I think I have finally figured it out -
http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html
says that "-j REDIRECT" is just a shortcut for "-j DNAT" with destination address being the one of the interface:
"There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface."
And in my case that just cannot work, because my CentOS 7 server has 4 IP addresses.
(I am sorry that I haven't mentioned it; I didn't think it would matter.)
At "eth0" port 80 I have Apache+WordPress (which can drop root rights).
And at "eth0:1" port 8080 I run Jetty (which cannot drop root rights). But I need Jetty at port 80 (so that websockets work for corporate users behind proxies) and I want it to run as user "nobody".
So I have created a custom systemd service file /etc/systemd/system/websocket-handler.service to start Jetty:
[Unit]
Description=WebSocket Handler Service
After=network-online.target

[Service]
Type=simple
User=nobody
Group=nobody
ExecStart=/usr/bin/java -classpath '/usr/share/java/jetty/*' de.afarber.MyHandler 144.76.184.151:8080
ExecStop=/bin/kill ${MAINPID}
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target
And now I have figured out how to redirect the incoming requests with net.ipv4.ip_forward=1 in /etc/sysctl.conf and with the following /etc/sysconfig/iptables:
*filter
:INPUT DROP
:OUTPUT ACCEPT
:FORWARD DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
-A FORWARD -p tcp --dst 144.76.184.154 --dport 8080 -j ACCEPT
COMMIT

*nat
:INPUT ACCEPT
:OUTPUT ACCEPT
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -p tcp --dst 144.76.184.154 --dport 80 -j DNAT --to-destination 144.76.184.154:8080
COMMIT
The only thing that I don't understand is if
:INPUT ACCEPT :OUTPUT ACCEPT :PREROUTING ACCEPT :POSTROUTING ACCEPT
is ok (and what it means here) or if I should use DROP.
I have tried a few combinations... but I am not sure.
Thank you,
Alex
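As an added check (not part of Alex's post or of any project's code): a small POSIX shell linter for an iptables-save dump. It flags nat-table chains whose policy is not ACCEPT (the nat table is consulted only for the first packet of a connection, so a DROP policy there blocks all new connections; filtering belongs in the filter table) and DNAT target ports that have no matching ACCEPT in filter INPUT (a DNAT to one of the host's own addresses is delivered locally, through INPUT, not FORWARD). The ruleset below is a constructed sample modelled on the post's; the address and ports are taken from the post.

```shell
#!/bin/sh
# Constructed sample ruleset (iptables-save format), modelled on the post.
RULES_OK='*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -p tcp --dst 144.76.184.154 --dport 80 -j DNAT --to-destination 144.76.184.154:8080
COMMIT'

# lint_ruleset: read an iptables-save dump on stdin, print one finding per line
# (prints nothing when the ruleset passes both checks).
lint_ruleset() {
  awk '
    # Track which table the following lines belong to ("*filter", "*nat", ...).
    /^\*/ { table = substr($0, 2); next }
    # Check 1: nat chains must keep the default ACCEPT policy.
    table == "nat" && /^:/ && $2 != "ACCEPT" {
      printf "nat chain %s has policy %s; use ACCEPT\n", substr($1, 2), $2 }
    # Collect ports accepted by filter INPUT rules (--dport and --dports lists).
    table == "filter" && /-A INPUT/ && /-j ACCEPT/ {
      for (i = 1; i <= NF; i++) if ($i == "--dport" || $i == "--dports") {
        n = split($(i+1), p, ","); for (k = 1; k <= n; k++) open[p[k]] = 1 } }
    # Collect the destination port of every DNAT rule in the nat table.
    table == "nat" && /-j DNAT/ {
      for (i = 1; i <= NF; i++) if ($i == "--to-destination") {
        split($(i+1), d, ":"); if (d[2] != "") dnat[d[2]] = 1 } }
    # Check 2: each DNAT port must be reachable through filter INPUT.
    END { for (port in dnat) if (!(port in open))
        printf "DNAT to port %s has no filter INPUT ACCEPT\n", port }
  '
}

printf '%s\n' "$RULES_OK" | lint_ruleset
```

Run it against a live box with `iptables-save | lint_ruleset` after sourcing the function.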