1. Introduction

While we can enable most UFW firewall rules with ufw commands, port forwarding is different: we set it up by editing UFW's configuration files. Nevertheless, the steps are straightforward.

In this tutorial, we’ll go over the steps to activate packet forwarding and set up a port forward using UFW.

2. Enabling Packet Forwarding

Before we configure UFW to allow port forwarding, we must enable packet forwarding. We can do this through either of:

  • the UFW network variables file: /etc/ufw/sysctl.conf
  • the system variables file: /etc/sysctl.conf

In this tutorial, we’ll use the UFW network variables file since UFW prioritizes it over the system variables file.

To enable packet forwarding, let’s open /etc/ufw/sysctl.conf:

$ sudo nano /etc/ufw/sysctl.conf

After that, let’s uncomment net/ipv4/ip_forward=1.

If we have access to the root user, we can enable packet forwarding on /etc/ufw/sysctl.conf by running:

# echo 'net/ipv4/ip_forward=1' >> /etc/ufw/sysctl.conf

This command appends the uncommented packet forwarding setting to the end of the /etc/ufw/sysctl.conf file.

3. Configuring Port Forwarding on UFW

We can configure UFW to forward traffic from an external port to an internal port. If we have to, we can also set it up to forward traffic from an external port to a server listening on a specific internal port.

3.1. Port Forwarding From an External Port to an Internal Port

To set up a port forward on UFW, we must edit the /etc/ufw/before.rules file:

$ sudo nano /etc/ufw/before.rules 

In the before.rules file, let’s add a NAT table after the filter table (the table that starts with *filter and ends with COMMIT):

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 500
COMMIT

This NAT table will redirect incoming traffic from the external port (80) to the internal port (500). Because the rule names no input interface, it matches TCP traffic to port 80 arriving on any interface. Of course, we can adjust the table to forward traffic from any other external port to any other internal port.

Now that we’ve saved the NAT table to the before.rules file, let’s allow traffic through the internal port since we didn’t do that before:

$ sudo ufw allow 500/tcp
Rule added
Rule added (v6)

Lastly, let’s restart UFW:

$ sudo systemctl restart ufw

3.2. Port Forwarding From an External Port to a Server Listening on a Specific Internal Port

We can forward incoming traffic from an external port to a server listening on a specific internal port using the same steps as above. However, we’ll use a different NAT table for this purpose:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to-destination 192.168.56.9:600
COMMIT

Unlike the other table, this redirects incoming traffic from port 443 (external port) to 192.168.56.9 (the server) listening on port 600 (internal port). As we did before, we’ll ensure that we allow traffic through the internal port.
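
To review what a before.rules file actually forwards, and whether packet forwarding is switched on, here is a read-only audit script. It is an added example, not part of the original tutorial: the function names (forwarding_enabled, list_forwards, unscoped_forwards) are hypothetical, and the sample file is constructed from the two NAT tables shown above.

```shell
#!/bin/sh
# Added example: read-only audit of UFW port-forwarding configuration files.

# Succeed if FILE contains an uncommented ip_forward=1 line (slash or dot form).
forwarding_enabled() {
    grep -Eq '^[[:space:]]*net[/.]ipv4[/.]ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Print "<proto> <dport> <target> <destination> <iface>" for each REDIRECT/DNAT
# rule in the *nat table's PREROUTING chain; iface is ANY when no -i is given.
list_forwards() {
    awk '
        /^\*nat/   { in_nat = 1; next }
        /^COMMIT/  { in_nat = 0; next }
        in_nat && $1 == "-A" && $2 == "PREROUTING" {
            proto = "any"; dport = "any"; iface = "ANY"; target = ""; dest = "-"
            for (i = 3; i < NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-i")      iface  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
                if ($i ~ /^--to-(ports?|destination)$/) dest = $(i + 1)
            }
            if (target == "REDIRECT" || target == "DNAT")
                print proto, dport, target, dest, iface
        }' "$1"
}

# Forwards that match on every interface, usually the ones worth a second look.
unscoped_forwards() {
    list_forwards "$1" | awk '$5 == "ANY"'
}

# Constructed sample mirroring the two NAT tables from this tutorial.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
*filter
-A ufw-before-input -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 500
-A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to-destination 192.168.56.9:600
COMMIT
EOF
list_forwards "$SAMPLE"
```

On a real host, the same functions can be pointed at /etc/ufw/before.rules and /etc/ufw/sysctl.conf (reading them may require sudo).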

4. Conclusion

In this article, we discussed how to enable port forwarding on UFW. We covered port forwarding from an external port to an internal port. Afterward, we went over the NAT table for port forwarding to a server listening on a specific internal port.

While we used the UFW network variables file to enable packet forwarding, we could’ve also worked with the system variables file. To do that, we would’ve modified the value of the IP_SYSCTL variable in the /etc/default/ufw file, changing it from its default value to /etc/sysctl.conf.
