Jeff Potter wrote:
>
>> Why do you want to redirect the HTTP traffic to the same box?
>
> So that jboss can be installed under a "vanilla" user account without
> needing any superuser privileges, and so that the box doesn't have to be
> configured in any way other than the iptables rule. Running on localhost
> (or some 10.x.x.x IP) further removes any chance of direct port 8080
> access (by some other admin accidentally messing up a firewall rule).

I do it like this where $IP is the interface used by a load balancer
front end:

/sbin/iptables -t nat -A PREROUTING -d $IP -p tcp --dport 80 -j REDIRECT --to-ports 8080
/sbin/iptables -t nat -A OUTPUT -d $IP -p tcp --dport 80 -j REDIRECT --to-ports 8080

In my case I do want it to answer directly on port 8080 on the interface
too because I have a monitoring program that hits a test page there. In
retrospect it probably wasn't even worth limiting the original
destination interface because these boxes have several and a setup
script has to be run on each new box to figure out the $IP in the
command - and it wouldn't have hurt to redirect them all.

--
Les Mikesell
lesmikesell at gmail.com