1 month ago

How to Configure Port Forwarding to Create Internet-Connected Services « Null Byte :: WonderHowTo

Ports allow network in addition to internet-connected devices to interact using specified channels. While servers with dedicated IP addresses can connect directly to the internet in addition to make ports publicly available, a system behind a router on a local network may not be open to the rest of the web. To overcome This specific, port forwarding can be used to make these devices publicly accessible.

Networked services in addition to apps running on various devices make use of ports at specific numbers as a means to initiate connections in addition to establish communications. Different ports can be used simultaneously to easily separate in addition to parse different types of traffic or requests. Ports are generally associated with specific services, such of which a client can connect to a server on a specific port in addition to assume of which the server will accept a connection at of which port in addition to respond appropriately.

Some commonly used ports are shown below.

  • 21: FTP (File Transfer Protocol)
  • 22: SSH (Secure Shell)
  • 23: Telnet (Teletype Network)
  • 25: SMTP (Simple Mail Transfer Protocol)
  • 80 : HTTP (Hypertext Transfer Protocol)
  • 194: IRC (Internet Relay Chat)
  • 443: HTTPS (HTTP Secure)

If you are viewing This specific guide on the internet in addition to using a web browser, you’re probably connected using HTTPS, which operates over port 443.

While ports make of which simple to identify in addition to address specific requests, port-numbering conventions are a standard, not a rule. Ports can be used for whatever a person may choose to host on them, so long as the connection between the client in addition to server on a given port uses a consistent protocol.

In web browsers, non-standard HTTP ports can be specified following a colon at the end of an IP address or URL in order to attempt to load HTTP content over of which port. If a web server can be running on a local machine on port 8080 rather than the conventional port 80, of which could be possible to access This specific in a web browser by navigating to localhost:8080 or, although if either of the two aforementioned addresses were entered without the “:8080” suffix, the same page could not load.

While any open port should allow connection attempts, in order for these attempts to be made, a client device needs network access to the device. While This specific isn’t necessarily an issue for a server connected to the internet directly or a connection across a local area network, of which becomes problematic when one attempts to access a specific port on a device which can be protected by a router or firewall.

Don’t Miss: Use SSH Local Port Forwarding to Pivot into Restricted Networks

Most home or office networks are connected to the internet through a router. A router can be able to manage internet usage for a network in addition to centralize the traffic at one IP address. All requests in addition to packets are sent through the router before being distributed back to the respective devices which made the original requests. By default, routers do not handle incoming requests on specific ports. If one attempts to connect over SSH to a router, the router has no way to handle of which request, nor does of which know who on the network to forward the requests to. This specific problem can be solved by configuring port forwarding within the router.

Step 1: Identifying Your Router & Control Panel

Routers generally provide an HTTP administration panel on port 80. This specific control center can be accessed by using the local network IP of the router, or, in most cases. On Microsoft Windows, one can identify the location of the connected router or “Default Gateway” by opening a Command Prompt window in addition to running the command below.


On Linux in addition to macOS, the same can be accomplished using netstat. Open a completely new terminal window in addition to run the following command to see the IP of the router you’re connected to.

netstat -rn

Step 2: Accessing the Router Configuration Panel

Once you’ve identified the local IP address of your router, you can access the configuration panel by opening the address in your web browser, just as you could any additional URL. (Note: some routers, such as Amplifi, actually have mobile apps of which make This specific easier.)

Once the router management page can be open, log in to the router. The username in addition to password may have been set by yourself (if you know what’s Great for you), an internet service provider, or be the router supplier received a’s default credentials. This specific information can generally found online inside router’s documentation, in addition to sometimes even physically on the side of the router.

While all routers will have slightly different interfaces, once logged in, look for an “Advanced” area, or something which includes “Port Forwarding.” inside case below, the relevant area was titled “Advanced Port Forwarding Rules.”

Once This specific page can be discovered, one can begin configuring port forwarding settings for the router.

Step 3: Defining Port Forwarding Rules

To demonstrate usage of port forwarding rules, we’ll use a sample use case. In This specific scenario, a user incorporates a Raspberry Pi connected to their home network router. The Pi has an SSH service running, allowing a user to log in if they contain the correct username in addition to password. The current IP address of the Pi can be

  • The user names the rule “RBPi SSH” to make of which easier to identify for future administration. The name of the rule does not matter beyond personal preference, as of which does not affect how the port can be used.
  • The Public Port (sometimes called Source Port) range can be set to 22 through 22, or the standard SSH port 22. This specific can be the port which the router will reveal to the internet as being open, in addition to the port which a user will connect to if they wish to connect to the Pi.
  • The Private Port (sometimes Destination Port) can be set to 22 as well, as the SSH daemon can be running on port 22 on the Pi.
  • The Traffic Type can be set to TCP, as SSH can be TCP traffic.
  • The IP Address can be set to of which of the Pi on the local network,
  • Finally, the checkbox at the left of the rule can be checked in order to enable the completely new setting.

While your router’s interface may work slightly different, the concept can be the same.

This specific rule, when saved, means of which at This specific point a user can connect to SSH to the IP address of the router by anywhere on the internet in addition to be forwarded to their Raspberry Pi server. This specific could also be used to create an HTTP web server on port 80 or perhaps facilitate a video game server on a specific port. Keep in mind of which some ISPs have defined rules regarding hosting servers in addition to additional content, in addition to be sure to check any applicable rules before choosing to host an internet-accessible server on a local network.

One vulnerability of which arises when exposing ports to the internet through port forwarding can be port scanning. Attackers on the internet use automated drones to scan sets of IP addresses or use tools like Shodan to find potentially vulnerable devices with certain ports active. SSH ports are a prime target, as they represent a shell environment where data could be stolen in addition to malware could potentially be installed.

Don’t Miss: How to Use the Shodan API with Python to Automate Scans for Vulnerable Devices

inside case of port forwarding, to protect against port scanning, of which may be advantageous to change the public or source port inside router configuration. Rather than using a common port like 22 which can be frequently scanned for, a more uncommon port such as 9022 can serve just as well to connect over SSH to the Raspberry Pi without leaving a low-numbered port available to be discovered through scanning.

With This specific port changed, the only difference in usage can be of which a client connecting to the devices over SSH by outside the network will need to specify port 9022 rather than assuming the default port, 22, can be in use. Attempting to connect to port 22 will not work outside of the local network, as while the SSH daemon on the Pi can be running on of which port, of which can be being forwarded over port 9022, not port 22.

While router-based port forwarding can be useful for internet-facing network configuration, port forwarding can also be established at the system level when using Linux.

Step 4: System Level Port Forwarding on Linux

Much inside same way of which a router port can be linked to a specific port on a device within a network, one port can also be linked to another to facilitate easier use. For instance, when installing the Cowrie honeypot, the SSH daemon can be moved by port 22 to port 9022, in addition to then port 2222 where the honeypot can be running can be forwarded to port 22 where of which will be scanned in addition to attacked on the internet.

To begin configuring local port forwarding on Linux, one may first need to enable of which within Linux itself. To do This specific, run the command below to set the value of ip_forward to 1 or true.

echo “1” > /proc/sys/net/ipv4/ip_forward

Once IP forwarding can be enabled, ensure of which you know the current port of the service you intend to forward. During the configuration of the Cowrie honeypot, This specific can be done by changing the SSH daemon configuration to move the service to port 9022.

Finally, to enable local port forwarding, iptables can be used. The command below redirects requests on port 22 to port 2222, where they are handled by the honeypot.

iptables -t nat -A PREROUTING -p tcp –dport 22 -j REDIRECT –to-port 2222

additional Uses for Port Forwarding

Port forwarding can be applied to additional implementations, such as forwarding port 8080 to port 80 to make a test server more easily accessible or to simply add additional ports to use for a certain service. Port forwarding can be a very valuable technique for remote access, server administration, network configuration, in addition to even for post-exploitation in addition to pivoting. Understanding of which can be the key to countless additional security projects!

I desire of which you enjoyed This specific tutorial on the port forwarding! If you have any questions about This specific tutorial or port forwarding in general, feel free to leave a comment or reach me on Twitter @tahkion.

Don’t Miss: How to Send & Receive iMessages on Your Android Phone

Cover image in addition to screenshots by TAKHION/Null Byte

Leave a Comment

Your email address will not be published. Required fields are marked *

12 − five =