5.4. Port Forwarding
Port forwarding is a name given to the combined technique of:
1. Translating the address and/or port number of a packet to a new destination.
2. Possibly accepting such packet(s) in a packet filter (firewall).
3. Forwarding the packet according to the routing table.
To illustrate the concept, two computers on the Internet that communicate with
each other using the TCP/IP or UDP/IP protocols (though the process is not limited to
these) use ports to identify the connection endpoints on each other to which
the data packets are supposed to go. In order to communicate, each computer
knows the port of the other computer (in addition to its IP address) and sends the data
to that port. Port forwarding redirects these ports in such a way that when one
computer sends data to a specific port of another computer, the data is actually
delivered to a different port. This allows remote computers to connect to a specific
computer or service within a private LAN.
In a typical residential network, nodes obtain Internet access through a DSL or
cable modem connected to a router or network address translator (NAT/NAPT).
Hosts on the private network are connected to an Ethernet switch or communicate
via a wireless LAN. The NAT device's external interface is configured with a public
IP address. The computers behind the router, on the other hand, are invisible to
hosts on the Internet as they each communicate only with a private IP address.
When configuring port forwarding, the network administrator sets aside one port
number on the gateway for the exclusive use of communicating with a service in
the private network, located on a specific host. External hosts must know this port
number and the address of the gateway to communicate with the network-internal
service.
When used on gateway devices, a port forward may be implemented with a single
rule to translate the destination address and port. The source address and port are,
in this case, left unchanged. When used on machines that are not the default
gateway of the network, the source address must be changed to be the address of
the translating machine, or packets will bypass the translator and the connection
will fail.