How to Configure Port Mapping on Windows and Linux – Step‑by‑Step Guide

Background

Servers often have multiple network interfaces and may need to forward traffic between isolated networks. By configuring port mapping, a host can act as a gateway that redirects incoming requests to internal services.

Windows Port Mapping with netsh

View existing mappings netsh interface portproxy show v4tov4 Filter mappings for a specific IP

netsh interface portproxy show v4tov4 | find "192.168.1.1"

Add a new mapping

netsh interface portproxy add v4tov4 listenaddress=2.2.2.2 listenport=8080 connectaddress=192.168.1.50 connectport=80

Delete a mapping

netsh interface portproxy delete v4tov4 listenaddress=2.2.2.2 listenport=8080

Linux Port Mapping with iptables

Enable packet forwarding

echo 1 >/proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -j MASQUERADE

iptables -A FORWARD -i ens33 -j ACCEPT

iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o ens37 -j MASQUERADE

Set up DNAT rule

iptables -t nat -A PREROUTING -p tcp --dport 6080 -j DNAT --to-destination 10.0.0.100:6090

Experiment: Mapping an Internal Service to the External Network

Lab Environment

VMware Workstation Pro

Five minimal CentOS 7 VMs (Server1, Server2, Server3, Server4, client)

Server4 has two NICs: 192.168.50.0/24 (internal) and 172.16.2.0/24 (external). Server1 and Server2 reside in the internal network, Server3 in the external network.

Deploy HTTP services

cd ~</code>
<code>echo "server1" > index.html</code>
<code>python -m SimpleHTTPServer 8080

Repeat the same steps on Server2 and Server3.

Baseline test from the client

curl http://192.168.50.11:8080/index.html

curl http://192.168.50.12:8080/index.htm

curl http://172.16.2.11:8080/index.html

All attempts fail because the client cannot reach the internal servers directly.

Configure port mapping on Server4 (Linux)

Temporary configuration

# enable forwarding</code>
<code>echo 1 >/proc/sys/net/ipv4/ip_forward</code>
<code>iptables -t nat -A POSTROUTING -j MASQUERADE</code>
<code>iptables -A FORWARD -i ens33 -j ACCEPT</code>
<code>iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o ens37 -j MASQUERADE</code>
<code># DNAT rules</code>
<code>iptables -t nat -A PREROUTING -p tcp --dport 8081 -j DNAT --to-destination 192.168.50.11:8080</code>
<code>iptables -t nat -A PREROUTING -p tcp --dport 8082 -j DNAT --to-destination 192.168.50.12:8080

For a permanent setup, append the same commands to /etc/rc.local.

Verify the mapping

curl http://172.16.2.100:8081/index.html

curl http://172.16.2.100:8082/index.html

Both commands return the content served by Server1 and Server2 respectively, confirming that external clients can now reach the internal services through Server4’s NAT rules.

Windows alternative for Server4

If Server4 runs Windows, use the equivalent netsh commands:

netsh interface portproxy add v4tov4 listenaddress=172.16.2.105 listenport=8081 connectaddress=192.168.50.11 connectport=8080</code>
<code>netsh interface portproxy add v4tov4 listenaddress=172.16.2.105 listenport=8082 connectaddress=192.168.50.12 connectport=8080</code>
<code>netsh interface portproxy show v4tov4

Server4’s network interfaces are:

Ethernet0 – 192.168.50.105/255.255.255.0 (internal)

Ethernet1 – 172.16.2.105/255.255.255.0 (external)