How to set up port forwarding with iptables

By Angus. Published 27 February 2025. Updated 4 March 2026.

Port forwarding routes external traffic through your firewall to internal services running on specific IP addresses and ports. This allows you to expose web servers, SSH connections or other services to the internet while keeping them behind a NAT or firewall.

You will configure iptables to forward incoming traffic to internal network resources. Once complete, external requests reach your services securely through defined firewall rules that persist across system reboots.

Before you begin

  • You need root or sudo access to your VPS.
  • Your internal service must be running and accessible on the local network.
  • We recommend reviewing existing firewall rules before making changes.

Install iptables and persistence package

The iptables-persistent package saves your firewall rules automatically so they survive system reboots. Without it, you would need to reapply rules manually after each restart.

  1. Update your system and install required packages.
    Run the following command to update package lists, upgrade installed packages and install iptables with the persistence package: sudo apt update && sudo apt upgrade && sudo apt install iptables iptables-persistent
  2. Confirm installation.
    When prompted during installation, select Yes to save current IPv4 and IPv6 rules. This creates the initial configuration files.

Your system now has iptables installed with automatic rule persistence. Next, you will enable IP forwarding to allow traffic routing between network interfaces.

Enable IP forwarding

IP forwarding allows your system to route packets between different network interfaces. This is required for port forwarding to work because traffic must pass from your external interface to internal network destinations.

  1. Open the system configuration file.
    Use nano to edit the file: sudo nano /etc/sysctl.conf
  2. Enable IP forwarding.
    Find the line net.ipv4.ip_forward=1 and remove the # symbol if it appears at the start. If the line does not exist, add it to the end of the file.
  3. Save the file.
    Press Ctrl+X, then Y to confirm, then Enter to save.
  4. Apply the configuration change.
    Load the new setting without rebooting: sudo sysctl -p

Your system can now route traffic between network interfaces. Before adding new rules, you will check existing iptables configuration to avoid conflicts.

Check existing iptables rules

Reviewing current firewall rules prevents conflicts with your new port forwarding configuration. This shows you what rules already exist and whether they might interfere with the traffic you want to forward.

  1. List current rules.
    Display all active iptables rules: sudo iptables -L -n
  2. Review the output.
    Look for any rules that block or redirect traffic on the ports you plan to forward. Make note of any potential conflicts.
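
Note that iptables -L -n lists only the filter table, so a redirect in the nat table does not appear in its output. The added example below (not part of the original guide) scans iptables-save output, which covers every table, for rules that redirect or block a given port; the function names and the sample ruleset are constructed for illustration.

```shell
# Added example: flag existing rules that touch a port you plan to forward.
# Reads iptables-save format on stdin; on a host: sudo iptables-save | find_port_conflicts 80
find_port_conflicts() {
    awk -v port="$1" '
    # True when a --dport/--dports value (single, list or a:b range) covers port.
    function covers(spec,   n, parts, i, r) {
        n = split(spec, parts, ",")
        for (i = 1; i <= n; i++) {
            if (split(parts[i], r, ":") == 2) {
                if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
            } else if (parts[i] + 0 == port + 0) return 1
        }
        return 0
    }
    /^\*/ { table = substr($0, 2); next }      # "*nat", "*filter" start a table
    table == "filter" && /^:FORWARD DROP/ { print "policy: FORWARD default is DROP" }
    /^-A / {
        hit = 0; target = ""
        for (i = 2; i < NF; i++) {
            if (($i == "--dport" || $i == "--dports") && $(i - 1) != "!" && covers($(i + 1))) hit = 1
            if ($i == "-j") target = $(i + 1)
        }
        if (!hit) next
        if (table == "nat" && (target == "DNAT" || target == "REDIRECT")) print "redirect: " $0
        else if (table == "filter" && (target == "DROP" || target == "REJECT")) print "block: " $0
    }'
}

sample_ruleset() {   # constructed iptables-save output, not taken from a real host
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.5:22
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 9000:9100,443 -j DROP
COMMIT
EOF
}

sample_ruleset | find_port_conflicts 80     # external port used in this guide
sample_ruleset | find_port_conflicts 9086   # internal port after DNAT
```

Check both the external port and the internal destination port, because forwarded packets reach the FORWARD chain with the destination already rewritten.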

You now understand your current firewall configuration. Next, you will add the port forwarding rule that routes external traffic to your internal service.

Add a port forwarding rule

The PREROUTING chain in iptables processes incoming packets before routing decisions. Adding a DNAT rule here redirects traffic from an external port to an internal IP address and port combination.

  1. Create the forwarding rule.
    Run this command, replacing the port and destination values with your requirements:
        sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:9086
    This example forwards external traffic arriving on port 80 to 192.168.1.1 on port 9086.
  2. Save the rule.
    Make the rule persistent across reboots: sudo netfilter-persistent save
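
The rule above has no interface or destination match, so it rewrites every TCP packet to port 80 that passes through PREROUTING, and the rewritten packets must still be accepted by the filter table's FORWARD chain. The added example below (not part of the original guide) prints a scoped equivalent for review instead of applying it; eth0 and 203.0.113.10 are placeholder values and the function names are hypothetical.

```shell
# Added example: print, for review, a DNAT rule limited to one inbound
# interface and one public address, plus the matching FORWARD accepts.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() (   # subshell body keeps the IFS change local
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do [ "$o" -le 255 ] || exit 1; done
)

gen_forward_rules() {
    wan_if=$1 public_ip=$2 ext_port=$3 int_ip=$4 int_port=$5
    # Reject anything that is not a plain interface name, address or port,
    # so the printed commands are safe to paste into a root shell.
    case "$wan_if" in ''|*[!A-Za-z0-9._-]*) echo "bad interface" >&2; return 1 ;; esac
    valid_ipv4 "$public_ip" && valid_ipv4 "$int_ip" || { echo "bad IPv4 address" >&2; return 1; }
    valid_port "$ext_port" && valid_port "$int_port" || { echo "bad port" >&2; return 1; }
    cat <<EOF
iptables -t nat -A PREROUTING -i $wan_if -d $public_ip -p tcp --dport $ext_port -j DNAT --to-destination $int_ip:$int_port
iptables -A FORWARD -i $wan_if -d $int_ip -p tcp --dport $int_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $wan_if -s $int_ip -p tcp --sport $int_port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Placeholder interface and public address; ports and internal IP from this guide.
gen_forward_rules eth0 203.0.113.10 80 192.168.1.1 9086
```

The FORWARD rules match the internal address and port because DNAT has already rewritten the destination by the time the packet reaches the filter table.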

Your port forwarding rule is now active and will survive system restarts. You will verify the configuration by checking the NAT table.

Verify the NAT table

Checking the NAT table confirms your forwarding rule appears correctly in the PREROUTING chain. This shows the exact destination IP and port that incoming traffic will be redirected to.

  1. Display NAT rules.
    View the NAT table with packet and byte counters: sudo iptables -t nat -L -n -v
  2. Confirm your rule.
    Look for your PREROUTING entry in the output. Verify the destination IP and port match what you configured.

The NAT table shows your forwarding rule is in place. Finally, you will test external access to confirm traffic reaches your internal service.

Test external access

Testing from outside your network confirms that port forwarding works correctly. A successful response proves that external traffic reaches your internal service through the firewall rule.

  1. Test with curl.
    From a different machine or network, use curl to connect to your external IP on the forwarded port:
        curl http://your-external-ip:80
    Replace your-external-ip with your actual public IP address.
  2. Verify the response.
    If your internal service responds correctly, port forwarding is working. If the connection times out or fails, check your firewall rules and internal service status.

Wrapping up

Your iptables port forwarding configuration now routes external traffic to internal services securely. You enabled IP forwarding, added persistent NAT rules and verified external access. Traffic arriving on your specified port reaches the correct internal destination.

Monitor your forwarded services over the next few days. Check that connections remain stable and review your firewall logs for any unexpected traffic patterns. Our managed VPS hosting includes firewall configuration support and security monitoring.
