
I'm currently using ufw to enforce some basic firewall rules. Is it possible to also use ufw to do port forwarding?

Specifically, I'm wanting to forward incoming traffic to my server (same machine running ufw) on port 80 to port 8080. (http traffic forwarded to tomcat)

Th

ooshro
tinny

2 Answers


Let's say you want to forward requests going to 80 to a server listening on port 8080.

Note that you will need to make sure port 8080 is allowed, otherwise ufw will block the requests that are redirected to 8080.

sudo ufw allow 8080/tcp

There are no ufw commands for setting up the port forwards, so it must be done via configuration files. Add the lines below to /etc/ufw/before.rules, before the filter section, right at the top of the file:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
COMMIT

Then restart and enable ufw to start on boot:

sudo ufw enable
mikemaccana
ooshro
    could you explain this line by line please? also, is there not something like `ufw forward 80 to 8080`? I thought UFW was Uncomplicated. – Tom Mar 11 '12 at 11:58
  • 4
    Looks like there are no ufw commands for setting up the port fowards, so it must be done via configuraton files. More detailed description about the configuration file syntax is available at: http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#CONFIGOPTIONS – Juha Palomäki Jul 24 '12 at 09:01
  • That doesn't work for me, I receive the following message in `/var/log/syslog` after turning logging on: `[52627.259812] [UFW BLOCK] IN=eth0 OUT= MAC=xxx SRC=xxx DST=xxx LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=59278 DF PROTO=TCP SPT=53997 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0`. It may be useful to know that before everything, I denied all incoming requests using `ufw deny incoming` and allowed only `ssh,80,443`. Could someone please advise what is the problem? – Yuriy Nakonechnyy Jul 31 '14 at 08:05
  • 1
    @Yura I had the same problem (8080 was blocked when I looked at syslog). Running `sudo ufw allow 8080/tcp` fixed the problem for me. – Tim Swast Jan 29 '16 at 03:19
  • @TimSwast I somehow solved or overcame this issue at that time, but anyway thanks a lot for your help :) – Yuriy Nakonechnyy Jan 29 '16 at 16:24
  • nice and straightforward answer. Much easier than setting it up directly on iptables! kudos – R.D. Nov 21 '16 at 05:57
  • does not seem to work for me either. Added, restarted ufw and even restarted the machine. I am on ubuntu 16 – Neeraj May 20 '17 at 17:14
  • This did work for me with Ubuntu 16.04..! – Steve Seeger Jun 18 '19 at 20:46

Since ufw 0.34, ufw supports forward rules.

example: sudo ufw route allow in on eth0 out on eth1 to 10.0.0.0/8 port 8080 from 192.168.0.0/16 port 80

You also need to make sure you have the sysctl net.ipv4.ip_forward enabled. For most distributions, that's done by editing /etc/sysctl.conf and running sysctl -p or rebooting.

ufw doesn't support NAT through its easy interface, though.

Bryan Larsen
    It is `net.ipv4.ip_forward` you need to enable, not `net.ipv4.forward`. – Roland Pihlakas Dec 09 '20 at 20:36
  • It seems like this gives permission for packets sent from a certain network+port and to another network+port. That's not "port forwarding" as requested. OP needs the destination port of the packet to be re-written, from 80 to 8080. See also: https://serverfault.com/a/752644/133475 – sourcejedi Jan 03 '22 at 15:29
  • Yes, it's port forwarding. re-writing the packet is called Network Address Translation (NAT). As I said in my comment before you unfairly downvoted, ufw doesn't support NAT. NAT is required for most, but not all, use cases for port forwarding. – Bryan Larsen Jan 05 '22 at 15:32