Skip to main content

Below are instructions for how to set up port forwarding on various Linux distributions using the firewall. The example uses port 5901 (default VNC port) as the destination and port 443 (default HTTPS port) as the source. This setup would let you connect to VNC over port 443 instead without changing the VNC configuration.

Red Hat/CentOS 7 use firewalld as the default firewall application:

1) Login to the root account

su -

2) Install firewalld

yum install -y firewalld

3) enable and start firewalld

systemctl enable firewalld
systemctl start firewalld

4) add rule to allow port 22 for ssh

firewall-cmd --permanent --add-port=22/tcp

5) add rule to forward port 443 to port 5901

firewall-cmd --permanent --add-forward-port=port=443:proto=tcp:toport=5901

6) reload the firewall

firewall-cmd --reload

Ubuntu*/Debian systems can use ufw as a firewall for port

1) Login to the root account

su -

2) Make sure ufw is installed and enabled

apt-get install -y ufw
update-rc.d ufw enable
service ufw start

3) Edit the /etc/ufw/before.rules. Add the below lines to the top of the file and save the file

-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5901

5) Allow connections on the needed ports in ufw (note 22 is for ssh and just included so you can ssh back to the server)

ufw allow 22
ufw allow 443
ufw allow 5901

6) Enable ufw

ufw enable

7) Reboot the server


*Note that Ubuntu 16 uses systemd so use systemctl to start/enable the firewall instead of the service command.

Distribution agnostic solution:

This solution uses iptables which is built into the Linux Kernel so is available on all distributions of Linux. Modern Distributions ‘mask’ iptables so you will not be able to save this port forwarding solution past your current session (so you would need to re-enter it every time you start/reboot the server, even with the iptables-save command), but this way you can see how to accomplish this on any system. You can also un-mask iptables if you want to use it instead of firewalld or other firewall applications.

Login as root then enter the below two commands

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5901

A breakdown of the command so you can modify it for other services/ports if you find the need.

  • “iptables” This is a firewall/routing application that is built into the Linux kernel so is on every Linux system. It is a very complicated program and is not very easy to learn (at least for me and in comparison to modern firewall applications). So instead most modern distributions come with a firewall application that ‘masks’ iptables and has easier to use/mange commands that then adjust the iptables rules for you. Firewalld used above is one that is a part of the systemd stack and is standard for Red Hat/CentOS.
  • “-t nat” This says you’re modifying the nat ‘table’. There are multiple tables that iptables can modify. Nat is for when new connections are made.

  • “-A PREROUTING” This says to append the rule to the end of the PREROUTING chain. Appending just means you’re adding it without overwriting any existing rules. The PREROUTING chain is a list of rules to apply before routing new connections. Since we want to forward from one port to a new one, we need the rule to take effect before it has been routed.

  • “-p tcp” This says we’re looking for tcp packets. There’s a few different types you can choose from (tcp or udp being the most common). VNC is a tcp connection so that’s what we need for this example.

  • “–dport 443” Packets with destination 443 are the target.

    You can change this if you want to connect using a different port on your computer.

  • “-j REDIRECT” stands for “jump REDIRECT” which means the action is a REDIRECT. So when a packet is found that matches port 443/tcp we are going to redirect it

  • “–to-port 5901” Pretty autological. We are going to redirect it to port 5901. If you want to redirect to different service you can change this to whatever the normal port for that service is.

  • “iptables-save” This just saves the configuration so it will persist through a reboot of the server.

Comments are disabled for this guide.