Port forwarding

From Wikipedia, the free encyclopedia

It is common to configure port forwarding on routers over a web interface. Here, the user is configuring port forwarding for a Conexant router using the Konqueror web browser. 10.0.0.3 and 10.0.0.5 are the private IPs on the LAN.

Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.

Port forwarding allows remote computers (e.g. public machines on the Internet) to connect to a specific computer within a private LAN.

For example:

  • forwarding port 8000 on the router to a user's machine allows SHOUTcast streaming
  • forwarding ports 5000 through 6000 to a user's machine allows the use of Unreal Tournament
  • forwarding ports 80 or 443 to run a webserver
  • forwarding port 22 to allow Secure Shell access
  • forwarding port 3728 to allow GigaTribe access

Modern Linux machines achieve this by adding iptables rules to the nat table: a DNAT target in the PREROUTING chain rewrites the destination address of incoming packets, and/or an SNAT target in the POSTROUTING chain rewrites their source address.
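The following script, added here as an illustration and not taken from the article, generates the iptables commands for the DNAT/SNAT approach just described on a Linux router. It prints the commands by default (a dry run) and executes them only with `--apply`, which needs root and iptables. The interface name `eth0` and the public address `203.0.113.10` are assumed values; `10.0.0.3` is the LAN host from the article's caption, and the UDP protocol for the game port range is also an assumption.

```shell
#!/bin/sh
# Added example (not from the article): emit the iptables commands that forward
# public ports on a Linux router to a host on the LAN. Dry run by default;
# --apply executes the commands (root and iptables required).

WAN_IF="eth0"          # assumed: router's Internet-facing interface
WAN_IP="203.0.113.10"  # assumed: router's public address (documentation range)
LAN_HOST="10.0.0.3"    # private LAN host from the article's caption

# forward_rules PUBLIC_PORT HOST PORT [PROTO]
# DNAT in nat/PREROUTING rewrites the destination of packets arriving on the
# WAN interface for PUBLIC_PORT; the FORWARD rule admits only that traffic.
forward_rules() {
    pub="$1"; host="$2"; port="$3"; proto="${4:-tcp}"
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$proto" "$pub" "$host" "$port"
    printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$proto" "$host" "$port"
}

# range_rules FIRST LAST HOST [PROTO]
# Forward a whole port range unchanged (e.g. 5000 through 6000); with no port
# in --to-destination, DNAT keeps each packet's original destination port.
range_rules() {
    first="$1"; last="$2"; host="$3"; proto="${4:-tcp}"
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s:%s -j DNAT --to-destination %s\n' \
        "$WAN_IF" "$proto" "$first" "$last" "$host"
    printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$proto" "$host" "$first" "$last"
}

# snat_rule HOST PORT [PROTO]
# SNAT in nat/POSTROUTING makes the LAN host see the router as the sender,
# which is the caveat the article describes. It is only needed when the LAN
# host's replies would not otherwise route back through this router, so it is
# left out of the default rule set.
snat_rule() {
    host="$1"; port="$2"; proto="${3:-tcp}"
    printf 'iptables -t nat -A POSTROUTING -p %s -d %s --dport %s -j SNAT --to-source %s\n' \
        "$proto" "$host" "$port" "$WAN_IP"
}

# Complete rule set for three of the examples in the article's list.
build_ruleset() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'   # the kernel must route at all
    # return traffic of forwarded connections, whichever direction it flows
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    forward_rules 80 "$LAN_HOST" 80              # web server
    forward_rules 22 "$LAN_HOST" 22              # Secure Shell
    range_rules 5000 6000 "$LAN_HOST" udp        # game port range (UDP assumed)
}

case "${1:-}" in
    --apply) build_ruleset | sh ;;   # execute the commands
    *)       build_ruleset ;;        # dry run: only print them
esac
```

The FORWARD rules are restricted to the forwarded host and port so that enabling `ip_forward` does not also turn the router into an open relay between its interfaces; `iptables -t nat -L PREROUTING -n -v` afterwards shows whether the DNAT rule is matching packets.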

BSD and Mac OS X machines use a similar tool named ipfw, which is a built-in part of the operating system's kernel and is therefore likely already running.

Some common caveats with port forwarding include:

  • Packets arriving at the router's forwarded port must not only be forwarded but also rewritten so that the machine the port is forwarded to can reply toward the original source address; as a result, the destination (private) machine cannot see the actual originator of the forwarded packets and sees them as if they came from the router
  • Only one networked machine can use a given forwarded port at one time
  • Traditional port forwarding exposes the forwarded port to the entire world, which slightly reduces network security

Single Computer

Port forwarding can also be used within a single machine. Port forwarding is necessary for a standalone computer if any of the following conditions are true:

  • The computer is using a shared IP address
  • Internet Connection Sharing is enabled
  • A router is being used

In a typical home networking setup, internet access is through a DSL or Cable modem. That modem may be connected to a router, which is then connected to the networked computers by Ethernet or WiFi. The router is the device that the Internet sees; it holds the public IP address. The computer behind the router, on the other hand, is invisible to the Internet as it holds a local IP address. Port forwarding is necessary in the router because computers will send information directed to the public IP address and the router needs to know where to send that information.

Port forwarding is commonly done on Unix-derived computers, where ports numbered below 1024 can only be bound by software running as the root user. Running as root can be a security risk, so some people use port forwarding to redirect incoming traffic from a low-numbered port to software listening on a higher port. For example, a web server may listen on a port such as 8080 for traffic redirected from the restricted port 80.
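The single-host case above uses a different iptables target from router-style forwarding: REDIRECT, which sends packets to a port on the machine itself. The script below is an added example, not code from the article, that redirects port 80 to 8080 so the web server can run as an unprivileged user. It prints the commands by default and executes them with `--apply` (root required); the interface name `eth0` is an assumed value.

```shell
#!/bin/sh
# Added example (not from the article): redirect the privileged port 80 to
# port 8080 on the same Linux host with the iptables REDIRECT target, so the
# web server never needs root to bind its port. Dry run by default; --apply
# executes the commands.

IN_IF="eth0"   # assumed: interface on which outside clients reach this host

# redirect_rules LOW_PORT HIGH_PORT [PROTO]
# nat/PREROUTING handles packets arriving from other hosts; nat/OUTPUT handles
# connections made on the host itself (e.g. a local test with a browser or
# curl), which never pass through PREROUTING.
redirect_rules() {
    low="$1"; high="$2"; proto="${3:-tcp}"
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j REDIRECT --to-ports %s\n' \
        "$IN_IF" "$proto" "$low" "$high"
    printf 'iptables -t nat -A OUTPUT -o lo -p %s --dport %s -j REDIRECT --to-ports %s\n' \
        "$proto" "$low" "$high"
}

# accept_rule HIGH_PORT [PROTO]
# The redirect happens before filtering, so the filter table's INPUT chain
# sees traffic for HIGH_PORT, not LOW_PORT; open only the high port there.
accept_rule() {
    high="$1"; proto="${2:-tcp}"
    printf 'iptables -A INPUT -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$proto" "$high"
}

# Command to verify the result: nat rules with their packet counters.
show_cmd() {
    printf 'iptables -t nat -L PREROUTING -n -v --line-numbers\n'
}

build_ruleset() {
    redirect_rules 80 8080
    accept_rule 8080
}

case "${1:-}" in
    --apply) build_ruleset | sh; show_cmd | sh ;;
    *)       build_ruleset; show_cmd ;;
esac
```

After applying, the server process listens only on 8080 and can be started as an ordinary user; port 80 is never opened in the filter table at all, since no packet reaches INPUT with that destination port any more.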
