[CentOS] Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?
alexander.farber at gmail.com
Tue Jun 21 17:33:50 UTC 2016
I think I have finally figured it out -
says that "-j REDIRECT" is just a shortcut for "-j DNAT" with destination
address being the one of the interface:
"There is a specialized case of Destination NAT called redirection: it is a
simple convenience which is exactly equivalent to doing DNAT to the address
of the incoming interface."
And in my case that just can not work, because my CentOS 7 server has 4 IP
(I am sorry that I haven't mentioned it, because I didn't think it would
At "eth0" port 80 I have Apache+WordPress (which can drop root rights).
And at "eth0:1" port 8080 I run Jetty (which can not drop root rights). But
I need Jetty at port 80 (so that websockets work for corporate users behind
proxies) and I want it to run as user "nobody".
So I have created a custom systemd service file
/etc/systemd/system/websocket-handler.service to start Jetty:
Description=WebSocket Handler Service
ExecStart=/usr/bin/java -classpath '/usr/share/java/jetty/*'
And now I have figured out how to redirect the incoming requests with
net.ipv4.ip_forward=1 in /etc/sysctl.conf and with the following
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,443,8080
-A INPUT -p tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
-A FORWARD -p tcp --dst 22.214.171.124 --dport 8080 -j ACCEPT
-A PREROUTING -p tcp --dst 126.96.36.199 --dport 80 -j DNAT
The only thing that I don't understand is if
is ok (and what it means here) or if I should use DROP.
I have tried a few combinations... but I am not sure
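
An added example (not part of the original post) that models the point quoted above: REDIRECT rewrites the destination to the incoming interface's primary address, so on a host with several addresses it can miss a service bound to an alias, while DNAT names the address explicitly. The addresses, the INTERFACES and LISTENER values, the sample rules and the function names are constructed for illustration.

```python
import shlex

# Constructed sample host: eth0 carries a primary address and one alias
# (RFC 5737 documentation addresses, not the poster's real ones).
INTERFACES = {"eth0": ["192.0.2.10", "192.0.2.11"]}  # first entry = primary
LISTENER = ("192.0.2.11", 8080)  # service bound to the alias address only

# Constructed nat-table rules in /etc/sysconfig/iptables syntax.
RULES = [
    "-A PREROUTING -p tcp --dst 192.0.2.11 --dport 80 -j REDIRECT --to-ports 8080",
    "-A PREROUTING -p tcp --dst 192.0.2.11 --dport 80 -j DNAT --to-destination 192.0.2.11:8080",
]


def parse_rule(line):
    """Collect '-option value' pairs from one rule line."""
    opts, tokens = {}, shlex.split(line)
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and not tokens[i + 1].startswith("-"):
            opts[tok] = tokens[i + 1]
    return opts


def rewritten_destination(line, in_iface, interfaces=INTERFACES):
    """Return the (ip, port) a matching packet carries after PREROUTING."""
    opts = parse_rule(line)
    target = opts["-j"]
    if target == "REDIRECT":
        # REDIRECT behaves as DNAT to the incoming interface's primary address.
        ip = interfaces[in_iface][0]
        port = opts.get("--to-ports") or opts["--dport"]
    elif target == "DNAT":
        ip, _, port = opts["--to-destination"].partition(":")
        port = port or opts["--dport"]
    else:
        raise ValueError(f"not a destination-NAT target: {target}")
    return ip, int(port)


def audit(rules, in_iface, listener=LISTENER):
    """Return the rules whose rewritten destination misses the listener."""
    return [r for r in rules if rewritten_destination(r, in_iface) != listener]


if __name__ == "__main__":
    for rule in RULES:
        print(rewritten_destination(rule, "eth0"), "<-", rule)
    print("misses listener:", audit(RULES, "eth0"))
```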