Port forwarding, or tunneling, is the behind-the-scenes process of intercepting data traffic headed for a computer’s IP/port combination and redirecting it to a different IP and/or port. A program that’s running on the destination computer (host) usually causes the redirection, but sometimes it can also be an intermediate hardware component, such as a router, proxy server or firewall.
Of course, the sender is unaware that any of this is going on; the request still reaches its ultimate destination and is answered.
Playing with packets.
It all starts with the packets that get created when you send a data request over the Internet.
Normally, a network router will examine the header of an IP packet and send it to a linked and appropriate interface, which in turn sends the data to the destination information that’s in the header.
But in port forwarding, the intercepting application (or device) reads the packet header, notes the destination, rewrites the header information and sends the packet on to another computer, one other than the one the sender intended. That secondary destination may be a different IP address using the same port, a different port on the same IP address, or a completely different combination of the two.
Why port forwarding?
Port forwarding is an excellent way to preserve public IP addresses. It can protect servers and clients from unwanted access, “hide” the services and servers available on a network, and limit access to and from a network. Port forwarding is transparent to the end user and adds an extra layer of security to networks.
In short, port forwarding is used to keep unwanted traffic off networks. It allows network administrators to use one IP address for all external communications on the Internet while dedicating multiple servers with different IPs and ports to the task internally. Port forwarding is useful for home network users who may wish to run a Web server or gaming server on one network.
The network administrator can set up a single public IP address on the router to translate requests to the proper server on the internal network. By using only one IP address to accomplish multiple tasks—and dropping all traffic that is unrelated to the services provided at the firewall—the administrator can hide from the outside world what services are running on the network.
A look at port forwarding.
In the simplified example below, IP Address 10.0.0.1 sends a request to 10.0.0.3 on Port 80. An intermediate host—10.0.0.2—intercepts the packets, rewrites the packet headers and sends them on to IP Address 10.0.0.4 on Port 8080:
[Diagram: 10.0.0.1 makes a request to 10.0.0.3 on Port 80; the intermediate host 10.0.0.2 actually sends it to 10.0.0.4 on Port 8080]
The host, 10.0.0.4, responds to the request, sending it to 10.0.0.2. Then 10.0.0.2 rewrites the packet—indicating that the response is from 10.0.0.3—and sends it to 10.0.0.1:
[Diagram: 10.0.0.4 sends its response to 10.0.0.2; 10.0.0.2 forwards the response to 10.0.0.1, rewritten to appear to come from 10.0.0.3 on Port 80]
As far as 10.0.0.1 is concerned, it has sent a request to 10.0.0.3 on Port 80 and has received a response back from 10.0.0.3 on Port 80. This is not what has happened—the traffic has never actually touched 10.0.0.3. However, because of the way the packets have been rewritten, 10.0.0.1 sees that it has gotten a response from 10.0.0.3.
The perceived destination is always from the perspective of the requesting computer. As the diagram shows, even though 10.0.0.4 has become the actual destination for traffic from 10.0.0.1, the destination of all that traffic (as far as the requesting host knows) is 10.0.0.3.
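The exchange above, modelled as an added example that is not part of the original article: a minimal forwarder on 10.0.0.2 keeps a table of advertised-to-real mappings, rewrites request headers toward 10.0.0.4:8080, remembers which client asked, and rewrites the reply so 10.0.0.1 sees it coming from 10.0.0.3:80. The client source port (51000) and the payloads are constructed values; traffic that matches no forwarding rule, or a reply nobody asked for, is dropped, as the article describes for unpublished services.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Just the header fields the forwarder rewrites, plus a payload."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class PortForwarder:
    """Intermediate host: rules map (advertised_ip, advertised_port) -> (real_ip, real_port)."""

    def __init__(self, rules):
        self.rules = rules
        # Connection state: (real target, client ip, client port) -> advertised (ip, port)
        self.sessions = {}

    def forward_request(self, pkt):
        target = self.rules.get((pkt.dst_ip, pkt.dst_port))
        if target is None:
            return None  # no published service on that IP/port: drop
        self.sessions[(target, pkt.src_ip, pkt.src_port)] = (pkt.dst_ip, pkt.dst_port)
        # Rewrite only the destination; the client remains the source
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.payload)

    def forward_response(self, pkt):
        key = ((pkt.src_ip, pkt.src_port), pkt.dst_ip, pkt.dst_port)
        advertised = self.sessions.get(key)
        if advertised is None:
            return None  # reply with no matching request: drop
        # Rewrite the source so the client sees the address it asked for
        return Packet(advertised[0], advertised[1], pkt.dst_ip, pkt.dst_port, pkt.payload)


def run_example():
    """The article's scenario: 10.0.0.1 -> 10.0.0.3:80, really served by 10.0.0.4:8080."""
    fwd = PortForwarder({("10.0.0.3", 80): ("10.0.0.4", 8080)})
    request = Packet("10.0.0.1", 51000, "10.0.0.3", 80, "GET /")          # constructed
    to_server = fwd.forward_request(request)
    reply = Packet("10.0.0.4", 8080, "10.0.0.1", 51000, "200 OK")          # constructed
    to_client = fwd.forward_response(reply)
    return to_server, to_client


if __name__ == "__main__":
    outbound, inbound = run_example()
    print("client saw reply from", inbound.src_ip, inbound.src_port)  # 10.0.0.3 80
```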
Port forwarding and proxies.
It probably won’t surprise you to learn that Web proxies rely on port forwarding. Much as in the home-network example above, Web proxy servers use port forwarding to prevent direct contact between clients and the wide-open Internet. When a proxy or VPN receives your online activity (an email you send or a request to view a website), it inspects and rewrites the data packets of your transmission before moving them to and from their Internet destinations.