Ports allow network and Internet-connected devices to interact with specified channels. While servers with dedicated IP addresses can connect directly to the Internet and make ports publicly available, a system behind a router on a local network may not be open to the rest of the web. To solve the problem, port forwarding can be used to make these devices publicly available.
Network services and apps running on different devices use specific port numbers to initiate connections and establish communication. Different ports can be used simultaneously, which makes it easy to separate and analyze different types of traffic or requests. Ports are generally associated with specific services, so a client can connect to a server on a particular port and assume that the server will accept a connection at that port and respond appropriately.
Some common ports are shown below.
- 21: FTP (File Transfer Protocol)
- 22: SSH (Secure Shell)
- 23: Telnet (Teletype Network)
- 25: SMTP (Simple Mail Transfer Protocol)
- 80: HTTP (Hypertext Transfer Protocol)
- 194: IRC (Internet Relay Chat)
- 443: HTTPS (HTTP Secure)
If you are looking at this guide on the internet and using a web browser, you are probably connected with HTTPS, which works via port 443.
While ports make it easy to identify and address specific requests, port numbering conventions are a convention, not a rule. A port can carry whatever service its owner chooses to host on it, as long as the client and the server use a consistent protocol on that particular port.
In browsers, a non-standard HTTP port can be specified after a colon at the end of an IP address or URL to load HTTP content over that port. If a web server is running on a local machine on port 8080 rather than the conventional port 80, it can be reached in a web browser by navigating to localhost:8080 or 127.0.0.1:8080; if either of those addresses were entered without the ":8080" suffix, the page would not load.
While an open port should allow connection attempts, in order for these attempts to be made, a client device needs network access to the device. Although this is not necessarily a problem for a server that is connected to the Internet directly or a connection over a local network, it becomes problematic when trying to access a particular port on a device that is protected by a router or firewall.
Most home or office networks are connected to the Internet through a router. A router manages the network's Internet usage and funnels all of its traffic through a single public IP address. All requests and packets pass through the router before being distributed back to the devices that made the original requests. By default, routers do not handle unsolicited incoming requests on specific ports. If you try to connect via SSH to a router, the router has no way to handle that request, nor does it know which device on the network to forward it to. This problem is solved by configuring port forwarding in the router.
Step 1: Identify your router and control panel
Routers generally provide an HTTP administration panel on port 80. In most cases this control panel can be accessed using the router's local network IP, 192.168.0.1 or 192.168.1.1. On Microsoft Windows, you can identify the address of the connected router, or "Default Gateway", by opening a command prompt window and running ipconfig /all.
C:\> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : █████████
   Primary Dns Suffix  . . . . . . . : █████████
   Node Type . . . . . . . . . . . . : █████████
   IP Routing Enabled. . . . . . . . : █████████
   WINS Proxy Enabled. . . . . . . . : █████████

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : █████████
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
   Physical Address. . . . . . . . . : █████████
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : █████████
   IPv4 Address. . . . . . . . . . . : █████████
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : █████████
   Lease Expires . . . . . . . . . . : █████████
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : █████████
On Linux, the same can be done with netstat. Open a new terminal window and run the following command to see the IP of the router you are connected to.
~$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 enp0s25
█████████       ████████████    █████████       ███     ██████       ████████████
█████████       ████████████    █████████       ███     ██████       ████████████
On macOS you can use the same command as on Linux.
~% netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.0.1        UGSc         en0
█████████          █████████          ███          ████  █████████
█████████          █████████          ███          ████  █████████
█████████          █████████          ███          ████  █████████
█████████          █████████          ███          ████  █████████
█████████          █████████          ███          ████  █████████
█████████          █████████          ███          ████  █████████
Step 2: Go to the router’s configuration panel
Once you have identified the router’s local IP address, you can access the configuration panel by opening the address in your browser, just like with any other URL. (Note: some routers, like Amplifi, actually have mobile apps that make it easier.)
When the router management page is open, log in to the router. The username and password may have been set by yourself (if you know what is good for you) or an ISP, or it may be the router’s default information. This information is generally available online in the router documentation and sometimes even physically on the side of the router.
While all routers have slightly different interfaces, look for an “Advanced” area or something that includes “Port Forwarding” when logged in. In the case below, the relevant area was given the title “Advanced Port Transfer Rules”.
You can now start configuring port forwarding settings for the router.
Step 3: Define your port forwarding rules
To show how port forwarding rules are used, we will walk through an example use case. In this scenario, a user has a Raspberry Pi connected to their home network router. The Pi has an SSH service running, so a user can log in if they have the correct username and password. The Pi's current IP address is 192.168.0.105.
- The user names the rule "RBPi SSH" to make it easier to identify for future administration. The name of the rule is purely a matter of personal preference, as it does not affect how the port is used.
- The Public port (sometimes called Source port) is set to the range 22 to 22, i.e. only the default SSH port, 22. This is the port that the router will expose to the Internet as open, and the port that a user will connect to when they want to reach the Pi.
- The Private port (sometimes called Destination port) is also set to 22, since the SSH daemon listens on port 22 on the Pi.
- The Traffic type is set to TCP, because SSH is TCP traffic.
- The IP address is set to the one for Pi on the local network, 192.168.0.105.
- Finally, the check box to the left of the rule is selected to activate the new setting.
While your router’s interface may work a little differently, the concept is the same.
Once saved, this rule means that a user can now connect via SSH to the router's public IP address from anywhere on the Internet and be forwarded to their Raspberry Pi. The same approach can be used to expose an HTTP web server on port 80 or to host a video game server on a specific port. Keep in mind that some ISPs have rules about hosting servers and other content, so be sure to check all applicable rules before choosing to host an Internet-accessible server on a local network.
Step 4: Protect from port scanning and attacks
One exposure that comes with opening ports to the Internet via port forwarding is port scanning. Internet attackers use automated bots to scan ranges of IP addresses, or use tools like Shodan, to find potentially vulnerable devices with specific ports open. SSH ports are a major target, because a compromised SSH login gives an attacker a shell from which data can be stolen and malicious code installed.
For port forwarding, it can be beneficial to change the public port or source port in the router configuration to reduce exposure to port scanning. Instead of using a standard port like 22, which scanners routinely probe, a more unusual port like 9022 serves just as well for connecting over SSH to the Raspberry Pi, without leaving the well-known port open to be found by a scan.
Once this port has been changed, the only difference in use is that a client connecting to the device via SSH from outside the network will need to specify port 9022 instead of assuming the default port, 22. Attempting to connect to port 22 from outside the local network will not work: although the SSH daemon on the Pi still listens on port 22, the router forwards public port 9022 to it, not public port 22.
You can also use a service like Fail2ban, an intrusion prevention framework designed to protect your system from brute-force attacks once an attacker has found the actual port you are using. A tool like Fail2ban limits the number of failed login attempts a source address can make before it is blocked.
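The core of what Fail2ban does for the SSH scenario above, as an added Python example that is not part of the original guide or of the Fail2ban project: parse sshd log lines, count failed logins per source address inside a time window (Fail2ban's findtime/maxretry idea), and report the addresses that should be banned. The log lines, hostnames and addresses are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log-style sshd lines (not real traffic); addresses are
# documentation ranges and the year is assumed to be 2020.
SAMPLE_LOG = """\
Mar  3 10:00:01 pi sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 pi sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:05 pi sshd[1205]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:09 pi sshd[1207]: Accepted publickey for pi from 192.168.0.20 port 40112 ssh2: ED25519 SHA256:constructed
Mar  3 10:01:00 pi sshd[1210]: Failed password for pi from 198.51.100.4 port 60001 ssh2
Mar  3 10:20:00 pi sshd[1215]: Failed password for pi from 198.51.100.4 port 60002 ssh2
Mar  3 10:40:00 pi sshd[1220]: Failed password for pi from 198.51.100.4 port 60003 ssh2
"""

# Matches only failed password attempts; successful logins never count.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts: str, year: int = 2020) -> datetime:
    # syslog timestamps carry no year, so one has to be assumed
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text: str, maxretry: int = 3,
              findtime: timedelta = timedelta(minutes=10)) -> dict:
    """Return {ip: time_of_ban} for every source address that reached
    maxretry failed logins within a sliding window of length findtime."""
    attempts = defaultdict(list)   # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in bans:
            continue
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        # drop failures older than the window, then add this one
        window = [t for t in attempts[ip] if when - t <= findtime]
        window.append(when)
        attempts[ip] = window
        if len(window) >= maxretry:
            bans[ip] = when
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults, 203.0.113.7 is banned after its third failure at 10:00:05, while 198.51.100.4 stays under the threshold because its three failures are spread over 40 minutes; widening findtime to an hour catches it too.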
System-level port forwarding on Linux
While router-based port forwarding is useful for exposing devices on a network to the Internet, port forwarding can also be set up at the system level on Linux.
Just as a router port can be mapped to a specific port on a device in the network, one port on a system can also be mapped to another port on the same system. For example, when you install the Cowrie honeypot, the real SSH daemon is moved from port 22 to port 9022, and then traffic arriving on port 22, the port that is scanned and attacked from the Internet, is redirected to port 2222, where the honeypot listens.
To start configuring local port forwarding on Linux, you may first need to enable IP forwarding in the kernel. To do this, run the command below as root to set ip_forward to 1 (true).
~# echo "1" > /proc/sys/net/ipv4/ip_forward
With IP forwarding enabled, make sure you know the current port of the service you intend to forward. During the configuration of the Cowrie honeypot, this is done by changing the SSH daemon configuration to move the real service to port 9022.
File: /etc/ssh/sshd_config

# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 9022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Finally, to put the local port forwarding in place, iptables can be used. The command below redirects incoming requests on port 22 to port 2222, where the honeypot handles them.
~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
Other uses for port forwarding
Port forwarding has other applications too, such as forwarding port 8080 to port 80 to make a test server easier to reach, or adding extra ports for a particular service. Port forwarding is a valuable technique for remote access, server administration and network configuration, and also shows up in post-exploitation and pivoting. Understanding it can be the key to countless other security projects!
I hope you enjoyed this guide on forwarding! If you have any questions about this tutorial or forwarding in general, feel free to leave a comment or contact me on Twitter @tahkion.