[CentOS] NAT from eth0:0 port 80 to lo port 8080?

Sun May 13 21:04:17 UTC 2007
Jeff Potter <jpotter-centos at codepuppy.com>

Hi List,

Thanks for the continuing flow of good suggestions on the iptables  
question. I think our client is now willing to side-step the issue  
(by using pound to load-balance), but I'm still of course curious  
from a technical perspective.

I'm still curious about how to do this, and even with everyone's very  
kind suggestions (thank you!), I'm still feeling no closer. At least  
the client is able to carry on with their work, but I wonder -- what  
I'm trying to do feels so easy, yet nothing is getting it working, so  
I'm curious what I'm missing.

Various replies to the many suggestions below.


> Feizhou asked:
> What are you trying to achieve? Transparent proxying?
> Bob asked:
> Why do you want to redirect the HTTP traffic to the same box?

So that jboss can be installed under a "vanilla" user account without  
needing any superuser privileges, and so that the box doesn't have to  
be configured in any way other than the iptables rule. Running on  
localhost (or some 10.x.x.x IP) further removes any chance of direct  
port 8080 access (by some other admin accidentally messing up a
firewall rule).


> John Pierce suggested:
> I ran in similar troubles trying to redirect ports to another host;  
> for me the solution was to use xinetd...

This might work for pop, where you're forking off a process for each  
connection; but in http, I would think that would impose a heavy  
penalty -- wouldn't this cause the server to start another java
process for every http request?


> Pitshou suggested trying:
> iptables -t nat -A PREROUTING -p tcp -i eth0:0 --dport 80 -j  
> REDIRECT --to-ports 8080

iptables spits out an error on this -- maybe virtual interfaces  
aren't supported? -- and the "to-ports" bit doesn't specify  
127.0.0.1, and since nothing is listening on port 8080 except on  
localhost, well... the packets don't seem to flow. Rewriting this  
rule to: iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j  
REDIRECT --to-ports 127.0.0.1:8080  causes the packet to flow in, but  
tcpdump doesn't show any reply packet in the tcp/ip handshake.


> Robert suggested:
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

This, also, seems to miss getting the packet over to localhost.  
Twiddling it to "iptables -t nat -A PREROUTING -p tcp --dport 80 -j  
REDIRECT --to-ports 127.0.0.1:8080" yields the same results as above  
(not surprising, as it's the same rule, sans the interface restriction.)


> Dan suggested:
> If you Google:  tomcat "port 80" iptables    you'll narrow it down  
> a bit

Thanks! Alas, similar results. I stepped through a number of these  
suggestions, which amount to things similar to the prerouting/ 
redirect rules, or various combinations of snat/dnat rules.


> Ray suggested:
> You may need to also SNAT to 127.0.0.0/8 as well to make this  
> work... something like:
> iptables -A PREROUTING -t nat -p tcp -m tcp -i eth0 -d 64.61.61.112 --dport 80 -j DNAT --to 127.0.0.1:8080
> iptables -A POSTROUTING -t nat -p tcp -m tcp -o lo -d 127.0.0.0 --dport 8080 -j SNAT --to 127.0.0.1
> [and suggested twiddling of reject rules and checking forward rules]

Alas, same results.


As a sanity check, I've confirmed that on localhost I can telnet 8080  
and issue an http request -- which works fine.

What am I missing?

Thanks, everyone!
-Jeff
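An added example (not part of the thread, and not any reply that was posted to it) showing the two details the rules above run into. First, "eth0:0" is only an address alias: the kernel sees the packets arriving on eth0, so the alias has to be matched with `-d <address>`, not `-i eth0:0`. Second, REDIRECT rewrites the destination to the primary address of the interface the packet came in on, never to 127.0.0.1, and `--to-ports` takes a bare port number (which is why `--to-ports 127.0.0.1:8080` is rejected); a service bound only to localhost is therefore never reached. The script offers two ways out: REDIRECT with the service bound to the alias address, or DNAT to 127.0.0.1 with the `route_localnet` sysctl enabled, which only exists on Linux 3.6 and later and so was not available in 2007. The interface name, the alias address 192.0.2.10 and the port are constructed placeholders, and `DRY_RUN=1` makes the script print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: deliver port 80 on an aliased address
# to a service on port 8080 of the same box. Set DRY_RUN=1 to print the
# commands instead of executing them (no root needed in that mode).

NAT_IFACE="${NAT_IFACE:-eth0}"             # physical interface carrying the alias
NAT_ALIAS_IP="${NAT_ALIAS_IP:-192.0.2.10}" # constructed placeholder for the eth0:0 address
NAT_SVC_PORT="${NAT_SVC_PORT:-8080}"       # port the application actually listens on

case "$NAT_SVC_PORT" in
    ''|*[!0-9]*) echo "NAT_SVC_PORT must be numeric" >&2; exit 2 ;;
esac

# Print the command when DRY_RUN is set, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Variant A: REDIRECT. Incoming packets are sent to the primary address of
# the ingress interface, so the service must listen on $NAT_ALIAS_IP (or on
# 0.0.0.0); --to-ports takes a port only, never an address.
redirect_rules() {
    run iptables -t nat -A PREROUTING -i "$NAT_IFACE" -d "$NAT_ALIAS_IP" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$NAT_SVC_PORT"
    # PREROUTING never sees locally generated packets; cover the box's own
    # connections to the alias address as well.
    run iptables -t nat -A OUTPUT -o lo -d "$NAT_ALIAS_IP" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$NAT_SVC_PORT"
}

# Variant B: keep the service on 127.0.0.1 only. The kernel drops packets
# routed to 127.0.0.0/8 that arrive on a real interface unless route_localnet
# is enabled for that interface (Linux 3.6+). Enabling it also lets anything
# on the wire address the loopback services directly, so loopback-bound
# packets that did not come through our DNAT are dropped in INPUT.
loopback_dnat_rules() {
    run sysctl -w "net.ipv4.conf.${NAT_IFACE}.route_localnet=1"
    run iptables -A INPUT -i "$NAT_IFACE" -d 127.0.0.0/8 \
        -m conntrack ! --ctstate DNAT -j DROP
    run iptables -t nat -A PREROUTING -i "$NAT_IFACE" -d "$NAT_ALIAS_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "127.0.0.1:${NAT_SVC_PORT}"
}

case "${1:-}" in
    redirect) redirect_rules ;;
    loopback) loopback_dnat_rules ;;
    '') ;;   # no mode given: only define the functions (sourced, or under test)
    *) echo "usage: $0 redirect|loopback" >&2; exit 2 ;;
esac
```

Run as `DRY_RUN=1 sh nat80.sh redirect` to see what variant A would install, then without `DRY_RUN` as root to apply it. Variant A is the one to prefer where the kernel is old or exposing 127.0.0.0/8 to the interface is unwelcome; it only asks that the application bind to the alias address, which still keeps it off every other address on the box.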