Hi List,
Thanks for the continuing flow of good suggestions on the iptables question. I think our client is now willing to side-step the issue (by using pound to load-balance), but I'm still of course curious from a technical perspective.
I'm still curious about how to do this, and even with everyone's very kind suggestions (thank you!), I'm still feeling no closer. At least the client is able to carry on with their work, but I wonder -- what I'm trying to do feels so easy, yet nothing is getting it working, so I'm curious what I'm missing.
Various replies to the many suggestions below.
Feizhou asked: What are you trying to achieve? Transparent proxying? Bob asked: Why do you want to redirect the HTTP traffic to the same box?
So that jboss can be installed under a "vanilla" user account without needing any superuser privileges, and so that the box doesn't have to be configured in any way other than the iptables rule. Running on localhost (or some 10.x.x.x IP) further removes any chance of direct port 8080 access (by some other admin accidentally messing up a firewall rule).
John Pierce suggested: I ran into similar troubles trying to redirect ports to another host; for me the solution was to use xinetd...
This might work for pop, where you're forking off a process for each connection; but in http, I would think that would impose a heavy penalty -- wouldn't this cause the server to start another java process for every http request?
Pitshou suggested trying: iptables -t nat -A PREROUTING -p tcp -i eth0:0 --dport 80 -j REDIRECT --to-ports 8080
iptables spits out an error on this -- maybe virtual interfaces aren't supported? -- and the "to-ports" bit doesn't specify 127.0.0.1, and since nothing is listening on port 8080 except on localhost, well... the packets don't seem to flow. Rewriting this rule to: iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 127.0.0.1:8080 causes the packet to flow in, but tcpdump doesn't show any reply packet in the tcp/ip handshake.
Robert suggested: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
This, also, seems to miss getting the packet over to localhost. Twiddling it to "iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 127.0.0.1:8080" yields the same results as above (not surprising, as it's the same rule, sans the interface restriction.)
Dan suggested: If you Google: tomcat "port 80" iptables you'll narrow it down a bit
Thanks! Alas, similar results. I stepped through a number of these suggestions, which amount to things similar to the prerouting/redirect rules, or various combinations of snat/dnat rules.
Ray suggested: You may need to also SNAT to 127.0.0.0/8 as well to make this work... something like: iptables -A PREROUTING -t nat -p tcp -m tcp -i eth0 -d 64.61.61.112 --dport 80 -j DNAT --to 127.0.0.1:8080 iptables -A POSTROUTING -t nat -p tcp -m tcp -o lo -d 127.0.0.0 --dport 8080 -j SNAT --to 127.0.0.1 [and suggested twiddling of reject rules and checking forward rules]
Alas, same results.
As a sanity check, I've confirmed that on localhost I can telnet 8080 and issue an http request -- which works fine.
What am I missing?
Thanks, everyone! -Jeff
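Added example, not from Jeff's post or any of the replies: a small script covering the two cases the thread circles around, a service listening on the interface address (REDIRECT is enough) and a service bound only to 127.0.0.1 (DNAT to loopback, which needs net.ipv4.conf.<iface>.route_localnet, available from Linux 3.6). It assumes eth0, port 8080, and a DRY_RUN switch that prints the commands instead of running them; REDIRECT's --to-ports accepting only a port or port range is why the "127.0.0.1:8080" variants above are rejected.

```shell
#!/bin/sh
# Added example, not from the post. Assumes: external interface eth0,
# service on port 8080, and (for the loopback case) a kernel with
# net.ipv4.conf.*.route_localnet, i.e. Linux 3.6 or later.
IFACE="${IFACE:-eth0}"
PUBLIC_PORT=80
APP_PORT=8080
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# REDIRECT's --to-ports takes a port or port range only; "127.0.0.1:8080"
# is rejected by iptables, which is the error seen in the thread.
validate_to_ports() {
    case "$1" in
        ''|*[!0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Case 1: the service listens on the interface address (or 0.0.0.0).
# REDIRECT rewrites the destination to the primary address of the incoming
# interface, so it can never reach a socket bound only to 127.0.0.1.
redirect_rules() {
    validate_to_ports "$APP_PORT" || return 1
    run iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport "$PUBLIC_PORT" \
        -j REDIRECT --to-ports "$APP_PORT"
}

# Case 2: the service is bound only to 127.0.0.1. DNAT to loopback and let
# the kernel route packets arriving on IFACE to 127/8; without route_localnet
# the routing code discards them and no SYN-ACK is ever sent.
dnat_localhost_rules() {
    run sysctl -w "net.ipv4.conf.$IFACE.route_localnet=1"
    run iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport "$PUBLIC_PORT" \
        -j DNAT --to-destination "127.0.0.1:$APP_PORT"
    # Locally generated connections skip PREROUTING; cover them in nat OUTPUT
    # so a test from the box itself ("telnet localhost 80") also works.
    run iptables -t nat -A OUTPUT -o lo -p tcp --dport "$PUBLIC_PORT" \
        -j REDIRECT --to-ports "$APP_PORT"
}

# Usage: DRY_RUN=0 IFACE=eth0 sh this.sh, then call the case you need, e.g.:
# dnat_localhost_rules
```

With DRY_RUN left at 1 the functions only print the commands, so the rule set can be reviewed before it is applied as root.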