
Port Forwarding in Linux with Iptables

9 Apr 2025
Hostman Team

Have you ever hosted a server (game or web) on your home computer and shared your IP address with friends, but no one could connect?

The culprit is your router, which hides every connected device behind its own IP address. Everything on the router's inside is the local network; everything beyond it is the global network. By default nothing relays connections from the global network to a device on the local one: the router simply stops them.

The solution is port forwarding, a technology that directs external requests to an internal device and vice versa. In Linux operating systems, the iptables utility is used for this purpose, which will be the focus of this article.

And if you’re looking for a reliable, high-performance, and budget-friendly solution for your workflows, Hostman has you covered with Linux VPS Hosting options, including Debian VPS, Ubuntu VPS, and VPS CentOS.

The commands shown in this guide were executed on a Hostman cloud server running Ubuntu 22.04.

What Is Port Forwarding?

Port forwarding (also known as port mapping) redirects network traffic from one port to another, either through a router (hardware-level) or a firewall (software-level).

With port forwarding, devices within a local network become accessible from the global network. Without it, external requests cannot reach internal devices.

Common scenarios where port forwarding is needed:

  • Connecting to a home server (game server, surveillance cameras, data storage).
  • Hosting game servers or websites on a home PC.
  • Accessing a remote desktop.
  • Remote device management.

For example, if a server in a local network operates on port 8080, port forwarding allows it to be accessed from the global network through port 80.

Example Setup:

  1. A computer with the private ("gray") IP 192.168.1.100 runs a web server listening on port 8080.
  2. The computer sits in a Wi-Fi router's local network; the router has the public ("white") IP 203.0.113.10 and listens on port 80.
  3. Every request from the global network to port 80 on the router is forwarded to port 8080 on the internal computer.

This setup allows us to redirect incoming traffic from the global network to the local network.

How Does Port Forwarding Work in Linux?

Linux has built-in tools for handling incoming and outgoing traffic. These tools act as a packet filtering and modification pipeline.

Port forwarding in Linux is based on NAT (Network Address Translation), configured using the iptables system utility.

What Is NAT?

NAT (Network Address Translation) is a technique that converts external requests from the global network into internal requests within the local network (and vice versa).

Technically, NAT modifies IP addresses and ports in data packets. It is not a standalone utility but a concept or approach.

There are two main types of NAT:

  • SNAT (Source NAT) – Modifies the source IP address in outgoing packets.
  • DNAT (Destination NAT) – Modifies the destination IP address in incoming packets.

NAT shields the local network from unsolicited external access as a side effect, which is exactly why an incoming connection needs an explicit port-forwarding rule before it can reach an internal host.

What Is Iptables and How Does It Work?

Iptables is the Linux utility for configuring the kernel's packet filter, NAT included. It works by editing tables made up of rule chains, and each rule decides what happens to the packets that match it.

Iptables has five built-in chains:

  • INPUT – Handles incoming packets.
  • FORWARD – Handles forwarded packets.
  • OUTPUT – Handles outgoing packets.
  • PREROUTING – Handles packets before routing.
  • POSTROUTING – Handles packets after routing.

Iptables has five tables, each using specific rule chains:

  • filter – Allows or blocks packets (INPUT, FORWARD, OUTPUT).
  • nat – Modifies IP addresses and ports (OUTPUT, PREROUTING, POSTROUTING).
  • mangle – Alters packet headers (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING).
  • raw – Controls connection tracking, e.g. exempting packets from it (OUTPUT, PREROUTING).
  • security – Applies additional security policies (INPUT, FORWARD, OUTPUT).

The rule chains act as hooks in the packet processing pipeline, allowing iptables to implement port forwarding in Linux.

How Port Forwarding Works in Iptables

Port forwarding in iptables follows a standard packet processing flow based on three possible directions:

  • Incoming (INPUT) – Packets sent to the local system.
  • Outgoing (OUTPUT) – Packets sent from the local system.
  • Forwarded (FORWARD) – Packets routed through the system.

Incoming Packets (INPUT) Processing Order

  1. raw (PREROUTING) – Connection filtering.
  2. mangle (PREROUTING) – Packet modification.
  3. nat (PREROUTING) – Changes the destination address.
  4. If the packet is for this system, continue to INPUT processing. Otherwise, forward it.
  5. mangle (INPUT) – Final packet modification.
  6. filter (INPUT) – Packet filtering.
  7. security (INPUT) – Security policy enforcement.

Outgoing Packets (OUTPUT) Processing Order

  1. raw (OUTPUT) – Connection filtering.
  2. mangle (OUTPUT) – Packet modification.
  3. nat (OUTPUT) – Changes the destination address.
  4. filter (OUTPUT) – Final packet filtering.
  5. security (OUTPUT) – Security policy enforcement.
  6. mangle (POSTROUTING) – Final packet modification.
  7. nat (POSTROUTING) – Changes the source address.

Forwarded Packets (FORWARD) Processing Order

  1. raw (PREROUTING) – Connection filtering.
  2. mangle (PREROUTING) – Packet modification.
  3. nat (PREROUTING) – Changes the destination address.
  4. Forwarding decision is made.
  5. mangle (FORWARD) – Packet modification.
  6. filter (FORWARD) – Packet filtering.
  7. security (FORWARD) – Security policy enforcement.
  8. mangle (POSTROUTING) – Final packet modification.
  9. nat (POSTROUTING) – Changes the source address.

General Processing Order of Tables:

  1. raw
  2. mangle
  3. nat
  4. filter
  5. security

Types of Port Forwarding

Common types of port forwarding include:

  1. Local Forwarding – Redirects traffic within the same machine. Example: An application on a local server sends a request to a specific port.
  2. Interface Forwarding – Redirects traffic between different network interfaces. Example: A packet from the global network arrives on one interface and is forwarded to another.
  3. Remote Host Forwarding – Redirects traffic from a remote server to a local host. Example: A request from a remote server is forwarded to a local machine.

Each type of port forwarding is implemented using a specific set of rules in the iptables tables.

Using the Iptables Command

In most Linux distributions, the iptables utility is already installed. You can check this by querying its version:

iptables --version

If iptables is not installed, you need to install it manually. First, update the package list:

sudo apt update

Then, install it:

sudo apt install iptables -y

Ubuntu (like many other Linux distributions) ships the ufw firewall front end, which itself writes iptables rules. To keep the two from fighting over the rule set, stop the ufw service first:

sudo systemctl stop ufw

Then, disable it:

sudo systemctl disable ufw

Iptables Command Structure

The basic syntax of the iptables command is as follows:

iptables [TABLE] [COMMAND] [CHAIN] [NUMBER] [CONDITION] [ACTION]

In each specific command, only some of these parameters are used:

  • TABLE: The name of one of the five tables where the rule is added.
  • COMMAND: The operation to perform on a specific rule or chain.
  • CHAIN: The name of the chain where the operation is performed.
  • NUMBER: The rule number to manipulate.
  • CONDITION: The condition under which the rule applies.
  • ACTION: The transformation to be applied to the packet.

Selecting a Table

The -t flag specifies the table to operate within:

For filter:

iptables -t filter

For nat:

iptables -t nat

For mangle:

iptables -t mangle

For raw:

iptables -t raw

For security:

iptables -t security

If the -t flag is not specified, the default table is filter. The security table is rarely used.

Manipulating Rules

We can perform different operations on rules within each chain:

Add a rule to the end of a chain (-A):

iptables -A INPUT -s 192.168.123.132 -j DROP

This rule blocks incoming connections from the specified IP address.

Delete a rule by its number (-D):

iptables -D OUTPUT 7

Insert a rule at a specific position (-I):

iptables -I INPUT 5 -s 192.168.123.132 -j DROP

Replace a rule (-R):

iptables -R INPUT 5 -s 192.168.123.132 -j ACCEPT

This replaces a previously added blocking rule with an allow rule.

Flush all rules in a chain (-F):

iptables -F INPUT

Manipulating Chains

We can also perform operations on entire chains:

Create a new chain (-N):

iptables -N SOMENAME

Delete a chain (-X):

iptables -X SOMENAME

Rename a chain (-E):

iptables -E SOMENAME NEWNAME

Set default policy for a chain (-P):

iptables -P INPUT DROP

This drops every incoming packet that no rule in INPUT has accepted, since the policy applies only to packets that reach the end of the chain. Add the ACCEPT rules you depend on (for example, for your own SSH session) before setting it, or you will lock yourself out of the server.

Reset statistics for a chain (-Z):

iptables -Z INPUT

Setting Conditions

Each rule can have conditions for its execution:

Specify the protocol (-p):

iptables -A INPUT -p tcp -j ACCEPT

This allows incoming connections using the TCP protocol.

Specify the source address (-s):

iptables -A INPUT -s 192.168.123.132 -j DROP

Specify the destination address (-d):

iptables -A OUTPUT -d 192.168.123.132 -j DROP

Specify network interface for incoming traffic (-i):

iptables -A INPUT -i eth2 -j DROP

Specify network interface for outgoing traffic (-o):

iptables -A OUTPUT -o eth3 -j ACCEPT

Specify the destination port (--dport):

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Specify the source port (--sport):

iptables -A INPUT -p tcp --sport 1023 -j DROP

Negate a condition (!):

iptables -A INPUT ! -s 192.168.123.132 -j DROP

This blocks all incoming connections except from the specified IP address.

Specifying Actions

Each table supports different actions:

For the filter table:

  • ACCEPT – Allow the packet.
  • DROP – Block the packet.
  • REJECT – Block the packet and send an error back to the sender (an ICMP message or, for TCP, a reset).
  • LOG – Log packet information.
  • RETURN – Stop processing in the current chain.

For the nat table:

  • DNAT – Change the packet’s destination address.
  • SNAT – Change the packet’s source address.
  • MASQUERADE – Change the source address dynamically.
  • REDIRECT – Redirect the packet to a port on the local machine itself (a special case of DNAT).
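
To see these flags working together rather than one at a time, here is an added example script (a hypothetical helper, not code from the article) that builds a small INPUT policy: a custom log-and-drop chain created with -N, an allow list for HTTP and admin-only SSH using --dport, -s and !, a blocked host inserted ahead of everything else with -I, and DROP default policies set with -P as the last step. The 203.0.113.0/24 admin network is a constructed sample; 192.168.123.132 is the article's example address. The DRY_RUN variable and the function names are this example's own assumptions: with DRY_RUN=1 it prints each iptables command instead of running it, which is a convenient way to review a rule set before applying it as root.

```shell
#!/bin/sh
# Hypothetical helper (added example, not the article's code): builds a small
# INPUT policy from the flags described above. DRY_RUN=1 prints each iptables
# command instead of running it, so the script can be reviewed before use.
# Note: iptables only handles IPv4; the same rules would be needed in ip6tables.
DRY_RUN="${DRY_RUN:-0}"
BLOCKED_HOST="192.168.123.132"    # the article's example address
ADMIN_NET="203.0.113.0/24"        # constructed sample: where SSH admins come from

ipt() {  # run iptables, or print the command line when dry-running
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Append a rule only if an identical one is not already present. -C tests for
# a rule without changing anything, so re-running the script never duplicates it.
ipt_once() {
    if [ "$DRY_RUN" != 1 ] && iptables -C "$@" 2>/dev/null; then
        return 0
    fi
    ipt -A "$@"
}

build_filter_policy() {
    # A user-defined chain (-N) that logs, then drops; every rule that wants
    # "log and drop" jumps here instead of repeating both steps.
    ipt -N LOGDROP
    ipt -A LOGDROP -j LOG --log-prefix "iptables-drop: "
    ipt -A LOGDROP -j DROP

    # Loopback and replies to connections this host opened are always allowed.
    ipt_once INPUT -i lo -j ACCEPT
    ipt_once INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Services: HTTP (--dport 80) from anywhere; SSH only from the admin network,
    # using ! to log and drop SSH attempts from everywhere else.
    ipt_once INPUT -p tcp --dport 80 -j ACCEPT
    ipt_once INPUT -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
    ipt_once INPUT -p tcp --dport 22 ! -s "$ADMIN_NET" -j LOGDROP

    # A known-bad host is inserted at position 1 (-I) so it is matched before
    # any ACCEPT rule, whatever order the rules above were added in.
    ipt -I INPUT 1 -s "$BLOCKED_HOST" -j LOGDROP

    # Default policies (-P): anything not matched in INPUT or FORWARD is dropped.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

# List INPUT with rule numbers; these are the numbers -D, -I and -R refer to.
show_input_rules() {
    ipt -t filter -L INPUT -n -v --line-numbers
}

if [ "${1:-}" = "apply" ]; then
    build_filter_policy
    show_input_rules
fi
```

Save it under a name of your choice and run `DRY_RUN=1 sh firewall.sh apply` (file name assumed) to review the commands, then `sudo sh firewall.sh apply` on a host where the policy is appropriate. The ESTABLISHED,RELATED rule is what keeps an existing SSH session alive once the INPUT policy flips to DROP, which is why the allow rules are added before the policies rather than after.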

Port Forwarding with Iptables

Local Port Forwarding

To redirect traffic that arrives for one port to another port on the same machine (here, requests for 8080 are handed to the service listening on 80):

sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80

PREROUTING only sees packets coming in from the network; to redirect connections that the machine itself originates, put the same REDIRECT rule in the nat table's OUTPUT chain instead.

To remove the rule, repeat it with -D and exactly the same match and target:

sudo iptables -t nat -D PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80

Forwarding Between Interfaces

To forward connections that arrive on eth0 for port 8080 to port 80 on the host 10.0.0.100, which is reached through eth1:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.100:80

Then allow the rewritten packets through the FORWARD chain (needed whenever that chain's policy is DROP):

sudo iptables -A FORWARD -p tcp -d 10.0.0.100 --dport 80 -j ACCEPT

The kernel also has to be permitted to route between interfaces at all (net.ipv4.ip_forward); enabling that is shown in the next section.

Forwarding to a Remote Host

To forward incoming packets to a remote server (here, a host on the internal network), three steps are needed.

Enable packet forwarding in the kernel. The write needs root privileges, and a shell redirection does not inherit them from sudo, so pipe through tee (or run sudo sysctl -w net.ipv4.ip_forward=1, which is equivalent):

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Add a port forwarding rule:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80

Rewrite the source address of the forwarded packets so that the internal host sends its replies back through this machine:

sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.100 --dport 80 -j MASQUERADE

This last rule is only required when 192.168.1.100 does not already route its replies via this host; with it in place the internal server sees the forwarding host's address instead of the real client's. If the FORWARD chain's policy is DROP, add an ACCEPT rule for the forwarded traffic there as well, as in the previous section.
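
Putting the pieces of this section together, here is an added example script (not the article's own code) that publishes an internal service through the forwarding host and can remove the same rules again. It wraps the PREROUTING DNAT rule, two FORWARD rules covering both directions, and an optional POSTROUTING MASQUERADE in one function, so that add and delete always use identical matches (iptables -D only removes a rule whose match and target are repeated exactly). The interface name eth0 and the address 192.168.1.100 are the article's example values; DRY_RUN, SNAT_TO_BACKEND and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Hypothetical script (added example, not from the article): publishes an
# internal service through this host with DNAT and tears the rules down again.
# DRY_RUN=1 prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-0}"

ipt() {  # run iptables, or print the command line when dry-running
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Usage: forward_port add|del EXT_IF EXT_PORT INT_IP INT_PORT
# The same rule set is emitted with -A (add) or -D (delete), so the removal
# command matches each rule exactly, as iptables -D requires.
forward_port() {
    case "$1" in
        add) op=-A ;;
        del) op=-D ;;
        *) echo "usage: forward_port add|del EXT_IF EXT_PORT INT_IP INT_PORT" >&2; return 2 ;;
    esac
    ext_if=$2; ext_port=$3; int_ip=$4; int_port=$5

    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    ipt -t nat $op PREROUTING -i "$ext_if" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$int_ip:$int_port"

    # 2. filter/FORWARD: permit the new connections and their replies in both
    #    directions; required whenever the FORWARD policy is DROP.
    ipt $op FORWARD -i "$ext_if" -p tcp -d "$int_ip" --dport "$int_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt $op FORWARD -o "$ext_if" -p tcp -s "$int_ip" --sport "$int_port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. nat/POSTROUTING, only if the internal host cannot route replies back
    #    through this machine. MASQUERADE replaces the client's source address
    #    with ours, so the internal server's logs then show this host instead
    #    of the real client; leave it off when it is not needed.
    if [ "${SNAT_TO_BACKEND:-0}" = 1 ]; then
        ipt -t nat $op POSTROUTING -p tcp -d "$int_ip" --dport "$int_port" -j MASQUERADE
    fi
}

# Forwarding only works if the kernel routes between interfaces at all.
enable_ip_forward() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

if [ "${1:-}" = "apply" ]; then
    enable_ip_forward
    forward_port add eth0 8080 192.168.1.100 80   # the article's example values
fi
```

Leave SNAT_TO_BACKEND unset when the internal host already routes its replies through this machine (the usual case when this host is its default gateway); MASQUERADE there would only hide the real client address from the internal server. The ip_forward change made by sysctl -w does not survive a reboot; put net.ipv4.ip_forward=1 in /etc/sysctl.conf or a file under /etc/sysctl.d/ to make it permanent.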

Alternatives to iptables for Port Forwarding

It should be noted that iptables is not the only tool for traffic management. There are several popular alternatives.

nftables

nftables is a more modern tool for managing traffic in Linux. Unlike iptables, it does not have predefined tables, and its syntax is more straightforward and concise.

Additionally, this utility uses a single command, nft, to manage all types of traffic: IPv4, IPv6, ARP, and Ethernet. In contrast, iptables requires additional commands such as ip6tables, arptables, and ebtables for these tasks.

firewalld

firewalld is a more complex traffic management tool in Linux, built around the concept of zones and services. This allows network resources to be assigned different levels of security.

The configuration of firewalld is broader and more flexible. For example, instead of manually defining rules for each port, we can specify specific services.

Additionally, firewalld provides a more interactive command-line interface, allowing real-time traffic management.

Conclusion

While there are alternatives, iptables remains the primary tool for traffic control in Linux. It provides a structured way to filter, modify, and forward packets, making it a powerful solution for managing network traffic.