A port forwarding (English port forwarding ) is forwarding a connection, via a computer network to a specific port is received, to another computer . Since the corresponding network service is not provided by the forwarding computer itself, the term virtual server is misleading.
The incoming data packets are masked by Destination NAT and the outgoing packets by Source NAT (the destination and source addresses are replaced) in order to forward the request to the actual server and its response to the original client. For the server and client, this creates the impression that the incoming packets came from the computer that does the port forwarding.
Port forwarding through router
A router that is connected to a private local network and the Internet , for example , waits for data packets on a specific port. When packets arrive at this port, they are forwarded to a specific computer and possibly another port in the internal network. All data packets from this computer and port, if they belong to an incoming connection, are changed via Network Address Translation (NAT) so that in the external network it appears that the router is sending the packets.
Port forwarding makes it possible for computers within a LAN - which are not directly accessible from an external network - to act as servers outside of this network , especially on the Internet , as they can thus be clearly addressed via a specified port (and using NAT ) be made.
For all computers in the external network, it looks as if the router offers the server service. That this is not the case can be seen from header lines or packet delay analyzes.
Example: A larger company has a local network with several external servers (Internet) via an ADSL router under one IP address (e.g. 184.108.40.206). Now a client from the external network (Internet) would like to use a service (e.g. HTTP / TCP port 80) on a company server. However, he can only address the company's ADSL router for the service (HTTP / TCP port 80) under the IP address known to him (220.127.116.11). The company's ADSL router forwards the request for the service (HTTP / TCP port 80) to the corresponding server in the local network.
Port forwarding is therefore required if no port address translation (PAT) is possible, since the first request comes from outside (e.g. the Internet) and several servers can only be addressed from outside using one IP address.
Port forwarding to improve security
Another application example for port forwarding is securing a channel for the transmission of confidential data. Port A on computer 1 is linked to port B on computer 2 by a connection maintained in the background between two other ports on the two computers. This is also known as tunneling .
For example, an insecure POP3 connection (user name and password are usually transmitted in clear text) can be secured by transporting it in an SSH channel: Port 113 on the POP server is SSHed to port 113 of the local computer of the Forwarded to the user. The local e-mail program now communicates with the local port ( localhost : 113) instead of the server's port (pop.example.org:113). The SSH channel transports the data in encrypted form via the parallel SSH connection between the two addresses. This makes it almost impossible for a third party who is listening in to the password. A prerequisite for an SSH tunnel is at least restricted SSH access on the server (pop.example.org), which private users are usually not allowed to do.
With port triggering , both the ports via which the data of the program are sent to the outside and via which ports the responses are received are specified. Port triggering thus expands the technology of simple port forwarding. If a computer sends data to the Internet via an application whose ports have been specified in port triggering, the router saves the IP address of this computer and forwards the incoming response packets accordingly to this IP address (back). The forwarding takes place in each case to the IP address from which the request came, without this being stored in the configuration. However, even with this technology it is not possible to forward incoming connections on one port to several computers at the same time.
With port forwarding, the port is always open, even if the service is not used. In contrast, port triggering only allows incoming data traffic after a computer has sent a request to the Internet from the local network and automatically closes the port again after a certain period of inactivity. This has two advantages:
- Increased security: The incoming ports are not open permanently.
- Forwarding no longer needs to be configured: It is no longer necessary to specify fixed internal IP addresses for forwarding the ports, since this IP address can be determined by the outgoing data traffic on the trigger port.
If port triggering is assigned to a port on which VoIP is operated, it is possible that the VoIP service can only be reached if an outgoing call has been made beforehand. As soon as the port is closed again (see above) it is again not possible to receive incoming calls. Some VoIP end devices therefore support the maintenance of forwarding by sending pseudo data packets.