Port forwarding, also referred to as tunneling, is essentially the process of intercepting traffic bound for a certain IP/port combination and redirecting it to a different IP and/or port. This redirection may be performed by an application running on the destination host, or by intermediate hardware such as a router, proxy server or firewall.
Normally, a routing device looks at the header of a packet and simply sends it out the appropriate interface to reach the destination named in the header. In port forwarding, however, the intercepting application or device reads the packet header, notes the destination, rewrites the header information and sends the packet on to a different host, not the one requested. That new destination may be a different IP using the same port, a different port on the same IP, or a completely different combination of the two.
In the example below, 10.0.0.1 sends a request to 10.0.0.3 on port 80. An intermediate host, 10.0.0.2, intercepts the packets sent by 10.0.0.1. It rewrites the packet headers and sends them on to 10.0.0.4 on port 8080:
| 10.0.0.1           | --> | 10.0.0.2          | --> | 10.0.0.4 |
| Makes a request to |     | Actually sends to |     |          |
| 10.0.0.3:80        |     | 10.0.0.4:8080     |     |          |
The host 10.0.0.4 responds to the request and sends the response to 10.0.0.2. The host 10.0.0.2 rewrites the packet so that the response appears to come from 10.0.0.3, and sends it on to 10.0.0.1:
| 10.0.0.4              | --> | 10.0.0.2                 | --> | 10.0.0.1 |
| Sends its response to |     | Forwards the response to |     |          |
| 10.0.0.2:8080         |     | 10.0.0.1:80              |     |          |
As far as 10.0.0.1 is concerned, it has sent a request to 10.0.0.3 on port 80 and received a response back from 10.0.0.3 on port 80. This is not what has happened; the traffic has never actually touched 10.0.0.3. However, because of the way the packets have been rewritten, 10.0.0.1 sees that it has gotten a response from 10.0.0.3.
The important thing to remember in port forwarding is that the destination is always from the perspective of the requestor. Even though 10.0.0.4 is the destination for the traffic from 10.0.0.1 in the diagram, the destination for all traffic from the requestor's perspective is 10.0.0.3.
Port forwarding is extensively used to keep unwanted traffic off networks. It allows administrators to use one IP address for all external communications on the Internet while dedicating multiple servers with different IPs and ports to the task internally. This is very useful for home network users, who may wish to run an FTP server, a Web server and a gaming server on one network. Users with this type of need can set up a single public IP address on the router to translate requests to the proper server on the internal network. This arrangement has the advantage of hiding exactly which services are running on the network, using only one IP address to serve multiple tasks, and dropping all traffic at the firewall that is unrelated to the services provided.
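The following is an added example, not part of the original article, that implements the mechanism sketched in the diagrams above and the single-public-address arrangement just described as a small application-level TCP forwarder. Two stand-in "internal" services (a banner-plus-echo server playing the Web server and the FTP server; both constructed for the example) are published through two forwarder ports; the requestor only ever connects to the forwarder, the internal host only ever sees the forwarder as its peer, and a port that is not in the forwarding table simply refuses connections. All addresses are loopback so it runs offline; the port numbers are assigned by the OS at run time rather than being the fixed ones in the article.

```python
"""Minimal TCP port forwarder: accepts a connection on a 'public' port and relays
it, byte for byte, to an internal (host, port) that the requestor never addresses."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src signals EOF, then pass the EOF on."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, dest):
    """Open a fresh connection to the internal destination and relay both directions.
    The internal host sees the forwarder as its peer, not the original requestor."""
    try:
        upstream = socket.create_connection(dest, timeout=5)
    except OSError:
        client.close()  # internal service down: the requestor just sees a closed connection
        return
    upstream.settimeout(None)
    to_internal = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    to_internal.start()
    _pump(upstream, client)  # response path: internal host -> forwarder -> requestor
    to_internal.join()
    client.close()
    upstream.close()


def _listen():
    """Bind a listening socket on loopback with an OS-assigned port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", 0))
    sock.listen(16)
    return sock, sock.getsockname()[1]


def _serve(sock, handler):
    """Accept connections on sock in a background thread until sock is shut down."""
    def loop():
        while True:
            try:
                conn, _ = sock.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def _stop(sock):
    """Stop listening: shutdown wakes a blocked accept() so the port is really released."""
    try:
        sock.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    sock.close()


def start_forwarder(dest):
    """Listen on a 'public' port and forward every connection to the internal dest."""
    sock, port = _listen()
    _serve(sock, lambda conn: _relay(conn, dest))
    return sock, port


def start_internal_service(banner):
    """Constructed stand-in for an internal server: sends a banner, echoes one message, hangs up."""
    def handle(conn):
        with conn:
            conn.sendall(banner)
            data = conn.recv(4096)
            if data:
                conn.sendall(data)
    sock, port = _listen()
    _serve(sock, handle)
    return sock, port


def request(port, payload):
    """The requestor's view: connect to the forwarder's port and read the whole reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


def port_open(port):
    """True if something accepts connections on 127.0.0.1:port."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=1):
            return True
    except OSError:
        return False


def run_demo():
    """Publish two internal services through two forwarder ports and query them."""
    web_sock, web_port = start_internal_service(b"internal-web\n")
    ftp_sock, ftp_port = start_internal_service(b"internal-ftp\n")
    # Forwarding table, as a router would keep it: public port -> (internal host, port).
    fwd_web, pub_web = start_forwarder(("127.0.0.1", web_port))
    fwd_ftp, pub_ftp = start_forwarder(("127.0.0.1", ftp_port))
    # A port with no table entry: bound once to learn a free number, then released.
    spare, unmapped_port = _listen()
    spare.close()
    try:
        return {
            "web": request(pub_web, b"GET /\n"),
            "ftp": request(pub_ftp, b"USER anonymous\n"),
            "unmapped_port_open": port_open(unmapped_port),
        }
    finally:
        for s in (fwd_web, fwd_ftp, web_sock, ftp_sock):
            _stop(s)


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Each reply is the internal service's banner followed by the echoed request, exactly as if the requestor had spoken to the internal host directly; the requestor never learns the internal port, and the unmapped port behaves like the firewall dropping unrelated traffic. A real router does the same rewriting at the packet level rather than by opening a second connection, so the internal host sees the forwarder's address as the source, which is why its response is sent back to the forwarder in the second diagram.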
Web proxies also provide a port forwarding service. Like the above home network example, Web proxy servers use port forwarding to prevent direct contact between clients and the Internet. A Web proxy will inspect and rewrite packets moving to and from Internet destinations, allowing network administrators to control access to restricted sites, log accesses and protect internal clients from external threats like port scanning.
Port forwarding can additionally be used to send otherwise insecure TCP traffic through a secure SSH connection (also called a tunnel). This connection can be used to encrypt any type of TCP traffic, including HTTP, POP3, SMTP and FTP. A client on the requesting host connects to a service running on the destination host, and this creates an encrypted tunnel through which traffic may pass securely.
Port forwarding is an excellent way to preserve public IP addresses, protect servers and clients from unwanted access, "hide" the services and servers available on a network, and limit access to and from a network. It has the benefit of being transparent to the end user while adding an extra layer of security to networks.