Let's examine two common port forwarding scenarios on Debian systems:
# Redirect from local port 1234 to another machine's port 80
iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 192.168.57.25:80
iptables -t nat -A POSTROUTING -p tcp -d 192.168.57.25 --dport 80 -j SNAT --to-source 192.168.57.28
echo 1 > /proc/sys/net/ipv4/ip_forward
Key points about this configuration:
- The DNAT rule changes the destination before routing occurs
- The SNAT rule rewrites the source address so the server replies to the gateway, which matters when the server's default route does not already point back through it
- IP forwarding must be enabled for the machine to act as a router
For the ppp0 dynamic IP scenario:
# Forward traffic coming in via ppp0 to internal server
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1234 -j DNAT --to-destination 192.168.57.25:80
iptables -t nat -A POSTROUTING -o eth3 -p tcp -d 192.168.57.25 --dport 80 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
If your port forwarding isn't working, check these:
# Verify iptables rules
iptables -t nat -L -v -n
# Check if IP forwarding is enabled
cat /proc/sys/net/ipv4/ip_forward
# Test connectivity
nc -zv 192.168.57.28 1234
# Check kernel logs for packet drops (entries appear only if a LOG rule has been added to the chain)
dmesg | grep DROP
To survive reboots, save your rules:
# For Debian-based systems
apt install iptables-persistent
iptables-save > /etc/iptables/rules.v4
# Enable IP forwarding permanently
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
For more complex scenarios with multiple ports:
# Forward multiple ports to internal web server
iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 192.168.57.25:80
iptables -t nat -A PREROUTING -p tcp --dport 1235 -j DNAT --to-destination 192.168.57.25:443
iptables -t nat -A POSTROUTING -p tcp -d 192.168.57.25 -m multiport --dports 80,443 -j MASQUERADE
Port forwarding is essential when you need to redirect network traffic from one IP:port combination to another. In Debian, this is typically handled using iptables, the traditional firewall tool (on current Debian releases the iptables command is a front end to nftables, but the rules below are written the same way). Let's examine two common scenarios:
For redirecting traffic from 192.168.57.28:1234 to 192.168.57.25:80 on the same network interface (eth3), you need these iptables rules:
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# DNAT rule for port redirection
iptables -t nat -A PREROUTING -p tcp -i eth3 --dport 1234 -j DNAT --to-destination 192.168.57.25:80
# Masquerade rule for return traffic
iptables -t nat -A POSTROUTING -p tcp -d 192.168.57.25 --dport 80 -j MASQUERADE
# Accept forwarded traffic
iptables -A FORWARD -p tcp -d 192.168.57.25 --dport 80 -j ACCEPT
When dealing with multiple interfaces (like eth3 and ppp0), especially with a dynamic IP, you need to modify the approach:
# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
# DNAT rule for ppp0 interface
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 1234 -j DNAT --to-destination 192.168.57.25:80
# Masquerade everything leaving via ppp0 (its address is dynamic, so a fixed SNAT source is not possible)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Forwarding rule for the destination
iptables -A FORWARD -i ppp0 -o eth3 -p tcp --dport 80 -d 192.168.57.25 -j ACCEPT
After applying these rules, verify them with:
iptables -t nat -L -n -v
iptables -L -n -v
Also check the connection state:
conntrack -L
To ensure rules persist after reboot:
apt install iptables-persistent
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
If forwarding isn't working:
- Verify IP forwarding is enabled:
cat /proc/sys/net/ipv4/ip_forward
- Check interface names match your system
- Ensure no other firewall rules block the traffic (a DROP policy on the FORWARD chain without a matching ACCEPT is the usual culprit)
- Test connectivity to the destination server directly
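The two troubleshooting lists above can be turned into a repeatable check. The following is an added example (not from the original page): it audits an iptables-save dump for a TCP port-forward, confirming the PREROUTING DNAT rule and, when the FORWARD chain policy is DROP, both an ACCEPT for the rewritten destination and the ESTABLISHED,RELATED rule that reply traffic needs. The function name, argument order and the sample dump are constructed for this example.

```shell
# Added example, not from the original page: audit an iptables-save dump for a
# complete TCP port-forward. It checks what the troubleshooting list above asks
# for: the PREROUTING DNAT rule and, when the FORWARD policy is DROP, an ACCEPT
# for the rewritten destination plus an ESTABLISHED,RELATED rule so the reply
# half of each connection is not dropped. Each missing piece is printed.
# audit_forward <rules-file> <public-port> <internal-ip> <internal-port>  -> 0 if complete, else 1
audit_forward() {
    local rules="$1" pub_port="$2" dst_ip="$3" dst_port="$4" status=0 ip_re
    ip_re=$(printf '%s' "$dst_ip" | sed 's/\./\\./g')   # dots must match literally
    # 1. nat table: "-A PREROUTING ... --dport 1234 -j DNAT --to-destination 192.168.57.25:80"
    if ! grep -Eq "^-A PREROUTING .*--dport ${pub_port} .*-j DNAT --to-destination ${ip_re}:${dst_port}$" "$rules"; then
        echo "missing: PREROUTING DNAT :${pub_port} -> ${dst_ip}:${dst_port}"; status=1
    fi
    # 2. filter table: only matters when the FORWARD chain policy is DROP
    if grep -Eq '^:FORWARD DROP ' "$rules"; then
        # iptables-save writes "-d 192.168.57.25/32", so allow an optional /32
        if ! grep -Eq "^-A FORWARD .*-d ${ip_re}(/32)? .*--dport ${dst_port} .*-j ACCEPT$" "$rules"; then
            echo "missing: FORWARD ACCEPT for ${dst_ip}:${dst_port} (policy is DROP)"; status=1
        fi
        # replies from the server traverse FORWARD too; without this they are dropped
        if ! grep -Eq '^-A FORWARD .*--(ctstate|state) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT$' "$rules"; then
            echo "missing: FORWARD ACCEPT for ESTABLISHED,RELATED (reply traffic)"; status=1
        fi
    fi
    return "$status"
}
# Constructed sample dump: the eth3 scenario above as iptables-save would print it
sample_rules=$(mktemp)
cat >"$sample_rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth3 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 192.168.57.25:80
-A POSTROUTING -d 192.168.57.25/32 -p tcp -m tcp --dport 80 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.57.25/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
if audit_forward "$sample_rules" 1234 192.168.57.25 80; then echo "port-forward rules complete"; fi
```

On a live gateway, point it at the output of iptables-save (e.g. a copy saved to /etc/iptables/rules.v4) and remember that ip_forward is a sysctl, not part of the dump, so check it separately.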
For complex scenarios, you might need additional rules:
# Allow ESTABLISHED,RELATED connections
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rate limiting: accept at most 100 new connections per minute (match on SYN so established flows are not throttled);
# the DROP that follows is required, otherwise the excess simply falls through to later rules
iptables -A FORWARD -p tcp --syn --dport 80 -m limit --limit 100/minute -j ACCEPT
iptables -A FORWARD -p tcp --syn --dport 80 -j DROP
Remember that iptables rules are processed in order, so sequence matters when adding multiple rules.