In Microsoft Windows, starting from Windows XP, there is a built-in ability to set up network ports forwarding (port forwarding). Due to it, any connection coming to any port can be forwarded to another local port or even to port on remote computer. Not necessarily that the system has a service listens on this port.
Port forwarding in Windows can be configured using Portproxy mode of the command Netsh. The syntax of this command is as follows:
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
where
- listenaddress is a local ip address waiting for a connection
- listenport listening port (the connection is waited on it)
- connectaddress is an IP address or DNS name to which the connection will be forwarded
- connectport is a TCP port to which the connection from listenport is forwarded to
Suppose, that our task is to make the RDP service to respond on a non-standard port, for example 3340 (the port can be changed in the settings of the service, but we will use RDP to make it easier to demonstrate forwarding).
Start the command prompt as an administrator and perform the following command:
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
Using netstat make sure that port 3340 is listened now
netstat -ano | findstr :3340
You can find out what process is listening to this port use its PID (in our example, the PID is 336):
tasklist | findstr 336
Let’s try to connect to this computer from a remote system using any RDP client. Port 3340 should be specified as the RDP port. (It is specified after the column following the RDP server address):
The connection should be established successful.
Display the list of forwarding rules in the system:
netsh interface portproxy show all
In our case there is only one forwarding rule from port 3340 to 3389:
Listen on ipv4: Connect to ipv4:
Address Port Address Port
--------------- ---------- --------------- ----------
10.1.1.110 3340 10.1.1.110 3389
Tip. Also, portproxy settings can be obtained as follows:
netsh interface portproxy dump
#========================
# Port Proxy configuration
#========================
pushd interface portproxy
reset
add v4tov4 listenport=3340 connectaddress=10.1.1.110 connectport=3389
popd
# End of Port Proxy configuration
To remove a forwarding rule:
netsh interface portproxy delete v4tov4 listenport=3340 listenaddress=10.1.1.110
To clear all current forwarding rules:
netsh interface portproxy reset
If you wont to forward an incoming TCP connection to another computer, the command can look like this:
netsh interface portproxy add v4tov4 listenport=3389 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.100.101
This rule forwards all incoming RDP requests to the IP address 192.168.100.101
Another portproxy feature is an opportunity to make it look like any remote network service is operating locally.
For example, forward the connection from the local port 5555 to the remote address 157.166.226.25 (CNN website):
netsh interface portproxy add v4tov4 listenport=5555 connectport=80 connectaddress= 157.166.226.25 protocol=tcp
Now if you go to http://localhost:5555/ in your browser, CNN Start page will open. So despite the browser addresses the local computer, it opens a remote page.
Port forwarding can also be used to forward a port from an external address of a network card to a virtual machine port running on the same computer.
Hi, this is a good article.
I would like to ask if there is any mechanism to not only forward but also to copy data? For example, my server listen to TCP port 8845 and will do something when data comes in. I want to keep the original structure but in addition, to copy all coming data and then forward to another server via TCP port 8844. I know to write some codes can do it, but is there any built-in function in Windows Server 2012 can perform this?
Thank you.
George
Do you mean that some application on server processes some way the incoming network data and sends them over the network to another host or modified data is stored locally?
My scenario is: I have a server A to listen TCP 8845 port. There is a program installed in server A to process data when it detects data comes in. What I want to do is to keep the structure in server A, but make a copy to the original incoming data and then send it to server B using TCP 8844 port from server A.
I know we can just write a program to do it, but I want to know if there is any built-in functions in Windows Server 2012 can fulfill my demands.
Thanks.
You have to use rewrites. The easiest way I could do this was to set up an IIS server, download and install ARR, then configure AAR and “URL Rewrite” in the IIS Manager. Took about a day for a software engineer (sys admin novice) to do it and get everything straightened out.
Great write up!!! Do you know if connections going through the forwarded ports count towards the Windows 7 client connection limit of 20 concurrent connections? I’m looking to forward some traffic on my network so I can easily run scripts to redirect it if a downtime occurs but I need to know if I’m going to hit an upper limit of concurrent connections. THANKS!
thank you so so so so so much youjust saved me 8 hours of driving back to a computer i forgot
Excellent article.
I would like to isolate all incoming traffic destined for port 80 to say port 8080. But all locally originated traffic for port 80 as it is. Could you please let me know how this is possible (if at all) in WINDOWS server ?
Try to use the following command:
netsh interface portproxy add v4tov4 listenport=80 listenaddress=127.0.0.1 connectport=8080 connectaddress=127.0.0.1
Hi ,
i don’t understand how to forward the port ( 80 for examble ) to any ip and port .
Use following sintax:
netsh interface portproxy add v4tov4 listenaddress=[your_local_ip_adress] listenport=80 connectaddress=[any_ip_adress] connectport=[any_tcp_port]For example,
netsh interface portproxy add v4tov4 listenaddress=192.168.1.100 listenport=80 connectaddress=192.168.120.120 connectport=8080Thanks for this write-up! Been trying to figure out a particularly problematic issue with a legacy application and hoping maybe this can help.
Can this be used to redirect traffic originating on the local machine and directed to a particular IP address to instead send it to a different IP? For example, I have an application that is hard-coded to seek data in an archive at IP x.x.x.10, but the data has been moved and now resides at x.x.x.20 (and I can’t just re-IP the new archive location to make it x.x.x.10). Any thoughts on how to get the application’s requests, even though coming out of the application addressed to x.x.x.10, to instead be redirected and sent to x.x.x.20? Hope this makes sense…
Thanks for the quick and nice article. The double quotes in the firewall command appear unicode not ascii. My command line shell accepts both but makes the two names different.
THIS IS A GREAT WRITEUP!
However, question:
1) Does this work with IPv6?
2) When I’m connected to my VPN (w/ IPv6 enabled, all the ports that I have opened at my router and Win Firewall are now closed, eventho it says “listening on 0.0.0.0″. So, do I need to forward the ports from 0.0.0.0 to the Local LAN adapter, or from the IP address of the VPN adapter to the local LAN adapter? Kinda confused about this.
Thanks!
Is there any effective way to adjust Windows Firewall to whitelist IP addresses to the ports created with portproxy? My WF rules seem to have no effect.
i want to redirect traffic that goes from a local app to a specific remote address and force it to go to a specific port:
i tried something like:
netsh interface portproxy add v4tov4 listenaddress=[remote_address] connectport=[port_i_want_to_forward_to] connectaddress=[remote_address]
can i do something like this?
Very good post !! Thank you
Hi
Could I redirect 80 or 53 to other server?
Ex. My oficial site is hosted in a linux server with the same DNS name at AD server.
If I use primary DNS from AD server on stations, I can’t open my site and applicatons throug DNS hosted on second server.
Thanks
Hi
I did not understand, do you want to forward HTTP connections for internal clients from AD server to Linux?
PS. You can forward this way only TCP connections (DNS work over UDP potocol).
You are a legend. Thanks for the great article worked like a charm!