How to Set Up Port Forwarding on Windows and Linux: Step‑by‑Step Guide

Servers often have multiple NICs and may need to forward packets between isolated networks; configuring port mapping enables this functionality.

1. Windows Port Mapping

1. Query port mapping netsh interface portproxy show v4tov4 2. Query mappings for a specific IP

netsh interface portproxy show v4tov4 | find "[IP]"

Example:

netsh interface portproxy show v4tov4 | find "192.168.1.1"

3. Add a port mapping

netsh interface portproxy add v4tov4 listenaddress=[ExternalIP] listenport=[ExternalPort] connectaddress=[InternalIP] connectport=[InternalPort]

Example:

netsh interface portproxy add v4tov4 listenaddress=2.2.2.2 listenport=8080 connectaddress=192.168.1.50 connectport=80

4. Delete a port mapping

netsh interface portproxy delete v4tov4 listenaddress=[ExternalIP] listenport=[ExternalPort]

Example:

netsh interface portproxy delete v4tov4 listenaddress=2.2.2.2 listenport=8080

2. Linux Port Mapping

1. Enable packet forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -i [InternalInterface] -j ACCEPT
iptables -t nat -A POSTROUTING -s [InternalSubnet] -o [ExternalInterface] -j MASQUERADE

Example:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -i ens33 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o ens37 -j MASQUERADE

2. Set up port mapping

iptables -t nat -A PREROUTING -p tcp -m tcp --dport [ExternalPort] -j DNAT --to-destination [InternalIP]:[InternalPort]

Example:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 6080 -j DNAT --to-destination 10.0.0.100:6090

Experiment: Mapping an Internal Service to the External Network

Environment

VMware Workstation Pro

Five minimal CentOS 7 virtual machines

Topology

Server4 has two NICs connecting the internal network (192.168.50.0/24) and the external network (172.16.2.0/24). Server1, Server2, and Server3 are internal servers; Server4 acts as the gateway.

Configure Services

1. Deploy simple HTTP servers on Server1‑3

cd ~
echo "server1" > index.html
python -m SimpleHTTPServer 8080

Baseline Test

From the client, curl each internal server directly:

curl http://192.168.50.11:8080/index.html
curl http://192.168.50.12:8080/index.htm
curl http://172.16.2.11:8080/index.html

Result: the client cannot reach the internal servers from the external network.

Configure Port Mapping on Server4

Temporary configuration

# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -i ens33 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o ens37 -j MASQUERADE
# Set port mapping
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.50.11:8080
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8082 -j DNAT --to-destination 192.168.50.12:8080

For permanent configuration, append the same commands to /etc/rc.local.

Verify

From the client, access the mapped ports:

curl http://172.16.2.100:8081/index.html
curl http://172.16.2.100:8082/index.html
curl http://172.16.2.11:8080/index.html

Windows Alternative

Replace the Linux commands with equivalent netsh commands on a Windows Server4:

netsh interface portproxy add v4tov4 listenaddress=172.16.2.105 listenport=8081 connectaddress=192.168.50.11 connectport=8080
netsh interface portproxy add v4tov4 listenaddress=172.16.2.105 listenport=8082 connectaddress=192.168.50.12 connectport=8080
netsh interface portproxy show v4tov4

Windows NIC details:

NIC

IP Address

Subnet Mask

Gateway

Note

Ethernet0

192.168.50.105

255.255.255.0

-

Internal NIC

Ethernet1

172.16.2.105

255.255.255.0

-

External NIC

After applying the configuration, the client can reach the internal HTTP services via the external IP and the mapped ports.