Exercise 8: Configuring NAT and Port Forwarding

Jan 8, 2025

Objective

Learn how to configure Network Address Translation (NAT) and set up port forwarding to expose internal services to external networks while understanding the associated security risks.

Scenario

You are a network administrator setting up a web server on a private network that needs to be accessible from the internet. To achieve this, you need to configure NAT and port forwarding on a router or virtual machine acting as a gateway. This exercise will guide you through setting up and testing this configuration and understanding the security implications.

⚠️ Important: This exercise should be performed in a controlled lab environment. Improper exposure of internal services can lead to security risks.


Lab Instructions

Step 1: Set Up the Lab Environment

  • Router/NAT Gateway: A physical router or Linux-based virtual machine.
  • Internal Web Server: A Linux machine running a web server (e.g., Apache or Nginx).
  • External Client: A separate machine to test connectivity.

Step 2: Configure NAT on the Gateway

Enable IP forwarding on the Linux gateway:

sudo sysctl -w net.ipv4.ip_forward=1

Make this setting permanent:

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Set up source NAT (masquerading) using iptables:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Here eth0 is the external (internet-facing) interface of the gateway; substitute the actual interface name shown by ip link. This rule rewrites the source address of packets leaving eth0 to the gateway's own address, so replies come back to the gateway and are translated back to the internal host.

Step 3: Install and Configure the Web Server

On the Internal Web Server, install and start a web server:

sudo apt update
sudo apt install apache2 -y
sudo systemctl start apache2
sudo systemctl enable apache2

Verify the web server is running:

curl http://localhost

Step 4: Configure Port Forwarding

Forward HTTP traffic from the gateway to the internal web server:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80
sudo iptables -A FORWARD -p tcp -d 192.168.1.100 --dport 80 -j ACCEPT

Replace 192.168.1.100 with the internal web server's IP.

This forwards external traffic arriving on the gateway's port 8080 to the internal server's port 80: the DNAT rule rewrites the destination address of each inbound packet, and the FORWARD rule lets the rewritten packet through to the internal host. The FORWARD rule as written only admits the inbound direction; it relies on the FORWARD chain's default policy being ACCEPT (the Linux default), which also passes the server's replies. If you set the FORWARD policy to DROP, add a rule that accepts ESTABLISHED,RELATED connections as well, or the replies never leave the gateway.

Step 5: Test the Configuration

From the External Client, access the web server via the gateway’s external IP:

curl http://<gateway-public-ip>:8080

You should see the default Apache welcome page.

Step 6: Persist iptables Rules

To ensure rules persist after reboot:

sudo apt install iptables-persistent -y
sudo netfilter-persistent save
sudo netfilter-persistent reload

Solution & Explanation

How NAT and Port Forwarding Work

  • NAT (Network Address Translation): Rewrites addresses in packets as they cross the gateway. The MASQUERADE rule is source NAT: outbound packets from private internal addresses leave with the gateway's public IP as their source, and replies are mapped back to the originating host using the gateway's connection-tracking table.
  • Port Forwarding: Destination NAT (the DNAT rule) for inbound traffic. Packets arriving at the gateway's public IP on a specific port have their destination rewritten to an internal host and port, so a service that is not directly reachable can be exposed selectively.

Example Setup

  • Gateway Public IP: 203.0.113.1
  • Internal Web Server IP: 192.168.1.100
  • Forwarded Port: External port 8080 → Internal port 80

Access Flow

  1. External client sends a request to 203.0.113.1:8080.
  2. The gateway's PREROUTING DNAT rule rewrites the destination to 192.168.1.100:80 and forwards the request; the source address stays the client's own, so the web server sees the real external IP.
  3. The web server replies to the client's address. Because its default route points at the gateway, the reply passes back through the gateway, which reverses the translation so the client sees the response coming from 203.0.113.1:8080. If the internal server's default gateway is a different router, replies bypass the NAT box and the connection fails.

Testing & Verification

Successful Connection: Accessing http://<gateway-public-ip>:8080 loads the web server’s default page.

Firewall Checks: Ensure firewall rules allow traffic on port 8080.

Logs: Check web server logs to verify incoming connections:

sudo tail -f /var/log/apache2/access.log
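A follow-up to the log check above, added here as an example and not part of the original exercise: because DNAT rewrites only the destination address, the Apache access log on the internal server records the real external client, not the gateway, so the log is a usable record of who reached the forwarded service. The functions below summarise requests per source IP and flag addresses generating repeated 404s, a basic sign of path scanning against the exposed port. The log lines are constructed for the example (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges), and the 404 threshold is an assumption you would tune for your own traffic.

```shell
#!/bin/sh
# Added example (not from the exercise): summarise who is reaching the forwarded
# web server by reading Apache's combined access log. With DNAT the source
# address is preserved, so field 1 is the real external client.
# The sample lines are constructed; the addresses are documentation ranges.

SAMPLE_LOG='198.51.100.7 - - [08/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 10918 "-" "curl/8.5.0"
198.51.100.7 - - [08/Jan/2025:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 10918 "-" "curl/8.5.0"
203.0.113.50 - - [08/Jan/2025:10:01:10 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.50 - - [08/Jan/2025:10:01:11 +0000] "GET /admin HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.50 - - [08/Jan/2025:10:01:12 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.50 - - [08/Jan/2025:10:01:13 +0000] "GET /config.php HTTP/1.1" 404 196 "-" "python-requests/2.31"'

# requests_by_ip: read log lines on stdin, print "<count> <ip>", busiest first.
requests_by_ip() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_noisy_ips THRESHOLD: print source IPs with at least THRESHOLD 404
# responses (field 9 is the HTTP status in the combined log format).
# Repeated 404s from one address usually mean automated path scanning.
flag_noisy_ips() {
    awk -v thr="$1" '$9 == 404 { n[$1]++ } END { for (ip in n) if (n[ip] >= thr) print ip }'
}

# Against the live server (assumed threshold of 20):
#   sudo tail -n 1000 /var/log/apache2/access.log | flag_noisy_ips 20
printf '%s\n' "$SAMPLE_LOG" | requests_by_ip
printf '%s\n' "$SAMPLE_LOG" | flag_noisy_ips 3
```

On the sample input the summary lists 203.0.113.50 with four requests and 198.51.100.7 with two, and the 404 check with a threshold of 3 reports only 203.0.113.50. An address flagged this way is a candidate for a firewall block on the gateway, not proof of compromise; cross-check the request paths before acting.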

Security Implications

  • Exposed Ports: Open ports can be targeted by attackers. Limit exposure to only necessary services.
  • Access Control: Implement firewall rules to restrict access to trusted IPs.
  • Vulnerability Management: Regularly update the web server and apply security patches.
  • Intrusion Detection: Monitor for unusual activity using IDS/IPS solutions.

Additional Script (Optional)

Automate NAT and port forwarding setup (save as nat_port_forwarding.sh):

#!/bin/bash
set -euo pipefail

EXT_IF="eth0"            # external (internet-facing) interface
WEB_IP="192.168.1.100"   # internal web server
EXT_PORT=8080            # port exposed on the gateway
INT_PORT=80              # port the web server listens on

# Enable IP forwarding in the running kernel (Step 2 makes it permanent)
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

# Configure NAT and port forwarding. Note that -A appends, so running the
# script twice adds duplicate rules; flush with "iptables -t nat -F" first.
sudo iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
sudo iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$EXT_PORT" -j DNAT --to-destination "$WEB_IP:$INT_PORT"
sudo iptables -A FORWARD -p tcp -d "$WEB_IP" --dport "$INT_PORT" -j ACCEPT

# Save iptables rules (requires the iptables-persistent package from Step 6)
sudo netfilter-persistent save

Run the script:

chmod +x nat_port_forwarding.sh
sudo ./nat_port_forwarding.sh

Conclusion

In this exercise, you configured NAT and port forwarding to expose a web server to an external network. You also tested connectivity and learned about the security risks of open ports. Understanding NAT and port forwarding is essential for securely managing network traffic and protecting internal services.
