How to Configure Port Forwarding with UFW Firewall for Tomcat HTTP Traffic (Port 80 to 8080)


While UFW (Uncomplicated Firewall) is primarily known for its simple firewall rule management, it can indeed handle port forwarding through its underlying iptables integration. For developers needing to redirect HTTP traffic (port 80) to Tomcat (port 8080) on the same machine, UFW provides a clean solution.

Ensure your system meets these requirements:

  • UFW is installed (sudo apt install ufw on Debian/Ubuntu)
  • IP forwarding is enabled in sysctl (net.ipv4.ip_forward=1)
  • You have sudo privileges
  • Tomcat is running and listening on port 8080

First, enable UFW if not already active:

sudo ufw enable

Then configure the port forwarding rules:

# Allow incoming HTTP traffic
sudo ufw allow 80/tcp
# The REDIRECT below rewrites the port before INPUT filtering, so 8080 must be open too
sudo ufw allow 8080/tcp

# FORWARD-chain rule; only needed when the target is another host or container
sudo ufw route allow in on eth0 proto tcp from any to any port 80
# NAT: rewrite destination port 80 to 8080 for packets arriving on eth0
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Since iptables rules added on the command line don't survive a reboot (and UFW flushes them whenever it reloads), put the rule in UFW's existing before.rules file instead:

sudo nano /etc/ufw/before.rules

Add these lines before the *filter section:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
COMMIT

Check if the rules are active:

sudo iptables -t nat -L
sudo ufw status verbose

Test the forwarding from another host by making an HTTP request to your server's port 80 and confirming that Tomcat on 8080 answers it.

For developers running Tomcat in Docker, modify the rules:

# Replace 172.17.0.2 with the container's actual address (docker inspect)
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 172.17.0.2:8080
sudo iptables -t nat -A POSTROUTING -j MASQUERADE

If forwarding doesn't work:

  • Check that UFW is allowing port 80: sudo ufw status
  • Verify Tomcat is bound to 0.0.0.0:8080, not just 127.0.0.1
  • Check system logs: journalctl -u ufw

UFW (Uncomplicated Firewall) is Ubuntu's frontend for iptables that simplifies firewall configuration. While UFW excels at basic firewall rules, it doesn't have native port forwarding commands. However, we can achieve port forwarding by combining UFW with underlying iptables rules.

Before proceeding, ensure:

  • UFW is installed (sudo apt install ufw)
  • You have sudo privileges
  • IP forwarding is enabled in sysctl (net.ipv4.ip_forward=1)

Here's how to forward port 80 to 8080 for Tomcat:

# First, enable UFW if not already enabled
sudo ufw enable

# Allow incoming traffic on both ports
sudo ufw allow 80/tcp
sudo ufw allow 8080/tcp

# Open UFW's before.rules to add the port forwarding rule
sudo nano /etc/ufw/before.rules

Add these lines before the *filter section:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
COMMIT
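The "add these lines before the *filter section" step above (and the identical step in the first walkthrough) is easy to get wrong by hand. This added script, which is not part of the original article, generates that nat block and inserts it ahead of *filter in a copy of before.rules, refusing when a *nat table is already present or no *filter section exists. It assumes POSIX sh with awk and grep; the file path, ports and interface are parameters you supply.

```shell
#!/bin/sh
# Added example, not from the original article: build the *nat block from the
# walkthrough and insert it ahead of *filter in a copy of /etc/ufw/before.rules.
# Assumes POSIX sh, awk and grep. Work on a copy, review the diff, then install
# it with sudo.

# Print the nat table for one REDIRECT. $1 = public port, $2 = target port,
# $3 = optional inbound interface (e.g. eth0); empty means any interface.
nat_block() {
  if [ -n "$3" ]; then iface="-i $3 "; else iface=""; fi
  printf '*nat\n:PREROUTING ACCEPT [0:0]\n-A PREROUTING %s-p tcp --dport %s -j REDIRECT --to-port %s\nCOMMIT\n' \
    "$iface" "$1" "$2"
}

# Insert the block before the first "*filter" line of $1 (a rules file).
# $2 = public port, $3 = target port, $4 = optional interface.
# Refuses if the file already has a *nat table (a second one would be
# loaded on top of the first) or has no *filter section to anchor on.
insert_redirect() {
  if grep -q '^\*nat' "$1"; then
    echo "$1 already contains a *nat table; edit that one instead" >&2
    return 1
  fi
  if ! grep -q '^\*filter' "$1"; then
    echo "$1 has no *filter section; refusing to guess the insert point" >&2
    return 1
  fi
  block=$(nat_block "$2" "$3" "$4")
  tmp="$1.tmp.$$"
  # The block is passed through the environment so awk does no escape processing on it
  BLK="$block" awk '
    !done && /^\*filter/ { print ENVIRON["BLK"]; print ""; done = 1 }
    { print }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}
```

Run it as `insert_redirect ./before.rules 80 8080 eth0` on a copy, then compare against the live file before installing.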

Rules placed in before.rules are reloaded by UFW on every start, so they persist across reboots without further steps. If you forward to another host or container (DNAT rather than a local REDIRECT), the FORWARD chain must also accept the traffic:

# Edit UFW's main configuration
sudo nano /etc/default/ufw

# Change DEFAULT_FORWARD_POLICY to:
DEFAULT_FORWARD_POLICY="ACCEPT"

After applying changes, restart UFW:

sudo ufw disable && sudo ufw enable

Test the forwarding from another machine (a request from the server itself to localhost is handled by the OUTPUT chain and never reaches the PREROUTING REDIRECT):

curl http://<server-ip>/

You should see your Tomcat response (on port 8080) when accessing port 80.

For more complex scenarios:

  • Use -i eth0 to specify interface
  • Combine with IP restrictions using -s source_ip
  • For multiple forwards, add additional -A PREROUTING lines

If forwarding doesn't work:

# Check kernel forwarding is enabled
cat /proc/sys/net/ipv4/ip_forward

# Verify rules are active
sudo iptables -t nat -L -n -v

# Check UFW status
sudo ufw status verbose