I am using UFW to protect my network. How do I forward TCP ports 80 and 443 to an internal server using UFW on an Ubuntu Linux server?

UFW is an acronym for Uncomplicated Firewall. It manages the Linux netfilter firewall and aims to provide an easy-to-use interface. In this tutorial, you will learn how to forward incoming traffic that reaches your ufw-protected server on ports 80/443 to ports 80/443 on another server hosted in your LAN/VLAN or in Linux containers.

Our sample setup

Let us say you want to forward requests that reach the firewall's public address on ports 80 and 443 to an internal server listening on ports 80 and 443:

Fig.01: How to configure ufw to redirect http traffic to another IP:port

All requests for ports 80 and 443 must be redirected to the internal server.


If you have a server on your internal network that you want to make available externally, you can use the DNAT target in the PREROUTING chain of the nat table to rewrite the destination of incoming packets to the internal server's IP address and port. DNAT only rewrites the address: after the routing decision the packet still passes through the FORWARD chain, which must accept it, and the kernel must have IP forwarding enabled. Rules added with the iptables command directly are not saved across reboots and live outside the rule sets ufw manages; the ufw-native way is shown further down. With plain iptables the syntax is:

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d {PUBLIC_IP} --dport 80 -j DNAT --to {INTERNAL_IP}:80

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d {PUBLIC_IP} --dport 443 -j DNAT --to {INTERNAL_IP}:443

Postrouting and IP Masquerading

To let LAN nodes with private IP addresses reach public networks, configure the firewall for IP masquerading, which rewrites the source address of packets leaving the external interface (eth0 here) to the firewall's own address. Masquerading serves the LAN's outbound traffic; it is not what makes the port forward work. Replies to DNATed connections are translated back by connection tracking, provided the internal server routes them through this firewall (its default gateway must be the firewall). The syntax is either the catch-all form or the form restricted to a LAN source range, excluding LAN-to-LAN traffic:
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s ! -d -j MASQUERADE

How to configure ufw to setup a port forward

Edit the /etc/ufw/before.rules file:
$ sudo vi /etc/ufw/before.rules
Next configure ufw to redirect http traffic to another (LAN) IP:port. Add a nat section near the top of the file, above the existing *filter section. The nat table is a separate section for iptables-restore, so it needs its own chain declarations and its own COMMIT line. Use the public IP of the eth0 interface and the internal server's IP in place of the placeholders:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# forward port 80 on {PUBLIC_IP} to {INTERNAL_IP}
# forward port 443 on {PUBLIC_IP} to {INTERNAL_IP}
-A PREROUTING -i eth0 -d {PUBLIC_IP} -p tcp --dport 80 -j DNAT --to-destination {INTERNAL_IP}:80
-A PREROUTING -i eth0 -d {PUBLIC_IP} -p tcp --dport 443 -j DNAT --to-destination {INTERNAL_IP}:443
# setup routing
COMMIT

Save and close the file. Edit /etc/sysctl.conf:
$ sudo vi /etc/sysctl.conf
Enable IPv4 forwarding by uncommenting or adding the net.ipv4.ip_forward=1 line. Note that ufw applies its own copy, /etc/ufw/sysctl.conf, when it starts, and a setting there takes precedence, so enable net/ipv4/ip_forward=1 in that file as well.

Save and close the file. Reload changes:
$ sudo sysctl -p
Finally, restart the firewall to enable routing:
$ sudo systemctl restart ufw
Make sure the forwarded traffic is allowed through the FORWARD chain, otherwise ufw will drop the requests that are redirected to the internal server on ports 80 and 443. Forwarded packets are evaluated by FORWARD, not INPUT, and ufw's DEFAULT_FORWARD_POLICY is DROP, so a plain "ufw allow ... port 80" rule does not match them. Use ufw's route rules (ufw 0.34 and later), which admit only traffic to the internal server on these two ports:
$ sudo ufw route allow proto tcp from any to {INTERNAL_IP} port 80
$ sudo ufw route allow proto tcp from any to {INTERNAL_IP} port 443
The older alternative, setting DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw, forwards everything between interfaces and is much less restrictive.

Verify the new settings. The packet counters on the two DNAT rules should increase when you connect to the public IP on port 80 or 443 from outside the LAN:
$ sudo ufw status
$ sudo iptables -t nat -L PREROUTING -n -v

Finally, make sure your domain's DNS A record points to the firewall's public IP address (the address the DNAT rule matches), not to the internal server's address.
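The iptables commands in the DNAT and masquerading sections above and the before.rules procedure that follows them are two spellings of the same nat rules. The POSIX shell helper below is an added example written for this page (it is not the article's own script and not part of ufw): it renders the nat section with validated addresses, inserts it above the *filter section of a before.rules file without duplicating it on a second run, and, when invoked as root with "apply", enables forwarding in ufw's own sysctl file and admits the forwarded flows through the FORWARD chain with ufw route allow. The addresses 203.0.113.10 (public), 192.168.1.20 (internal), the LAN range 192.168.1.0/24 and the interface name eth0 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for this page, not the article's own script or part of ufw.
# Renders the *nat section /etc/ufw/before.rules needs for a port forward,
# inserts it above the *filter section, and (optionally, as root) turns on
# forwarding and admits the forwarded flows through ufw's FORWARD chain.
# All addresses and the interface name are caller-supplied assumptions.
set -eu

# Accept only a dotted-quad IPv4 address / an IPv4 CIDR / a plain interface
# name, so nothing unexpected is interpolated into firewall rules.
is_ipv4()  { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
is_cidr4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; }
is_iface() { printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.-]{1,15}$'; }

# render_nat_block PUBLIC_IP INTERNAL_IP IFACE LAN_CIDR
# Prints an iptables-restore nat section: DNAT 80/443 arriving on IFACE for
# PUBLIC_IP to INTERNAL_IP, plus masquerading of the LAN's own outbound
# traffic. Replies to the DNATed flows are un-NATed by conntrack, so the
# internal host must route them back through this firewall.
render_nat_block() {
    pub="$1"; int="$2"; iface="$3"; lan="$4"
    is_ipv4 "$pub" && is_ipv4 "$int" && is_iface "$iface" && is_cidr4 "$lan" \
        || { echo "render_nat_block: bad argument" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# forward port 80 and 443 on $pub to $int
-A PREROUTING -i $iface -d $pub -p tcp --dport 80 -j DNAT --to-destination $int:80
-A PREROUTING -i $iface -d $pub -p tcp --dport 443 -j DNAT --to-destination $int:443
# masquerade LAN hosts' outbound traffic leaving on $iface (not LAN-to-LAN)
-A POSTROUTING -s $lan ! -d $lan -o $iface -j MASQUERADE
COMMIT
EOF
}

# insert_nat_block FILE PUBLIC_IP INTERNAL_IP IFACE LAN_CIDR
# Puts the nat section right above the first "*filter" line. Refuses to run
# twice (a second *nat section would duplicate the rules) and rewrites the
# file in place so its ownership and mode (root:root 0640) are preserved.
insert_nat_block() {
    file="$1"; shift
    if grep -q '^\*nat' "$file"; then
        echo "$file already contains a *nat section; leaving it alone" >&2
        return 2
    fi
    grep -q '^\*filter' "$file" \
        || { echo "$file has no *filter section; is this before.rules?" >&2; return 1; }
    block=$(render_nat_block "$@")
    tmp=$(mktemp)
    awk -v blk="$block" '/^\*filter/ && !done { print blk; done = 1 } { print }' \
        "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# apply_forward INTERNAL_IP   (run as root on the ufw host)
apply_forward() {
    int="$1"
    is_ipv4 "$int" || { echo "apply_forward: bad address" >&2; return 1; }
    # ufw applies /etc/ufw/sysctl.conf itself when it starts, so enable
    # forwarding there rather than relying on /etc/sysctl.conf alone.
    sed -i 's|^#*net/ipv4/ip_forward=.*|net/ipv4/ip_forward=1|' /etc/ufw/sysctl.conf
    # DNATed packets are routed and then hit the FORWARD chain, not INPUT, so
    # a plain "ufw allow ... port 80" never matches them. "ufw route allow"
    # (ufw 0.34+) adds the rule to ufw-user-forward and keeps
    # DEFAULT_FORWARD_POLICY=DROP for everything else.
    ufw route allow proto tcp from any to "$int" port 80
    ufw route allow proto tcp from any to "$int" port 443
    ufw reload
    iptables -t nat -L PREROUTING -n -v
}

case "${1:-}" in
    render) shift; render_nat_block "$@" ;;
    insert) shift; insert_nat_block "$@" ;;
    apply)  shift; apply_forward "$@" ;;
esac
```

Usage on the firewall: "sudo sh forward.sh insert /etc/ufw/before.rules 203.0.113.10 192.168.1.20 eth0 192.168.1.0/24" followed by "sudo sh forward.sh apply 192.168.1.20". If the internal server's default gateway is not this firewall, its replies bypass the NAT and the connection hangs; in that case add a POSTROUTING rule that masquerades the forwarded flows themselves (destination 192.168.1.20, ports 80 and 443), accepting that the web server then logs the firewall's address instead of the client's. A reverse proxy on the firewall avoids both problems and is the better choice when several sites must share the same public address.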


In this tutorial, you learned how to configure UFW to forward TCP ports 80/443 to internal hosts or to Linux containers hosted by LXD.

8 comments
  • Dof Feb 5, 2017 @ 16:47

    Just a little error:
    /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d {PUBLIC_IP} --dport 443 -j DNAT --to {INTERNAL_IP}:443

    • 🐧 Vivek Gite Feb 5, 2017 @ 19:26

      Thanks for the heads up!

    • Dave Feb 8, 2021 @ 5:44

      Hi Vivek / Dof
      I tried this line and made sure it is correctly typed but I get the following message.
      multiple -d flags not allowed
      Any suggestions?
      Thank you for the great information in the article :-)

      • 🐧 Vivek Gite Feb 8, 2021 @ 9:18

        No, the correct syntax is:

        -d ip1,ip2
        -d ip/subnet,ip2,cidr4 
  • Harold Angulo Mar 16, 2017 @ 19:16

    How can I do this using domains and subdomains instead of a public IP address?

    • 🐧 Vivek Gite Apr 16, 2017 @ 16:52

      You can’t. You need to use reverse proxy such as Nginx. It is much better.

  • Zinc Jan 24, 2021 @ 0:14

    Been trying to do this across NIC cards, from a 170.*.*.* network to a 192.168.1.* private network. Seems like requests get forwarded to the 170 network instead of the 192 network, which isn't accessible to the outside. Can't it be made to route *through* the server to the other network?

    • Bartek Feb 1, 2021 @ 9:37

      Hi Zinc,
      If you forward traffic from a 170.*.*.* network to a 192.168.1.* network, please be sure that hosts on your 192.168.1.* network have their gateway set to
      In this example, is your router on which you set up NAT.
      When you send traffic to your 192.168.1.* network, the traffic must be sent back the same way, through your NAT router.
