wiki.ipfire.org

The community-maintained documentation platform of IPFire

User Tools

Site Tools


configuration:firewall:rules:port-forwarding

Creating a Port-Forward Rule

Setting up port-forwarding is a very common task. This guide explains how to set up a port-forwarding rule really quickly. Please checkout out the firewall rules reference for further description.

Technical Background

A port-forward is another term for a Destination NAT. Packets that are received by the firewall can be transparently forwarded to a new destination. Setting up a port-forwarding rule requires an originating source and new destination to be specified, with optional protocol constraints to further refine the rule.

Rule Creation

To create a new port-forwarding rule, select » Firewall » Firewall Rules and press the “New rule” button. Source and destination ports can only be defined for protocols that uses ports, i.e. TCP or UDP.

Step 1: Source

Define the source from which the service you are forwarding to is accessible. Usually, you do not need to specify anything other than the defaults. Where practical, limit the possible source(s) by selecting a host, group of hosts or specific network.

Choose the following to forward a WAN / RED port to a single internal server.

  • Standard Networks: Any or RED

Step 2: NAT

As this is a NAT rule, check “Use Network Address Translation (NAT)” and select “Destination NAT (Port forwarding)”.

If you have public IP address space in the destination zone, you don't need to check the NAT checkbox, but make sure to select ACCEPT as rule action further down below.

Choose the following to forward a WAN / RED port to a single internal server.

  • Use Network Address Translation(NAT)
  • Destination Nat(Port Forwarding)
  • Firewall Interface = Automatic

Step 3: Destination

Now, you will need to pick the server to which you are going to forward packets to. You can either select it from the dropdown boxes or enter the IP address directly. Note, that the system must be part of a local network that is reachable from the firewall.

Choose the following to forward a WAN / RED port to a single internal server.

  • Destination address (IP address or network) = Set to the address of the target computer/server.

Step 4: Protocol

You will want to pick one or more services that you will forward to the server you just choose, but never select “All” here.

Use a preset if you cannot remember the port number or select a protocol from the dropdown menu and enter the destination port you need. If you want to use a different port externally, you may enter it in “External port (NAT)” or leave it empty.

Choose the following to forward a WAN / RED port to a single internal server.

  • Choose a protocol, TCP, UDP are the most common.
  • Source port: = Blank, This is the port the client was using to talk to you.
  • Destination port: = The port the server is listening to.
  • External port (NAT): The port number the rest of the world will talk to, normally “Blank” for the same port as Destination port.

Step 5: Done

We are almost done, now. Just make sure that you select the “ACCEPT” option, so that all packets that match your rule are accepted by the firewall and don't forget to add a descriptive remark.

Optionally, you may specify at which time the rule is active only. See Creating Firewall Rules (reference) for all about this feature.

Congratulations. You finally set up your port-forwarding!

Examples

configuration/firewall/rules/port-forwarding.txt · Last modified: 2018/09/01 20:28 by Jon