
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 275

port forwarding

As I understand it, port forwarding is the packaging of packets into an HTTP or HTTPS stream, changing the and, once through the firewall, mapping the packet to the appropriate port.

Is this correct?

And more importantly, why would you use port forwarding?

Many Thanks
Anthony Lucia
3 Solutions
Dan Craciun, IT Consultant, commented:
Most common use: to make an application that runs in an internal server available from the outside (Internet).

For this you either connect that server directly to the outside, or you use the router to port forward traffic from a specific port to that server's internal IP.

Bonus: you can have many internal servers available on the same external IP, as long as the external ports are different.

Giovanni Heward commented:
Port forwarding or port mapping is a name given to the combined technique of

1. translating the address or port number of a packet to a new destination

2. possibly accepting such packet(s) in a packet filter (firewall)

3. forwarding the packet according to the routing table.

The destination may be a predetermined network port (assuming protocols like TCP and UDP, though the process is not limited to these) on a host within a NAT-masqueraded, typically private network, based on the port number on which it was received at the gateway from the originating host.

The technique is used to permit communications by external hosts with services provided within a private local area network.
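The two answers above describe the same mapping a router's DNAT rule expresses: an external port on one address is translated to an internal (host, port) pair, and several internal servers can share one external IP as long as their external ports differ. The following is an added example, not code from the original thread, that implements that mapping as a user-space TCP relay so it can be run on one machine without router access. The `PORT_MAP` entries and the echo backend are constructed placeholders. One thing it makes visible: because a user-space relay opens its own socket to the internal server, the backend sees the relay's source port rather than the client's, which is the source-rewriting point discussed later in the thread.

```python
"""User-space TCP port forwarder (added example): maps external listening ports
to internal (host, port) targets, the same mapping a router's DNAT rule expresses."""
import socket
import threading

# Constructed example map: two internal services behind one external address,
# distinguished only by the external port. Hosts/ports are placeholders.
PORT_MAP = {
    8080: ("10.0.0.10", 80),   # web server
    8022: ("10.0.0.11", 22),   # ssh on a different internal host
}


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, target):
    """Open a fresh connection to the internal target and relay both directions.
    The backend therefore sees the relay as the peer, not the original client."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    t = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    t.start()
    pump(client, upstream)
    t.join()
    client.close()
    upstream.close()


def start_forwarder(target, bind_addr="0.0.0.0", external_port=0):
    """Listen on external_port (0 = ephemeral) and forward every connection to
    target. Returns (listening socket, bound port)."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((bind_addr, external_port))
    lsock.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:      # listening socket closed
                return
            threading.Thread(target=handle, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock, lsock.getsockname()[1]


def start_all(port_map=PORT_MAP, bind_addr="0.0.0.0"):
    """One listener per external port: many internal servers, one external IP."""
    return {ext: start_forwarder(tgt, bind_addr, ext) for ext, tgt in port_map.items()}


def start_echo_backend():
    """Constructed stand-in for an internal server: echoes bytes back and
    records the peer address it observed."""
    seen = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return
            seen.append(peer)
            with conn:
                while True:
                    data = conn.recv(65536)
                    if not data:
                        break
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], seen


def demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Round trip through the forwarder to a local echo backend; returns what
    the client got back and what the backend saw as its peer."""
    backend, backend_port, seen = start_echo_backend()
    fwd, ext_port = start_forwarder(("127.0.0.1", backend_port), "127.0.0.1")
    with socket.create_connection(("127.0.0.1", ext_port), timeout=5) as c:
        client_port = c.getsockname()[1]
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            d = c.recv(65536)
            if not d:
                break
            chunks.append(d)
    fwd.close()
    backend.close()
    return {"echoed": b"".join(chunks), "client_port": client_port, "backend_saw": seen[0]}


if __name__ == "__main__":
    print(demo())
```

`start_all()` is what a deployment would call; `demo()` exercises a single mapping end to end and returns the backend's view of the connection so the source-port rewrite can be checked rather than just described.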
Dan Craciun, IT Consultant, commented:
@Giovanni Heward: please credit the source. Thank you.

Dave Howe commented:
Port forwarding is in essence any solution which causes packets sent to one port on one IP to arrive on a (potentially different) port on another IP.

Distinctions should be made based on to what extent the packets are re-written during this process; the most basic form is called either NAT or PAT depending on vendor and work done (the terms expand to Network Address Translation and Port Address Translation, respectively; the latter implies that the target port is also rewritten). In this form, the packet arrives at its final (internal) destination with its source IP and port intact, and replies must therefore be routed back through the translating service in order that they be again rewritten to appear to come back from the original IP/port they were sent to. Some solutions can perform load balancing, allowing a single external IP to be used to connect to several internal hosts in order to increase the throughput for the solution.

Another common form is called reverse proxy, virtual server, or several other terms (again, vendors seem to like making up new terms for this).  This differs from NAT/PAT in that the source address is also rewritten, so that it appears to come from the internal address of the device hosting the original target IP; this simplifies routing (in that the default route to the internet need not be via the reverse proxy) but hides source data from the internal host (which can cause difficulties in logging) - to offset this, often the proxy can perform tasks "offloaded" from the internal host, such as stripping away SSL (taking on the processor load for that), performing active caching, handling session cookies and so forth.  In cases of simple rewrite, this can also be called "Double NAT" or "Double PAT" indicating the rewriting of both target and source addresses.

As an edge case, a device can act as a socket proxy - this implies active participation by the internal host in selecting and opening the external IP/port, which then forwards the packets over its own proxy protocol back to the requesting application (SOCKS is an example of such a socket proxy protocol).

Finally, we have solutions such as VPNs, Tor and similar proxy networks, ssh tunnels, SSL tunnels and so forth. With these solutions, a port or virtual network card on the local machine is set to listen for connections by the local client, and the packets are encapsulated in another protocol and sent over that protocol to an external host, where they are then forwarded to a destination. This can be combined with NAT/PAT, socket proxies, forward or reverse proxies and so forth, in order that the traffic from the remote node behaves as expected (for example, an ssh forward tunnel link will emerge with a random source port and the external IP of the ssh server, to a predetermined external target IP and port. A reverse tunnel will open a specified port on the remote server to listen for traffic, and forward that - via the tunnel - to the local client, where it will then be routed - from the IP of the client, plus a random port - to a predetermined target).

As for the Why, you would use port forwarding in any situation where you want to get a connection from a host, unable to connect directly to a target IP/Port, to that target IP/Port, by explicitly connecting to a different IP/Port, which then arranges for that connection to be forwarded as needed.
arnold commented:
While the end result is similar, port forwarding and reverse proxy are distinct.
Port forwarding is accomplished on the transport layer while reverse proxy is accomplished on the application layer (the proxy server handles the request from the remote side and passes the request to the internal resources. Then, upon receiving a response, it forwards it back to the requester).

Port forwarding is a packet redirect
Reverse proxy is a request redirect.
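Dave Howe's reverse-proxy paragraph and arnold's "request redirect" comment both describe the same thing: the proxy terminates the client's request, issues its own request to the internal host, and relays the response, so the internal host sees the proxy's address as the peer. The standard way to offset the logging problem that causes is the X-Forwarded-For header. The following is an added example, not code from the thread, of a minimal HTTP reverse proxy built on the standard library that rewrites Host, appends X-Forwarded-For, strips hop-by-hop headers, and relays the backend's response. The backend handler is a constructed stand-in that reports what it received; the hostname `public.example.test` is a placeholder.

```python
"""Application-layer reverse proxy (added example): terminates the client's HTTP
request, re-issues it to the backend with X-Forwarded-For, relays the response."""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hop-by-hop headers are meaningful only for one connection and must not be
# copied from the client's connection onto the proxy-to-backend one.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


def make_proxy_handler(backend_host, backend_port):
    """Build a handler class bound to one backend (host, port)."""

    class ReverseProxy(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"

        def _forward(self):
            length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(length) if length else None
            # Copy end-to-end headers; Host is rewritten to the backend's.
            headers = {k: v for k, v in self.headers.items()
                       if k.lower() not in HOP_BY_HOP and k.lower() != "host"}
            headers["Host"] = f"{backend_host}:{backend_port}"
            # Preserve the original client address for the backend's logs.
            client_ip = self.client_address[0]
            prior = self.headers.get("X-Forwarded-For")
            headers["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
            headers["Connection"] = "close"

            conn = http.client.HTTPConnection(backend_host, backend_port, timeout=5)
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
            conn.close()

            self.send_response(resp.status, resp.reason)
            for k, v in resp.getheaders():
                if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.send_header("Connection", "close")
            self.end_headers()
            self.wfile.write(data)

        do_GET = do_POST = do_PUT = do_DELETE = _forward

        def log_message(self, *args):  # keep the demo quiet
            pass

    return ReverseProxy


class EchoBackend(BaseHTTPRequestHandler):
    """Constructed stand-in for the internal server: reports what it saw."""

    def do_GET(self):
        payload = json.dumps({
            "path": self.path,
            "host": self.headers.get("Host"),
            "peer": self.client_address[0],          # the proxy, not the client
            "x_forwarded_for": self.headers.get("X-Forwarded-For"),
        }).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass


def serve(handler):
    """Start an HTTPServer on an ephemeral loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Client -> proxy -> backend; returns the backend's view of the request."""
    backend = serve(EchoBackend)
    proxy = serve(make_proxy_handler("127.0.0.1", backend.server_address[1]))
    conn = http.client.HTTPConnection("127.0.0.1", proxy.server_address[1], timeout=5)
    conn.request("GET", "/app/status", headers={"Host": "public.example.test"})
    resp = conn.getresponse()
    status, body = resp.status, json.loads(resp.read())
    conn.close()
    proxy.shutdown()
    backend.shutdown()
    return status, body


if __name__ == "__main__":
    print(demo())
```

Compare the backend's `peer` field with `x_forwarded_for`: the transport-level peer is the proxy, and only the header the proxy chose to add identifies the real client, which is why a backend should trust X-Forwarded-For only when the request provably came from its own proxy.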
Dave Howe commented:
@arnold: Yup.
However, this is in the context that this is a follow-up question so I am trying to cover a fair few bases to save further follow-up questions :)

There are actually a number of key technologies that are interwoven with the information the querent is looking for - tunnelling, VPN, packet/traffic encapsulation, forward and reverse proxy, policy evasion, possibly even UPnP and NAT-PMP - so including information on reverse proxy (as distinct from packet forwarding) saves a little time :)
