Thursday 15 September 2011

Port Forwarding

I am sure everyone has heard about hosting a webserver, or an online game session.or this kind of hosting to work, you need your machine to be constantly LISTENING to incoming connection requests from various IP addresses.


Nearly all of us access the internet through a router, which means that the router must know how and where to redirect the incoming connection requests. This is accomplished by the use of port forwarding. But before we go on to discuss the process of port forwarding, we need to understand, what exactly a port is, and why is it needed.


Consider a highway which has several lanes. Each lane allows the entry of only a specific kind of vehicle (bicycles, two wheelers, cars, heavy vehicles). Different vehicles need to move through different lanes in order for the system to work efficiently and smoothly.


This is exactly the kind of system that computers follow as well. Every packet of data that is transferred between computers has a source IP address, source port number, destination IP address and destination port number. The port numbers are analogous to the lanes on a highway.


It might seem that this “PORT” that we are talking about is a physical entity located somewhere on our machine. But this is not so. These are part of the communication model adopted by computers and are universally used.


Now, let us understand a bit of networking basics. “Every machine on the internet has a unique IP address.” This is a very commonly used statement. While it is true, it is important to understand what is meant by “being” on the internet. In our homes, we use a DSL router to connect to the internet. Essentially, the unique IP address we are talking about belongs to the router and not to the computers that are connected to the router. This brings us to the question, how are we accessing the internet through our computer which does not have an IP address? The answer lies in the concept of External and Internal IP addresses.


The router has an external IP address which is its address on the internet. It also has an internal IP address which it uses to form a LAN. This LAN is the one to which computers are connected. Every packet of data that is sent from the web to our computer, has the website’s IP address as the source IP address and the router’s IP address as the destination address. The router then acts very intelligently, relaying that data to the computer by using the computer’s LAN IP address as the destination address and the router’s internal address as the source address. The computer then responds back to the router which in turn, sends the response to the website.


Now with this understanding, let us move to the procedure of port forwarding. The forwarding process can be divided into the following stages:

  1. Searching for the port number that is to be forwarded.
  2. LAN IP address of the computer to which the ports need to be forwarded.
  3. Setting up the router to forward the ports.
  4. Configuring the firewall to accept incoming connections on the specified port.
We shall see the process for both Windows and Linux Operating Systems.


1. Port Number

We need to setup a system such that any incoming requests on a specific port on the router are redirected correctly to the computer (in the LAN) which they are intended for. The ports are numbered from 0-65535. So, first of all, we need to know the port number. Some very well-known ports are 80 for HTTP, 443 for HTTPS, 23 for Telnet. The complete list can be found on this link.

Generally, the application/service that you are willing to run will let you know the port number that is to be used.


2. LAN IP Address

Now, we need to know the LAN IP address of the machine that we are trying to redirect the connections to. For this, it is better that the IP addresses in the LAN are assigned manually rather than being assigned automatically as this might lead to different IP address each time the computer is connected to the router.


In windows, go to command prompt and type "ipconfig" to know the IP and related details of the computer. Note down the IPv4 address.


For Linux, open up terminal and type "ifconfig". Note down the IP address of the adapter that you use to connect to the internet.


3. Forwarding ports on the Router

In your web browser, type the address of your router page (this is the internal IP address of your router; usually 192.168.1.1 or 10.0.0.1). Log into the router and look for a tab which says NAT/ port forwarding/virtual servers. Click on “Add a Virtual Server”. Once you are there, select a name for the port forward (any random name, you might want to make it application-specific so that it is easy to remember). Now select the type of protocol you would like to use, TCP or UDP. This depends on the application to which the ports are being forwarded (Most applications will have a feature to let you know what protocol is needed). Enter the port number you want to forward. One can also forward a complete a range of ports by specifying the starting and ending port number. The screen shot shows ports 27000-27015 being forwarded. Now, specify the IP address of the computer to which you want to forward ports.



4. Configuring the Firewall

As can be seen, port forwarding allows a kind of doorway to our computer. Any open port can be used to connect to the computer (although it is not easy) and this leaves it susceptible to attacks. To prevent such attacks, a firewall is pre-installed in Windows. This firewall blocks any such incoming connections. So, we need to configure the firewall to allow incoming connections to reach our hosting application.


On windows, open up your firewall application (I used the pre-installed Windows Firewall) and go to "INCOMING CONNECTION RULES". Click on the "NEW RULE" button, and select the option which says create a rule for "TCP/UDP" ports. Enter the port number. Then, select the option “Allow the connection”. Then select the kind of network you want to allow connection in. For ex, you may want to allow connections at your home network, but not in public place like a coffee shop. So, choose accordingly (The network type is specified each time you connect to a new network and can be changed by going to Control Panel -> Network and Sharing Centre).
Another feature which comes in handy is to allow the use of ports to selective users on the computer only. This can be done by choosing “allow connections which are secure” and then specifying the users to which the rule applies.
On Linux, there is a pre-installed firewall ‘ufw’ which is accessible through the terminal.
Firstly, make sure that the firewall is enabled by typing the following command.



sudo ufw status


This command will show whether the firewall is enabled or disabled.
If the firewall is disabled, you will need to enable it using the following command.

sudo ufw enable

Next, we must put in place a rule to allow incoming connections on the desired port. The syntax for creating such a rule is:

sudo ufw allow <port>/<optional: protocol>


For eg: If we need to allow access to TCP port 27000 from any IP address, we type:

sudo ufw allow 27000/tcp

Now, to confirm that the rule has been added, we can again type the ‘status’ command to check for all the rules that exist.

sudo ufw status

This will list all the firewall rules that exist in ‘ufw’.
For a whole set of handy ‘ufw’ commands, visit the Ubuntu Help Community page.

To monitor all the ports which are being used by the computer at any point, go to command Prompt/Terminal and type “netstat” (works for both Windows and Linux). This will show all the ports currently in use along with their local address.
Now, we are on the last hurdle. How do we check if all the port forwarding and firewall configurations that we have put in place are working? Here is a small Windows tool which does just that.
Another good utility to check if the whole port forwarding setup is working can be found at:­­
http://canyouseeme.org/
This utility is an online one and works for both Windows and Linux.


NOTE: Please make sure that you have an application/service running on the port which you are checking using the online utility. If no application is running, the incoming data packets will not be responded to and the online utility will fail to recognize the port as ‘OPEN’.
The PFPortChecker utility will work because it itself runs on the port which is to be checked and will therefore, show the port as ‘OPEN’ even if no service is configured to run on the port.


No comments:

Post a Comment