[CentOS] Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?
Alexander Farber
alexander.farber at gmail.com
Tue Jun 21 17:33:50 UTC 2016
I think I have finally figured it out -
http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html
says that "-j REDIRECT" is just a shortcut for "-j DNAT" with destination
address being the one of the interface:
"There is a specialized case of Destination NAT called redirection: it is a
simple convenience which is exactly equivalent to doing DNAT to the address
of the incoming interface."
And in my case that just cannot work, because my CentOS 7 server has 4 IP
addresses.
(I am sorry that I haven't mentioned it; I didn't think it would matter.)
At "eth0" port 80 I have Apache+WordPress (which can drop root rights).
And at "eth0:1" port 8080 I run Jetty (which cannot drop root rights). But
I need Jetty at port 80 (so that websockets work for corporate users behind
proxies) and I want it to run as user "nobody".
So I have created a custom systemd service file
/etc/systemd/system/websocket-handler.service to start Jetty:
[Unit]
Description=WebSocket Handler Service
After=network-online.target
[Service]
Type=simple
User=nobody
Group=nobody
ExecStart=/usr/bin/java -classpath '/usr/share/java/jetty/*' de.afarber.MyHandler 144.76.184.151:8080
ExecStop=/bin/kill ${MAINPID}
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target
And now I have figured out how to redirect the incoming requests with
net.ipv4.ip_forward=1 in /etc/sysctl.conf and with the following
/etc/sysconfig/iptables:
*filter
:INPUT DROP
:OUTPUT ACCEPT
:FORWARD DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
-A FORWARD -p tcp --dst 144.76.184.154 --dport 8080 -j ACCEPT
COMMIT
*nat
:INPUT ACCEPT
:OUTPUT ACCEPT
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -p tcp --dst 144.76.184.154 --dport 80 -j DNAT --to-destination 144.76.184.154:8080
COMMIT
The only thing that I don't understand is if
:INPUT ACCEPT
:OUTPUT ACCEPT
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
is ok (and what it means here) or if I should use DROP.
I have tried a few combinations... but I am not sure.
Thank you
Alex
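Editor's note, added here and not part of Alex's message: the two questions the post raises (are the nat-table ACCEPT policies fine, and does the DNAT rule fit the filter rules) can be checked mechanically from the iptables-save text. The script below is an added example, not code from the post or from CentOS. It parses the quoted file (embedded as a constructed sample, with the wrapped lines joined) and reports (1) any nat chain whose policy is not ACCEPT, since the nat table only rewrites the first packet of each connection and a DROP policy there would discard every new connection that no NAT rule matches, and (2) any PREROUTING DNAT whose post-NAT port is not accepted by a filter INPUT rule, since INPUT sees the packet only after PREROUTING has already rewritten the destination port. It goes slightly beyond the post by also handling the `-j REDIRECT --to-ports` form that the post discusses as the DNAT shortcut.

```python
"""Lint an iptables-save style file for a local DNAT / REDIRECT port-forward.

Added example, not from the original mailing-list post. Checks:
  1. every nat-table chain policy is ACCEPT (filtering belongs in *filter);
  2. every DNAT --to-destination / REDIRECT --to-ports port is accepted by a
     filter INPUT rule, because INPUT sees the already-rewritten port.
"""
import shlex
from collections import defaultdict

# Constructed sample: the rules quoted in the post, with wrapped lines joined.
SAMPLE = """\
*filter
:INPUT DROP
:OUTPUT ACCEPT
:FORWARD DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
-A FORWARD -p tcp --dst 144.76.184.154 --dport 8080 -j ACCEPT
COMMIT
*nat
:INPUT ACCEPT
:OUTPUT ACCEPT
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -p tcp --dst 144.76.184.154 --dport 80 -j DNAT --to-destination 144.76.184.154:8080
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [argv, ...]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # *filter, *nat, ...
            table = line[1:]
            tables[table] = {"policy": {}, "rules": defaultdict(list)}
        elif line.startswith(":"):               # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):             # -A CHAIN <match/target options>
            argv = shlex.split(line)
            tables[table]["rules"][argv[1]].append(argv)
    return tables


def _opt(argv, name):
    """Value that follows option `name` in a rule's argv, or None if absent."""
    try:
        return argv[argv.index(name) + 1]
    except (ValueError, IndexError):
        return None


def _ports(spec):
    """Expand '22', '25,80,443' or '8000:8010' into a set of ints."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def accepted_input_ports(tables):
    """TCP ports that some filter INPUT rule accepts via --dport or --dports."""
    ports = set()
    for argv in tables.get("filter", {}).get("rules", {}).get("INPUT", []):
        if _opt(argv, "-j") != "ACCEPT":
            continue
        for name in ("--dport", "--dports"):
            spec = _opt(argv, name)
            if spec:
                ports |= _ports(spec)
    return ports


def nat_target_port(argv):
    """Post-NAT destination port of a DNAT or REDIRECT rule, else None."""
    target = _opt(argv, "-j")
    if target == "DNAT":
        dest = _opt(argv, "--to-destination") or ""
        return int(dest.rsplit(":", 1)[1]) if ":" in dest else None
    if target == "REDIRECT":
        spec = _opt(argv, "--to-ports")
        return int(spec.split("-")[0]) if spec else None
    return None


def lint(text):
    """Return a list of findings; an empty list means both checks passed."""
    tables = parse_iptables_save(text)
    findings = []
    nat = tables.get("nat")
    if nat is None:
        return findings
    for chain, policy in nat["policy"].items():
        if policy != "ACCEPT":
            findings.append(f"nat chain {chain} has policy {policy}; "
                            "use ACCEPT and do the filtering in the filter table")
    open_ports = accepted_input_ports(tables)
    for argv in nat["rules"].get("PREROUTING", []):
        port = nat_target_port(argv)
        if port is not None and port not in open_ports:
            findings.append(f"PREROUTING rewrites to port {port}, "
                            "but no filter INPUT rule accepts that port")
    return findings
```

Run `lint(open("/etc/sysconfig/iptables").read())` on a real file to get the findings as a list; for the file quoted in the post it returns an empty list, because the nat policies are all ACCEPT and the multiport INPUT rule already accepts 8080. Changing a nat policy to DROP, or removing 8080 from the multiport list, each produces exactly one finding.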