How to configure ufw to forward port 80/443 to internal server hosted on LAN

I am using UFW to protect my network. How do I forward TCP HTTP port # 80 and 443 to an internal server hosted at and using UFW on Ubuntu Linux server?

UFW is an acronym for uncomplicated firewall. It is used for managing a Linux firewall and aims to provide an easy to use interface for the user. In this tutorial, you will learn how to forward incoming traffic to your server running ufw on port 80/443 to port 80/443 on another internal server hosted in your LAN/VLAN or Linux containers.

Our sample setup

Let us say you want to forward requests going to {80,443} to a server listening on{80,443}:

Fig.01: How to configure ufw to redirect http traffic to another IP:port

All request for port 80 and 443 need to redirect to another internal server.


If you have a server on your internal network that you want make available externally, you can use the -j DNAT target of the PREROUTING chain in NAT to specify a destination IP address and port where incoming packets requesting a connection to your internal service can be forwarded. The syntax is:

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d {PUBLIC_IP} --dport 80 -j DNAT --to {INTERNAL_IP}:80

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d {PUBLIC_IP} --dport 443 -j DNAT --to {INTERNAL_IP}:443

Postrouting and IP Masquerading

To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for IP masquerading, which masks requests from LAN nodes with the IP address of the firewall’s external device such as eth0. The syntax is:
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s ! -d -j MASQUERADE

How to configure ufw to setup a port forward

You need to edit /etc/ufw/before.rules file, enter:
$ sudo vi /etc/ufw/before.rules
Next configure ufw to redirect http traffic to another (LAN) IP:port. At the top file, append:

# forward  port 80 to
# forward  port 443 to
-A PREROUTING -i eth0 -d   -p tcp --dport 80 -j  DNAT --to-destination
-A PREROUTING -i eth0 -d   -p tcp --dport 443 -j  DNAT --to-destination
# setup routing

Save and close the file. Edit /etc/sysctl.conf:
$ sudo vi /etc/sysctl.conf
Set/edit as follows:


Save and close the file. Reload changes:
$ sudo sysctl -p
Finally, restart the firewall to enable routing:
$ sudo systemctl restart ufw
Make sure port 80 and 443 is allowed, otherwise ufw will block the requests that are redirected to internal{80,443}:
$ sudo ufw allow proto tcp from any to port 80
$ sudo ufw allow proto tcp from any to port 443

Verify new settings:
$ sudo ufw status
$ sudo iptables -t nat -L -n -v

Finally, make sure your domain has DNS type ‘a’ set to


In this tutorial, you learned how to configure UFW to forward tcp port 80/443 to internal hosts or Linux containers hosted by the LXD.

🐧 Please support my work on Patreon or with a donation.
🐧 Get the latest tutorials on Linux, Open Source & DevOps via:
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
4 comments… add one
  • Dof Feb 5, 2017 @ 16:47

    just a little error :
    /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d {PUBLIC_IP} –dport 443 -j DNAT –to {INTERNAL_IP}:443

  • Harold Angulo Mar 16, 2017 @ 19:16

    How Can I do this using domains and subdomains instead public IP address?

    • 🐧 Vivek Gite Apr 16, 2017 @ 16:52

      You can’t. You need to use reverse proxy such as Nginx. It is much better.

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Problem posting comment? Email me @