Port forwarding
From Wikipedia, the free encyclopedia
This article or section needs copy editing for grammar, style, cohesion, tone or spelling. You can assist by editing it now. A how-to guide is available. (March 2008) |
Sections should be added to this article, to conform with Wikipedia's Manual of Style. Please discuss this issue on the talk page. |
Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.
Contents |
[edit] Purposes
Port forwarding allows remote computers (e.g. public machines on the Internet) to connect to a specific computer within a private LAN.
For example:
- forwarding port 80 to run an HTTP webserver
- forwarding port 22 to allow Secure Shell access
- forwarding port 21 to allow FTP access
Modern Linux machines achieve this by adding iptables rules to the nat table: with target DNAT to the PREROUTING chain, and/or with target SNAT in the POSTROUTING chain.
BSD and Mac OS X machines use a similar tool named ipfw. The ipfw tool is likely already running as a built-in part of the operating system's kernel.
Some common caveats with port forwarding include:
- The need to forward the packets that come to the router's forwarded port as well as the need to rewrite them so that the machine to which the port is forwarded can reply to the original source address, which in turn leads to the inability of the destination (private) machine to see the actual originator of the forwarded packets, and instead see them as if originating from the router
- Only one networked machine can use a specific forwarded port at one time
- Traditional port forwarding allows the entire world access to the forwarded port, slightly reducing network security
Port forwarding can also be used within a single machine. Port forwarding is necessary for a standalone computer if any of the following conditions are true:
- The computer is using a shared IP address.
- Internet Connection Sharing is enabled.
- A router is being used with NAT enabled.
In a typical home networking setup, internet access is through a DSL or Cable modem. That modem may be connected to a router, which is then connected to the networked computers by Ethernet or WiFi. The router is the device that the Internet sees; it holds the public IP address. The computers behind the router, on the other hand, are invisible to the Internet as they hold a local IP address each. Port forwarding is necessary in the router because computers will send information directed to the public IP address and the router needs to know where to send that information.
Port forwarding is commonly done on Unix computers where port numbers numbered below 1024 can only be accessed by software running as the root user. Running as root can be a security risk, so some people use port forwarding to redirect incoming traffic from a low numbered port to software listening on a higher port. For example, a web server may be listening on a port such as 8080 for traffic redirected from the restricted port 80. A port may be forwarded for use by either the TCP protocol, the UDP protocol, or both.
[edit] Double port forwarding
Double port forwarding can be done on a network with multiple routers. From the first router, ports from the public IP address are forwarded to another router/gateway's external IP address which in turn forwards them on to a host on the private network. [1]
[edit] Reverse port forwarding
Reverse port forwarding, or reverse port tunnelling, is done by two components, usually software-based, where one component acts as a session-server - listening on a session-port, while the other component acts as a session-client to the session-server component - connecting to the session-server. After a session is established, the session-server will often listen on (accept connections on) a port that is to be forwarded, and when a connection is made to this port, the connection traffic will be forwarded to the session-client (through the session-connection that was previously initiated by the session-client), usually with a destination of the session-client machine or another machine accessible from the session-client. A common situation where this type of forwarding is used is where a port needs to be accessed that is on a machine located behind a gateway/router or firewall that is not configurable by those wanting to access that port. This functionality is built-in to some implementations of SSH (Secure Shell), and there are also software systems available that are designed more specifically for this type of forwarding.
[edit] See also
[edit] References
[edit] External links
- portforward.com - A large howto and resource site on port forwarding
- portwiki.net - A 'wiki-style' resource with port listings and guides for router and firewall port forwarding.
[edit] Reverse port forwarding systems
- PortImport - Reverse port forwarding software for Windows