Good evening,
on a CentOS 7 LAMP (not gateway) dedicated server I am using iptables-services with the following /etc/sysconfig/iptables:
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [294:35064]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 25,80,443,8080 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
    COMMIT
Also I am running Jetty as user "nobody" at the port 8080 using the /etc/systemd/system/websocket-handler.service file:
    [Unit]
    Description=WebSocket Handler Service
    After=network-online.target

    [Service]
    Type=simple
    User=nobody
    Group=nobody
    ExecStart=/usr/bin/java -classpath '/usr/share/java/jetty/*' de.afarber.MyHandler 144.76.184.151:8080
    ExecStop=/bin/kill ${MAINPID}
    SuccessExitStatus=143

    [Install]
    WantedBy=multi-user.target
However I actually need my Jetty program to run at port 80 - so that users behind corporate firewalls can connect too.
The Jetty doc at https://www.eclipse.org/jetty/documentation/current/setting-port80-access.ht... suggests running the command
# iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
but I cannot figure out the corresponding line for the /etc/sysconfig/iptables
I have tried running the above command and then "iptables -S" to see the added rule, but that didn't really work.
Thank you
Alex
On 20.06.2016 at 21:01, Alexander Farber wrote:
Good evening,
on a CentOS 7 LAMP (not gateway) dedicated server I am using iptables-services with the following /etc/sysconfig/iptables:
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [294:35064]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 25,80,443,8080 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
    COMMIT
[ ... ]
# iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
but I cannot figure out the corresponding line for the /etc/sysconfig/iptables
You will be surprised how easy it is to save the current ruleset:
/usr/libexec/iptables/iptables.init save
I have tried running the above command and then "iptables -S" to see the added rule, but that didn't really work.
Thank you
Alex
Regards
Alexander
On Mon, Jun 20, 2016 at 10:01 PM, Alexander Farber alexander.farber@gmail.com wrote: <cut>
However I actually need my Jetty program to run at port 80 - so that users behind corporate firewalls can connect too.
The Jetty doc at https://www.eclipse.org/jetty/documentation/current/setting-port80-access.ht... suggests running the command
# iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
but I cannot figure out the corresponding line for the /etc/sysconfig/iptables
I have tried running the above command and then "iptables -S" to see the added rule, but that didn't really work.
Thank you
Alex
Hi,
you can add the rule and then run "service iptables save" - it will save the current rules in /etc/sysconfig/iptables
When you run "iptables" or "iptables -S", it prints only the filter table by default. Try "iptables-save" - it prints all rules. The other option is "iptables -t nat -L -n" or "iptables -t nat -S".
Hope it helps.
Regards,
Hello again,
unfortunately the following /etc/sysconfig/iptables file does not work:
    *nat
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :PREROUTING ACCEPT
    :POSTROUTING ACCEPT
    #-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    -A PREROUTING -p tcp -m tcp -d 144.76.184.154/32 --dport 80 -j REDIRECT --to-ports 8080
    COMMIT

    *filter
    :INPUT DROP
    :OUTPUT ACCEPT
    :FORWARD DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
    -A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
    -A INPUT -p tcp -m tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
    COMMIT
I need incoming HTTP-connections to 144.76.184.154:80 to be redirected to 144.76.184.154:8080 (where Jetty is listening as user "nobody"), but for some reason this does not happen.
When I browse to http://144.76.184.154:8080 then I see Jetty response.
But when I browse to http://144.76.184.154 nothing is returned.
Can anybody please spot the error for me?
Thank you
Alex
Hello Gordon and others
On Tue, Jun 21, 2016 at 4:13 PM, Gordon Messmer gordon.messmer@gmail.com wrote:
On 06/21/2016 02:30 AM, Alexander Farber wrote:
-A PREROUTING -p tcp -m tcp -d 144.76.184.154/32 --dport 80 -j REDIRECT --to-ports 8080
I think you have the ports backward, here.
Here is the problem description again:
I have Jetty running as user "nobody" at the port 8080.
I need to redirect incoming HTTP requests to port 80 to the above port.
(So I don't think I have ports backwards).
Here is my current /etc/sysconfig/iptables:
    *filter
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :FORWARD ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
    -A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
    -A INPUT -p tcp -m tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dst 144.76.184.154 --dport 8080 -j ACCEPT
    COMMIT

    *nat
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :PREROUTING ACCEPT
    :POSTROUTING ACCEPT
    -A PREROUTING -p tcp --dst 144.76.184.154 --dport 8080 -j REDIRECT --to-port 80
    COMMIT
And here is my /etc/sysctl.conf:
    net.ipv4.ip_forward=1
    net.ipv6.conf.all.disable_ipv6=1
    net.ipv6.conf.default.disable_ipv6=1
Unfortunately, the redirect does not work:
When I browse to my site port 8080, I see Jetty.
When I browse to my site port 80, connection is refused.
Here I print the tables:
    # iptables -t filter -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere             icmp any
    ACCEPT     tcp  --  anywhere             anywhere             tcp state NEW multiport dports smtp,http,https,webcache
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN state NEW limit: avg 2/min burst 1

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             afarber.de           tcp dpt:webcache

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    # iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    REDIRECT   tcp  --  anywhere             afarber.de           tcp dpt:webcache redir ports 80

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
Please help
Alex
On 2016-06-21 16:24, Alexander Farber wrote:
Hello Gordon and others
[ ... ]
Here is the problem description again:
I have Jetty running as user "nobody" at the port 8080.
I need to redirect incoming HTTP requests to port 80 to the above port.
(So I don't think I have ports backwards).
Here is my current /etc/sysconfig/iptables:
    *filter
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :FORWARD ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
    -A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
    -A INPUT -p tcp -m tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dst 144.76.184.154 --dport 8080 -j ACCEPT
    COMMIT

    *nat
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :PREROUTING ACCEPT
    :POSTROUTING ACCEPT
    -A PREROUTING -p tcp --dst 144.76.184.154 --dport 8080 -j REDIRECT --to-port 80
That's not what you want and described above. What you are doing here is redirecting traffic to destination address 144.76.184.154 on destination port 8080 to port 80. Instead you want to achieve that traffic destined to port 80 is redirected locally to port 8080 where Jetty is listening.
    COMMIT
[ ... ]
Please help
Alex
Regards
Alexander
On Tue, 2016-06-21 at 16:24 +0200, Alexander Farber wrote:
    *nat
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :PREROUTING ACCEPT
    :POSTROUTING ACCEPT
    -A PREROUTING -p tcp --dst 144.76.184.154 --dport 8080 -j REDIRECT --to-port 80
http://www.karlrupp.net/en/computer/nat_tutorial
    # IMPORTANT: Activate IP-forwarding in the kernel!
    # Disabled by default!
    $> echo "1" > /proc/sys/net/ipv4/ip_forward
~~~~~~~~~~~~~~~
Is that a solution ?
On Tue, 2016-06-21 at 15:46 +0100, Always Learning wrote:
On Tue, 2016-06-21 at 16:24 +0200, Alexander Farber wrote:
    *nat
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :PREROUTING ACCEPT
    :POSTROUTING ACCEPT
    -A PREROUTING -p tcp --dst 144.76.184.154 --dport 8080 -j REDIRECT --to-port 80
http://www.karlrupp.net/en/computer/nat_tutorial
    # IMPORTANT: Activate IP-forwarding in the kernel!
    # Disabled by default!
    $> echo "1" > /proc/sys/net/ipv4/ip_forward
Is that a solution ?
and this ?
    # TCP packets from 192.168.1.2, port 12345 to 12356
    # to 123.123.123.123, Port 22
    # (a backslash indicates continuation at the next line)
    iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.2 \
        --sport 12345:12356 -d 123.123.123.123 --dport 22 [...]
On 2016-06-21 16:58, Always Learning wrote:
On Tue, 2016-06-21 at 15:46 +0100, Always Learning wrote:
On Tue, 2016-06-21 at 16:24 +0200, Alexander Farber wrote:
    *nat
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :PREROUTING ACCEPT
    :POSTROUTING ACCEPT
    -A PREROUTING -p tcp --dst 144.76.184.154 --dport 8080 -j REDIRECT --to-port 80
http://www.karlrupp.net/en/computer/nat_tutorial
    # IMPORTANT: Activate IP-forwarding in the kernel!
    # Disabled by default!
    $> echo "1" > /proc/sys/net/ipv4/ip_forward
Is that a solution ?
and this ?
    # TCP packets from 192.168.1.2, port 12345 to 12356
    # to 123.123.123.123, Port 22
    # (a backslash indicates continuation at the next line)
    iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.2 \
        --sport 12345:12356 -d 123.123.123.123 --dport 22 [...]
Both hints are irrelevant in his case.
He needs port redirection by letting iptables rewrite the TCP header destination port. There is no IP forwarding of the kernel involved. Neither does he need to do full DNAT (or whatever the incomplete cited rule should do; it lacks a target directive).
Alexander
I think I have finally figured it out -
http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html
says that "-j REDIRECT" is just a shortcut for "-j DNAT" with destination address being the one of the interface:
"There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface."
And in my case that just cannot work, because my CentOS 7 server has 4 IP addresses.
(I am sorry that I haven't mentioned it, because I didn't think it would matter.)
At "eth0" port 80 I have Apache+WordPress (which can drop root rights).
And at "eth0:1" port 8080 I run Jetty (which cannot drop root rights). But I need Jetty at port 80 (so that websockets work for corporate users behind proxies) and I want it to run as user "nobody".
So I have created a custom systemd service file /etc/systemd/system/websocket-handler.service to start Jetty:
    [Unit]
    Description=WebSocket Handler Service
    After=network-online.target

    [Service]
    Type=simple
    User=nobody
    Group=nobody
    ExecStart=/usr/bin/java -classpath '/usr/share/java/jetty/*' de.afarber.MyHandler 144.76.184.151:8080
    ExecStop=/bin/kill ${MAINPID}
    SuccessExitStatus=143

    [Install]
    WantedBy=multi-user.target
And now I have figured out how to redirect the incoming requests with net.ipv4.ip_forward=1 in /etc/sysctl.conf and with the following /etc/sysconfig/iptables:
    *filter
    :INPUT DROP
    :OUTPUT ACCEPT
    :FORWARD DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
    -A FORWARD -p tcp --dst 144.76.184.154 --dport 8080 -j ACCEPT
    COMMIT

    *nat
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :PREROUTING ACCEPT
    :POSTROUTING ACCEPT
    -A PREROUTING -p tcp --dst 144.76.184.154 --dport 80 -j DNAT --to-destination 144.76.184.154:8080
    COMMIT
The only thing that I don't understand is if
:INPUT ACCEPT :OUTPUT ACCEPT :PREROUTING ACCEPT :POSTROUTING ACCEPT
is ok (and what it means here) or if I should use DROP.
I have tried a few combinations... but I am not sure.
Thank you
Alex
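Two points recur through the thread: the reply noting that "iptables -S" shows only the filter table, so the nat PREROUTING rule has to be inspected with "iptables-save" or "iptables -t nat -S", and the final question of whether the nat chain policies should be ACCEPT. The POSIX shell script below is an added example that is not part of the thread or of any poster's setup: it audits an iptables-save dump offline for a port 80 to 8080 redirect, reports a PREROUTING rule whose ports are backward, checks that the filter INPUT chain still accepts the service port (PREROUTING rewrites the destination port before INPUT sees the packet, so 8080 must be open there even though clients only ever connect to 80), and confirms that every nat chain policy is ACCEPT, which is the correct setting because the nat table only sees the first packet of a connection and is not meant for filtering. The dumps embedded in it are constructed from the rulesets posted above, and the function names are the example's own. It never calls iptables itself, so it needs no root; against a live box you would feed it the real dump, e.g. audit "$(iptables-save)" 80 8080.

```shell
# Added example, not from the thread: audit an iptables-save dump for the
# port 80 -> 8080 redirect discussed above. The dumps are constructed from
# the rulesets posted in the thread; the function names are this example's own.

# The working shape: filter opens 80 and 8080, nat rewrites 80 -> 8080.
RULES_OK='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 144.76.184.154/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 144.76.184.154:8080
COMMIT'

# The "ports backward" shape from the thread: 8080 is redirected to 80.
RULES_BACKWARD='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 144.76.184.154/32 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT'

# A constructed nat table with a DROP policy, to show why that is wrong.
RULES_DROP_NAT='*nat
:PREROUTING DROP [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Print the lines of one table ($2, e.g. nat) from the dump in $1.
# "iptables -S" shows only the filter table; "iptables-save" shows them all.
table_section() {
    printf '%s\n' "$1" | awk -v t="*$2" '
        $0 == t { in_t = 1; next }
        in_t && $0 == "COMMIT" { exit }
        in_t { print }'
}

# 0: PREROUTING redirects tcp/$2 to $3 (REDIRECT --to-ports or DNAT --to-destination)
# 1: a rule exists but with the ports swapped (the mistake pointed out in the thread)
# 2: no rule for these two ports at all
check_redirect() {
    nat=$(table_section "$1" nat)
    if printf '%s\n' "$nat" | grep -E "^-A PREROUTING .*--dport $2 .*(--to-ports $3|--to-destination [0-9.]+:$3)\$" >/dev/null; then
        return 0
    fi
    if printf '%s\n' "$nat" | grep -E "^-A PREROUTING .*--dport $3 .*(--to-ports $2|--to-destination [0-9.]+:$2)\$" >/dev/null; then
        return 1
    fi
    return 2
}

# 0 if the filter INPUT chain accepts tcp port $2 via --dport or a --dports list.
# PREROUTING rewrites the port before INPUT sees the packet, so 8080 must be open.
check_input_accepts() {
    table_section "$1" filter | awk -v p="$2" '
        /^-A INPUT / && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == p) found = 1
                if ($i == "--dports") {
                    n = split($(i + 1), a, ",")
                    for (j = 1; j <= n; j++) if (a[j] == p) found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# 0 if every nat chain policy is ACCEPT. The nat table only sees the first
# packet of a connection and is not meant for filtering; a DROP policy there
# discards every new connection that no nat rule matches. Filter in *filter.
check_nat_policies() {
    table_section "$1" nat | awk '
        /^:/ && $2 != "ACCEPT" { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone report for one dump; the exit status is that of the redirect check.
audit() {
    rc=0; check_redirect "$1" "$2" "$3" || rc=$?
    case $rc in
        0) echo "redirect $2 -> $3: ok" ;;
        1) echo "redirect $2 -> $3: ports are backward" ;;
        *) echo "redirect $2 -> $3: no rule found" ;;
    esac
    check_input_accepts "$1" "$3" && echo "INPUT accepts $3: ok" || echo "INPUT accepts $3: missing"
    check_nat_policies "$1" && echo "nat policies: ok" || echo "nat policies: not all ACCEPT"
    return $rc
}

audit "$RULES_OK" 80 8080
audit "$RULES_BACKWARD" 80 8080 || true
```

The redirect check accepts both forms seen in the thread, REDIRECT --to-ports and DNAT --to-destination, and deliberately distinguishes "swapped" from "absent", since the swapped rule is the one that is easy to misread in iptables -L output (dpt:webcache redir ports 80). After saving with "service iptables save", running the same audit on the contents of /etc/sysconfig/iptables confirms that what was saved is what was intended.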