Linux iptables: Port Redirection Example

How do I redirect port 80 to port 8123 using iptables?

You can redirect incoming traffic by inserting rules into the PREROUTING chain of the nat table. The REDIRECT target sets the new destination port.


The syntax is as follows to redirect tcp $srcPortNumber port to $dstPortNumber:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $srcPortNumber -j REDIRECT --to-port $dstPortNumber

The syntax is as follows to redirect udp $srcPortNumber port to $dstPortNumber:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport $srcPortNumber -j REDIRECT --to-port $dstPortNumber

Replace eth0 with your actual interface name. The following syntax also matches on source and destination IP addresses:

iptables -t nat -I PREROUTING --src $SRC_IP_MASK --dst $DST_IP -p tcp --dport $portNumber -j REDIRECT --to-ports $redirectPort


The following example redirects TCP port 25 to port 2525:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 2525

In this example, all incoming traffic on port 80 is redirected to port 8123 (replace $DST_IP with the destination address to match):

iptables -t nat -I PREROUTING --src 0/0 --dst $DST_IP -p tcp --dport 80 -j REDIRECT --to-ports 8123

Quoting from the iptables man page:

       This  target is only valid in the nat table, in the PREROUTING and OUTPUT
       chains, and user-defined chains which are only  called  from  those
       chains.   It redirects the packet to the machine itself by changing the
       destination IP  to  the  primary  address  of  the  incoming  interface
       (locally-generated  packets  are  mapped to the address).  It
       takes one option:

       --to-ports port[-port]
              This specifies a destination port or  range  of  ports  to  use:
              without  this,  the  destination port is never altered.  This is
              only valid if the rule also specifies -p tcp or -p udp.

The OUTPUT chain example (replace $DST_IP with the destination address to match):

iptables -t nat -I OUTPUT --src 0/0 --dst $DST_IP -p tcp --dport 80 -j REDIRECT --to-ports 8123

How Do I View NAT Rules?

Type the following command:

iptables -t nat -L -n -v

How Do I Save NAT Redirect Rules?

Type the following command:



  • man page – iptables

23 comments… add one
  • tapas mishra May 8, 2010 @ 12:21

    Just came across this one. Never tried but good idea.

  • Nir Jan 16, 2011 @ 20:55

    gotta love this site.

    thanks for the 1000th time ;)

  • Piyush Feb 7, 2011 @ 6:30


    Nice Article… !!!

    Please check my query and update me if it is possible by iptables or any other software…

    I have 2 application servers (i.e. A and B)

    A ip is :- and port :- 7013 (single lan card)

    B ip is :- and port :- 8014 (single lan card)

    Now I want to set port forwarding/redirection. When any client request to it will redirect to . How it is possible by iptables or any other way ?

    Thank you.

  • Rocky Feb 7, 2011 @ 10:24


    I think for nat , two lan cards are required……

    and can we pass one machine traffic to other which are on internet via port redirection….?


  • Mikhail Feb 18, 2011 @ 4:50

    Thank you! I always forget how to redirect

  • Steve Sep 6, 2011 @ 3:31

    Well heck. I thought this was my answer but adding the iptables rule to redirect outbound port 25 traffic to port 2525 has no effect. (Ubuntu 10.04)

    Mixmaster is giving me cat fits because ISPs have decided that we are not allowed to send RFC compliant e-mail any more. Ever. No matter what. Any suggestions?

  • Rocky Patel Sep 6, 2011 @ 10:52


    Can we see packet , means redirection from port 80 to port 3128 or redirect of configured ports in iptables rule.

    My question is that , is there any tool or utility, by use of it we can see how packet handle by iptables.


  • Cr0t Sep 14, 2011 @ 1:36

    How about redirecting an internal request to go out over a different interface.

    I got bond0 and wlan0.

    The request for a specific server let’s call it foobar on port 443. I always want to go out over wlan0 and never over bond0.

  • Gary Largeman Jan 31, 2012 @ 21:45

    God bless you. I’ve been looking for these!

  • Elton Rauh Feb 7, 2012 @ 19:49

    all connections are being redirected to the proxy … Why, if it is set different from the and those connections I’m also going through the proxy

    $IPTABLES -A PREROUTING -t nat -p tcp -i eth2 -s -d ! -m multiport --dports 80,443 -j DNAT --to

  • Josh Mar 15, 2012 @ 21:08

    Thanks, this was very helpful :)

  • Oliver May 3, 2012 @ 10:15

    Hi, I’ve got a quite funny setup. I connect with ssh to server1 and establish a tunnel. Packets are generated I mark the packets on the OUTPUT chain and redirect them with ip route through a vpn gateway. This works fine.

    But I want to redirect the port from 80 to 3028 and this does not work on the output chain. The rule is ignored. How can I redirect the port on the Postrouting chain?

  • Marian Sep 4, 2012 @ 10:25

    single rule doesn't work if you have a big script. Could you please publish complete firewall script with all settings ?

  • PacoBell May 7, 2013 @ 6:35

    Does this syntax guarantee the return path from $dstPortNumber back to $srcPortNumber as well? I tried this out and it seems that my client can receive packets on the dstPort just fine, but those sent back are lost somehow.

  • higkoo Aug 30, 2013 @ 4:56

    Can you do it without iptables?

  • NeMewSys Sep 4, 2013 @ 18:43

    If I use this:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 2525

    every packet arriving to port 25 will be forward to 2525, but what happens to packets arriving to port 2525? I would like to redirect them to 25, should I also add this rule?

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2525 -j REDIRECT --to-port 25
  • lorenzo Oct 31, 2013 @ 9:23

    iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 1:20 -j REDIRECT --to-port 411
    following request:
    iptables: No chain/target/match by that name.

    • anonymous Feb 14, 2014 @ 3:04


      sysctl net.ipv4.ip_forward=1


      You want to redirect 2525 -> 25, and 25 -> 2525 – why on earth would you think that’s a great idea?

  • tux Sep 12, 2014 @ 12:01

    I am trying to redirect request on port 80 to 8080 (as tomcat is listening on this);

    Following are the rules I added;

    iptables -I INPUT -p tcp --dport 80 -j ACCEPT
    iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

    But, I am unable to see the tomcat page when I hit http://xxx.xx.xx.xx/ from outside.

    But, when I also add the following in the IPTABLES, it works;
    iptables -I INPUT -p tcp --dport 8080 -j ACCEPT

    But, my question is why do I also need to expose port 8080. Because, that way http://xxx.xx.xx.xx:8080/ and http://xxx.xx.xx.xx/ would both work.

    could someone help me with a better solution in this regard.


    • Federico Sep 17, 2015 @ 22:43

      As far as I know the PREROUTING rules are applied before the INPUT rules. More in general the rules from the nat table are applied before the rules in the filter table. So, in your case, any packet going to port 80 is redirected to port 8080 (iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080) and then it is filtered by the default DROP policy of the INPUT chain, which I assume you are using, in fact it doesn’t match the ACCEPT rule on port 80 (iptables -I INPUT -p tcp --dport 80 -j ACCEPT).

      You have already verified it, as you said if you add a rule to accept INPUT packets on port 8080, both http://xxx.xx.xx.xx:8080/ and http://xxx.xx.xx.xx/ work properly. The former because it connects to port 8080 which is open, the latter because it connects to port 80 and gets redirected to port 8080 which is open.
      To further verify it you should run iptables -L -n -v more times and check that the packet counter of the rule iptables -I INPUT -p tcp --dport 80 -j ACCEPT remains 0 even if you connect to http://xxx.xx.xx.xx/ between a run and the other.
      As last option, for debugging purposes, you could add a LOG rule for packets on the 80 port and study the logs to see if any packet is accepted (syntax is easy, where the logs are depends on your system). Just remember to add it in the table just before the related ACCEPT rule and not after, otherwise the LOG rule would be ignored.

      As last thing, don’t worry about how scary and difficult iptables can seem as everything I’ve told you I’ve learned this afternoon just by googling around and the good old trial and error ;)
      Good luck
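
The redirect rules from the article combined with the filter-table behaviour described in the reply above, as an added example that is not part of the original page or its comments: because INPUT sees the packet after the port rewrite, the conntrack match accepts the listener port only for connections whose original destination port was the public one, and direct connections to the listener port are dropped. The function names, the `-o lo` restriction on the OUTPUT rule and the eth0/80/8123 values in the usage line are assumptions.

```bash
#!/bin/sh
# Added example, not from the original article or its comments. Run as root.

# valid_port N: succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ensure_rule TABLE CHAIN RULE...: append the rule unless an identical one
# already exists (-C checks), so re-running the script adds no duplicates.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
        iptables -t "$table" -A "$chain" "$@"
}

# redirect_port IFACE PROTO PUBLIC_PORT LISTEN_PORT
redirect_port() {
    iface="$1"; proto="$2"; from="$3"; to="$4"
    case "$proto" in
        tcp|udp) ;;   # --to-ports is only valid with -p tcp or -p udp
        *) echo "protocol must be tcp or udp" >&2; return 2 ;;
    esac
    if ! valid_port "$from" || ! valid_port "$to"; then
        echo "ports must be in 1..65535" >&2; return 2
    fi
    # Traffic arriving from the network is rewritten in nat/PREROUTING.
    ensure_rule nat PREROUTING -i "$iface" -p "$proto" --dport "$from" \
        -j REDIRECT --to-ports "$to"
    # Locally generated traffic skips PREROUTING; it needs nat/OUTPUT.
    # Assumption: only loopback connections should be redirected.
    ensure_rule nat OUTPUT -o lo -p "$proto" --dport "$from" \
        -j REDIRECT --to-ports "$to"
    # filter/INPUT sees the packet after the rewrite, so it matches on $to.
    # Accept only connections whose original destination port was $from ...
    ensure_rule filter INPUT -i "$iface" -p "$proto" --dport "$to" \
        -m conntrack --ctstate DNAT --ctorigdstport "$from" -j ACCEPT
    # ... and drop connections made straight to the listener port.
    ensure_rule filter INPUT -i "$iface" -p "$proto" --dport "$to" -j DROP
}

# Usage (assumed values): redirect_port eth0 tcp 80 8123
```

The rules are appended, so an earlier INPUT rule that already accepts the listener port still wins; check the order with `iptables -L INPUT -n -v --line-numbers`.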

  • michael Oct 6, 2014 @ 6:55

    Hey I need help in port Redirection
    This is my setup and it does not work
    #iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 3390 -d -j ACCEPT
    #iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3389 -j DNAT --to
    I have ubuntu server 12.04 with two network card
    This eth0 LAN
    This eth1 WAN

    I need to access from any to the addresses Port 3390 and redirect to Port 3389 to (RDP)
    My firewall is disabled

  • Garima Jain Jun 29, 2016 @ 5:19

    Is there a way to redirect only the allowed traffic to a specific port?
    Either I am able to redirect or drop but not both of them together.

  • Paul Sep 15, 2017 @ 4:51


    doesn’t make the config persistent, that just dumps out the running config. You’ll need to backup

    /etc/sysconfig/iptables then run

    iptables-save > /etc/sysconfig/iptables

    to make the running config persistent across reboots
