Tuesday, 05 June 2018


In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (external network), by remapping the destination IP address and port number of the communication to an internal host.





Purpose

Port forwarding allows remote computers (for example, computers on the Internet) to connect to a specific computer or service in a private local area network (LAN).

In a typical residential network, nodes get Internet access via a DSL or cable modem connected to a router or network address translator (NAT/NAPT). Hosts on the private network connect to an Ethernet switch or communicate over a wireless LAN. The external interface of the NAT device is configured with a public IP address. Computers behind the router, on the other hand, are invisible to hosts on the Internet because each of them communicates only with a private IP address.

When configuring port forwarding, the network administrator sets aside a port number in the gateway for exclusive use of communicating with services on a private network, located on a particular host. An external host should know this port number and the gateway address to communicate with the internal-network services. Often, well-known Internet service port numbers, such as port number 80 for web services (HTTP), are used in port forwarding, so that public Internet services can be implemented on a host within a private network.

Typical applications include the following:

  • Run a public HTTP server in a private LAN
  • Allow Secure Shell access to hosts on a private LAN from the Internet
  • Allow FTP access to a host on a private LAN from the Internet
  • Run a publicly available game server within a private LAN

The administrator configures port forwarding in the gateway's operating system. In the Linux kernel, this is achieved by packet filter rules in the iptables or netfilter kernel components. BSD and macOS operating systems before Yosemite (OS 10.10.X) implement it in the Ipfirewall (ipfw) module, while macOS starting with Yosemite implements it in the Packet Filter (pf) module.

When used on a gateway device, a port forward can be implemented with a single rule that translates the destination address and port. (In the Linux kernel, this is a DNAT rule.) The source address and port are, in this case, left unchanged. When used on a machine that is not the default gateway of the network, the source address must be changed to the address of the translating machine, or packets will bypass the translator and the connection will fail.

When a port forward is implemented by a proxy process (such as an application layer firewall, a SOCKS-based firewall, or a TCP circuit proxy), no packets are actually translated; only the data is proxied. This usually results in the source address (and port number) being changed to that of the proxy machine.
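The source-address change described above, as an added example that is not part of the original article: a one-shot TCP circuit proxy on loopback, with a backend that reports the peer address it would write to its access log. The function names and the loopback setup are assumptions made for the demonstration.

```python
import socket
import threading

def start_backend():
    """Internal service: replies with the peer address it would write to its log."""
    srv = socket.create_server(("127.0.0.1", 0))
    addr = srv.getsockname()

    def serve():
        conn, peer = srv.accept()
        with conn, srv:
            conn.sendall(f"{peer[0]}:{peer[1]}".encode())

    threading.Thread(target=serve, daemon=True).start()
    return addr

def start_forwarder(target, seen):
    """One-shot TCP circuit proxy: accepts a client, opens its own connection to target."""
    srv = socket.create_server(("127.0.0.1", 0))
    addr = srv.getsockname()

    def serve():
        client, _ = srv.accept()
        upstream = socket.create_connection(target)
        seen["proxy_upstream"] = upstream.getsockname()
        with client, upstream, srv:
            # The backend speaks first here, so relaying one direction is enough.
            while chunk := upstream.recv(4096):
                client.sendall(chunk)

    threading.Thread(target=serve, daemon=True).start()
    return addr

def demo():
    """Connect through the proxy and compare what each side sees."""
    seen = {}
    proxy = start_forwarder(start_backend(), seen)
    with socket.create_connection(proxy) as c:
        seen["client"] = c.getsockname()
        data = b""
        while chunk := c.recv(4096):
            data += chunk
    host, port = data.decode().rsplit(":", 1)
    seen["backend_saw"] = (host, int(port))
    return seen

if __name__ == "__main__":
    print(demo())
```

The backend records the proxy's upstream socket, not the client's, so access logs and address-based controls behind such a forward see only the proxy unless the original address is carried some other way.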

Usually only one of the private hosts can use a particular forwarded port at a time, but it is sometimes possible to configure the gateway to differentiate access by the source address of the originating host.

Unix-like operating systems sometimes use port forwarding because port numbers smaller than 1024 can only be bound by software running as the root user. Running with superuser privileges (in order to bind the port) can be a security risk to the host, so port forwarding is used to redirect a low-numbered port to another, high-numbered port, allowing application software to run as an ordinary operating system user with reduced privileges.

The Universal Plug and Play protocol (UPnP) provides a feature to automatically install port forwarding instances in a residential Internet gateway. UPnP defines the Internet Gateway Device Protocol (IGD), a network service by which an Internet gateway advertises its presence on a private network through the Simple Service Discovery Protocol (SSDP). An application that provides an Internet-based service can discover such a gateway and use the UPnP IGD protocol to reserve a port number on the gateway and cause the gateway to forward packets to its listening socket.
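An added example (not from the original article) for the Linux DNAT rules and the low-port redirect described above: it lists every forward in `iptables-save` NAT output and marks those that expose a remote-access service. The ruleset, addresses and the SENSITIVE table are constructed for illustration.

```python
import shlex

# Constructed sample of `iptables-save -t nat` output (hypothetical gateway).
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.20:22
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Internal services that deserve a second look when reachable from outside.
SENSITIVE = {"21": "FTP", "22": "SSH", "3389": "RDP", "5900": "VNC"}

def _opt(tokens, name):
    """Value following option `name`, or None if the option is absent."""
    if name in tokens and tokens.index(name) + 1 < len(tokens):
        return tokens[tokens.index(name) + 1]
    return None

def list_forwards(ruleset):
    """Return one dict per DNAT/REDIRECT rule in iptables-save text."""
    forwards = []
    for line in ruleset.splitlines():
        tokens = shlex.split(line)
        target = _opt(tokens, "-j")
        if tokens[:1] != ["-A"] or target not in ("DNAT", "REDIRECT"):
            continue
        ext_port = _opt(tokens, "--dport")
        if target == "DNAT":
            host, _, port = (_opt(tokens, "--to-destination") or "").partition(":")
        else:  # REDIRECT delivers to a port on the gateway itself
            host, port = "localhost", _opt(tokens, "--to-ports")
        port = port or ext_port  # no port given: destination port is unchanged
        forwards.append({
            "chain": _opt(tokens, "-A"), "proto": _opt(tokens, "-p"),
            "ext_port": ext_port, "to_host": host, "to_port": port,
            "exposes": SENSITIVE.get(port),
        })
    return forwards

if __name__ == "__main__":
    for f in list_forwards(SAMPLE_RULES):
        flag = f"  <-- exposes {f['exposes']}" if f["exposes"] else ""
        print(f"{f['proto']}/{f['ext_port']} -> {f['to_host']}:{f['to_port']}{flag}")
```

Matching on the internal port rather than the external one catches forwards such as 2222 to 22, where a non-standard outside port hides which service is published.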




Types of port forwarding

Port forwarding can be divided into the following specific types: local, remote, and dynamic port forwarding.

Local port forwarding

Local port forwarding is the most common type of port forwarding. It lets a user connect from the local computer to another server, that is, it forwards data securely from another client application running on the same computer as a Secure Shell (SSH) client. By using local port forwarding, firewalls that block certain web pages can be bypassed.

Two important items in local port forwarding are the destination server and two port numbers. Connections from the SSH client are forwarded via the SSH server, then to the destination server. As stated above, local port forwarding forwards data from another client application running on the same computer as the Secure Shell client. The Secure Shell client is configured to redirect data from a specified local port through the secure tunnel to a specified destination host and port. This local port is on the same computer as the Secure Shell client. Any other client running on the same computer can be configured to connect to the forwarded port (rather than directly to the destination host and port). Once this connection is established, the Secure Shell client listens on the specified port and redirects all data sent to that port through the secure tunnel to the Secure Shell server. The server decrypts the data and then directs it to the destination host and port.

At the command line, "-L" specifies local port forwarding. The destination server and the two port numbers must be included. Port numbers less than 1024 or greater than 49150 are reserved for the system. Some programs will only work with specific source ports, but for the most part any source port number can be used.

Some uses of local port forwarding:

  • Using local port forwarding to receive mail
  • Connecting from a laptop to a website using an SSH tunnel

Remote port forwarding

This form of port forwarding enables applications on the server side of a Secure Shell (SSH) connection to access services residing on the SSH client side. In addition to SSH, there is a proprietary tunneling scheme that utilizes remote port forwarding for the same general purpose. In other words, remote port forwarding lets users connect from the server side of a tunnel, SSH or other, to a remote network service located on the client side of the tunnel.

To use remote port forwarding, the address of the destination server (on the client side of the tunnel) and two port numbers must be known. The port numbers chosen depend on which application is to be used.

Remote port forwarding allows other computers to access applications hosted on remote servers. Two examples:

  • An employee of a company hosts an FTP server at his own home and wants to give access to the FTP service to employees using computers in the workplace. To do this, he can set up remote port forwarding through SSH on the company's internal computers by including his FTP server's address and using the correct port number for FTP (the standard FTP port is TCP/21).
  • Opening a remote desktop session is a common use of remote port forwarding. Through SSH, this can be done by opening the Virtual Network Computing port (5900) and including the destination computer's address.

Dynamic port forwarding

Dynamic port forwarding (DPF) is an on-demand method for traversing a firewall or NAT through the use of firewall pinholes. The goal is to enable clients to connect securely to a trusted server that acts as an intermediary for sending and receiving data to one or more destination servers.

DPF can be implemented by setting up a local application, such as SSH, as a SOCKS proxy server, which can be used to process data transmissions through the network or over the Internet. Programs, such as web browsers, must be configured individually to direct traffic through the proxy, which acts as a secure tunnel to another server. Once the proxy is no longer needed, the programs must be reconfigured to their original settings. Because of the manual requirements of DPF, it is not often used.

Once the connection is established, DPF can be used to provide additional security for a user connected to an untrusted network. Because the data must pass through the secure tunnel to another server before being forwarded to its original destination, the user is protected from packet sniffing that may occur on the LAN.

DPF is a powerful tool with many uses; for example, a user connected to the Internet through a coffee shop, hotel, or other minimally secure network may wish to use DPF as a way of protecting data. DPF can also be used to bypass firewalls that restrict access to outside websites, such as in corporate networks.
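An added example, not part of the original article, for the three SSH forwarding types above: it classifies the -L, -R and -D options found on an ssh command line (for instance one taken from a process listing) and notes when the listener is bound to all interfaces. It goes beyond the text in reading the optional bind address; the host names and command lines are constructed.

```python
import shlex

KINDS = {"-L": "local", "-R": "remote", "-D": "dynamic"}
ALL_INTERFACES = {"", "*", "0.0.0.0"}  # bind addresses that listen on every interface

def parse_forwards(cmdline):
    """Return the port forwards requested by one ssh command line.

    Handles `-L spec` and `-Lspec`. Clustered flags (-NfL) and bracketed
    IPv6 addresses are not handled here.
    """
    argv = shlex.split(cmdline)
    forwards, i = [], 1
    while i < len(argv):
        flag, spec = argv[i][:2], argv[i][2:]
        i += 1
        if flag not in KINDS:
            continue
        if not spec and i < len(argv):  # the value is the next argument
            spec, i = argv[i], i + 1
        parts = spec.split(":")
        # Forms: port | bind:port | port:host:hostport | bind:port:host:hostport
        has_bind = len(parts) in (2, 4)
        bind = parts[0] if has_bind else None
        rest = parts[1:] if has_bind else parts
        forwards.append({
            "kind": KINDS[flag],
            "listen_port": rest[0],
            "target": ":".join(rest[1:]) or None,  # None: SOCKS-style, no fixed target
            "bind": bind,
            "all_interfaces": bind in ALL_INTERFACES,
        })
    return forwards

# Constructed command lines, as they might appear in a process listing.
SAMPLES = [
    "ssh -L 8080:intranet.example:80 user@gateway.example",
    "ssh -N -R 0.0.0.0:2222:localhost:22 user@gateway.example",
    "ssh -D 1080 user@gateway.example",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        for fwd in parse_forwards(cmd):
            print(cmd, "->", fwd)
```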



See also

  • Firewall pinhole
  • NAT traversal
  • Packet forwarding
  • Port address translation (PAT)
  • Port triggering
  • Secure Shell


Source of the article: Wikipedia
