This article will demonstrate how to create a port forwarding that allows sharing services within your home or business.
Have you ever imagined being able to have a WEB server inside your home or even within your company’s technology park without the need to pay for a website hosting service?
This configuration is possible when we forward open ports on a public IP to another open port on a private IP within our private network.
The figure below shows our test scenario. In this scenario, we have a machine that is on a private network and has the IP “192.168.0.102”.
We aim to make a service available inside that machine, “192.168.0.102” and expose this service to the Internet.
How to expose a service that runs inside a private network to a public network like the Internet?
To expose services running on machines on the internal network to a public network like the Internet, we’ll need to map the ports the services use to communicate.
Before that, let’s do a summary of the data we have in this scenario.
Internal Machine = IP “192.168.0.102”
Our router’s LAN interface = IP “192.168.0.1”
WAN interface of our router = IP “203.0.113.12”
Our router has two interfaces, one LAN with the IP “192.168.0.1” and one WAN with the IP “203.0.113.12”.
The LAN interface serves the internal network “192.168.0.0/24”, and this internal network hosts our internal machine.
Checking the IP and services running on the internal machine
Let’s check if the IP and services are working on the internal machine. For this, we are using a Linux machine.
Therefore, to check the IP, we can use the command below.
As we can see in the result of the command in the figure above, our IP of the internal machine is “192.168.0.102”.
Now, let’s check the services running on the internal machine.
In this case, our internal machine hosts an Apache WEB server and an SSH server.
Therefore, we know that the WEB server will use port 80 TCP to receive page requests, and the SSH server will use port 22 TCP to receive connections to the remote terminal.
Note. In this example, we are using the standard ports of the HTTP and SSH protocols.
Checking service ports
So now we need to check the ports that the WEB server and the SSH server are using on the internal machine.
For this, we will use the command below.
netstat -an | grep :22
netstat -an | grep :80
Once we have verified that we already know our internal machine IP and which ports are being used for the services we will expose on the Internet.
Now we can move on to the next step.
Doing port forwarding on the router
At this point, we have the ports open on the internal machine. However, if we check our router’s WAN interface, we won’t see ports 80 and 22 open.
That’s because we haven’t port forwarded our router yet.
Note. We can use NMAP to check the ports that are open on the WAN interface of our router. See how to use NMAP HERE.
In our case, we are going to port forward to a D-LINK router. However, the way of configuring port forwarding on routers from other manufacturers is similar.
To access the WEB interface for the configuration of our router, we will access the browser of the internal machine and type the IP of the LAN interface of the router.
In our case, this IP is “192.168.0.1”. Next, we’ll use a username and password to access the router.
Note. If this is your first time accessing the router, check the manual or the internet for your router’s default username and default password.
Accessing our router, we can see in Status that our LAN interface has the IP “192.168.0.1” and the WAN interface has the IP “203.0.113.12” .
Next, let’s click in the top menu on Advanced and then click on “Virtual Server”.
Port forwarding to HTTP server
After that, let’s enter a name for our WEB server. In this case, let’s use the settings below.
- The name of our rule will be “WEB server”.
- Then let’s enter the IP of our internal machine “192.168.0.102”.
- Choose the protocol as TCP. Since HTTP uses the TCP transport protocol.
- Use private port 80. That’s because our WEB server is using port 80 on the internal machine.
- Use public port 80. This is because we want port 80 to be open on the WAN interface of our router.
- Select schedule = Aways. To make port forwarding always active.
These settings will allow all traffic arriving on TCP port 80 on the WAN interface to be forwarded to TCP port 80 on the internal machine.
Portforwading to the SSH server
Now let’s port forward to the SSH server. For this, we already know that the SSH server will use port 22. So let’s use the configuration below.
- The name of our rule will be “SSH”.
- Then let’s insert the IP of our internal machine “192.168.0.102”.
- Choose the protocol as TCP. Since SSH uses the TCP transport protocol.
- Use private port 22. That’s because our SSH server is using port 22 on the internal machine.
- Use public port 22. That’s because we want port 22 to be open on the WAN interface of our router.
- Select schedule = Aways. To make port forwarding always active.
These settings will allow all traffic arriving on TCP port 22 on the WAN interface to be forwarded to TCP port 22 on the internal machine.
Note. In this scenario, we forwarded the same ports, port 80 public to port 80 private. However, we could have chosen different ports.
For example, we could have chosen a public port 45777, to be forwarded to a private port 80. It is up to the user to decide how to configure port forwarding.
Testing port forwarding
For the test, let’s use another machine on the external network, such as another machine on the Internet.
In our scenario, we are using an external machine with a test IP 203.0.113.10.
We can verify this with the command below.
Now, let’s test if the ports are open on our WAN. To do this, we will perform an NMAP to the IP of our WAN interface.
We’ll use the command below to verify.
We can verify that using the NMAP on ports 22 and 80 are open on the WAN interface IP of our router.
That’s because these ports were correctly mapped with the internal machine’s ports.
The next step is to make an SSH connection from the external network to our internal machine using the router’s WAN IP. For this, we will use the command below.
In this case we are using SSH with the nets user.
The next step is to access the WEB from outside the internal network using the router’s WAN IP.
To do this, we will open a browser on an external machine, and we will type the WAN IP of our router 203.0.113.12.
We can verify that the access was done correctly. So here we finish this tutorial to create port forwarding for internal services of private network machines.
Data Scientist and Master in Computer Modeling by LNCC.