudo nano /etc/ufw/sysctl.conf

After that, let’s uncomment net/ipv4/ip_forward=1.

If we have access to the root user, we can enable packet forwarding on /etc/ufw/sysctl.conf by running:

# echo 'net/ipv4/ip_forward=1' >> /etc/ufw/sysctl.conf

This command basically appends the uncommented packet forwarding string to the /etc/ufw/sysctl.conf file.

3. Configuring Port Forwarding on UFW

We can configure UFW to forward traffic from an external port to an internal port. If we have to, we can also set it up to forward traffic from an external port to a server listening on a specific internal port.

3.1. Port Forwarding From an External Port to an Internal Port

To set up a port forward on UFW, we must edit the /etc/ufw/before.rules file:

$ sudo nano /etc/ufw/before.rules

In the before.rules file, let’s add a NAT table after the filter table (the table that starts with *filter and ends with COMMIT):

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 500
COMMIT

This NAT table will redirect incoming traffic from the external port (80) to the internal port (500). Of course, we can adjust the table to forward traffic from any other external port to any other internal port.

Now that we’ve saved the NAT table to the before.rules file, let’s allow traffic through the internal port since we didn’t do that before:

$ sudo ufw allow 500/tcp
Rule added
Rule added (v6)

Lastly, let’s restart UFW:

$ sudo systemctl restart ufw

3.2. Port Forwarding From an External Port to a Server Listening on a Specific Internal Port

We can forward incoming traffic from an external port to a server listening on a specific internal port using the same steps as above. However, we’ll use a different NAT table for this purpose:

*nat :PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT \ --to-destination 192.168.56.9:600
COMMIT

Unlike the other table, this redirects incoming traffic from port 443 (external port) to 192.168.56.9 (the server) listening on port 600 (internal port). As we did before, we’ll ensure that we allow traffic through the internal port.

4. Conclusion

In this article, we discussed how to enable port forwarding on UFW. We covered port forwarding from an external port to an internal port. Afterward, we went over the NAT table for port forwarding to a server listening on a specific internal port.

While we used the UFW network variables file to enable packet forwarding, we could’ve also worked with the system variable file. To do that, we would’ve modified the value of the IP_SYSCTL variable in the /etc/default/ufw file, changing it from its default value to /etc/sysctl.conf.

2 Comments
Oldest
Newest
Inline Feedbacks
View all comments
Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.