How to configure ufw to forward port 80/443 to internal server hosted on LAN

I am using UFW to protect my network. How do I forward TCP HTTP port # 80 and 443 to an internal server hosted at 192.168.1.100:80 and 192.168.1.100:443 using UFW on Ubuntu Linux server?

UFW is an acronym for uncomplicated firewall. It is used for managing a Linux firewall and aims to provide an easy to use interface for the user. In this tutorial, you will learn how to forward incoming traffic to your server running ufw on port 80/443 to port 80/443 on another internal server hosted in your LAN/VLAN or Linux containers.

ADVERTISEMENTS

Our sample setup

Let us say you want to forward requests going to {80,443} to a server listening on 192.168.1.100:{80,443}:

Fig.01: How to configure ufw to redirect http traffic to another IP:port

Fig.01: How to configure ufw to redirect http traffic to another IP:port

All request for 202.54.1.1 port 80 and 443 need to redirect to another internal server.

DNAT

If you have a server on your internal network that you want make available externally, you can use the -j DNAT target of the PREROUTING chain in NAT to specify a destination IP address and port where incoming packets requesting a connection to your internal service can be forwarded. The syntax is:

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d {PUBLIC_IP} --dport 80 -j DNAT --to {INTERNAL_IP}:80

OR
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d {PUBLIC_IP} --dport 443 -j DNAT --to {INTERNAL_IP}:443

Postrouting and IP Masquerading

To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for IP masquerading, which masks requests from LAN nodes with the IP address of the firewall’s external device such as eth0. The syntax is:
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
OR
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE

How to configure ufw to setup a port forward

You need to edit /etc/ufw/before.rules file, enter:
$ sudo vi /etc/ufw/before.rules
Next configure ufw to redirect http traffic to another (LAN) IP:port. At the top file, append:

*nat
:PREROUTING ACCEPT [0:0]
# forward 202.54.1.1  port 80 to 192.168.1.100:80
# forward 202.54.1.1  port 443 to 192.168.1.100:443
-A PREROUTING -i eth0 -d 202.54.1.1   -p tcp --dport 80 -j  DNAT --to-destination 192.168.1.100:80
-A PREROUTING -i eth0 -d 202.54.1.1   -p tcp --dport 443 -j  DNAT --to-destination 192.168.1.100:443
# setup routing
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
COMMIT

Save and close the file. Edit /etc/sysctl.conf:
$ sudo vi /etc/sysctl.conf
Set/edit as follows:

net.ipv4.ip_forward=1

Save and close the file. Reload changes:
$ sudo sysctl -p
Finally, restart the firewall to enable routing:
$ sudo systemctl restart ufw
Make sure port 80 and 443 is allowed, otherwise ufw will block the requests that are redirected to internal 192.168.1.100:{80,443}:
$ sudo ufw allow proto tcp from any to 202.54.1.1 port 80
$ sudo ufw allow proto tcp from any to 202.54.1.1 port 443

Verify new settings:
$ sudo ufw status
$ sudo iptables -t nat -L -n -v

Finally, make sure your domain has DNS type ‘a’ set to 202.54.1.1.

Conclusion

In this tutorial, you learned how to configure UFW to forward tcp port 80/443 to internal hosts or Linux containers hosted by the LXD.

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
4 comments… add one
  • Dof Feb 5, 2017 @ 16:47

    just a little error :
    /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d {PUBLIC_IP} –dport 443 -j DNAT –to {INTERNAL_IP}:443

  • Harold Angulo Mar 16, 2017 @ 19:16

    How Can I do this using domains and subdomains instead public IP address?

    • 🐧 Vivek Gite Apr 16, 2017 @ 16:52

      You can’t. You need to use reverse proxy such as Nginx. It is much better.

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.