Re: iptables fubared?

Maybe I didn't understand correctly.  You're wanting to redirect traffic received on eth0 port 80 to port 8080.  Is this correct?
"iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j  REDIRECT --to-ports 8080"

If so, then you wouldn't expect to see any traffic on eth0 port 8080 (neither coming or going), right?

Bill


On 10/4/2012 9:36 PM, Mark Space wrote:
I don't understand this comment:

"If you get traffic on port 8080 then you have an iptables problem."

Wouldn't it be the opposite?  If I DON'T have traffic on port 8080, I have problems with iptables.  But maybe I misunderstand how iptables or tcpdump work.



On 10/4/2012 4:52 PM, Bill Shirley wrote:
Check your listen statement in  /etc/httpd/conf/httpd.conf.  It should be:
Listen 8080

If that is correct, run tcpdump (ctrl+c to quit) and then try externally connecting:
tcpdump -n -i eth0 port 80 or port 8080

If you get traffic on port 8080 then you have an iptables problem.

Bill


On 10/4/2012 3:45 PM, Mark Space wrote:
Hi all, I'm having a bit of trouble setting up a new web server. The last time I set it up it went smoothly, but for some reason I can't connect to the HTTP port on this one.

Any clues what I'm missing?

I can:

1. SSH into my server from an external workstation.
2. Ping my server by DNS name from an external workstation.
3. I can load the default web page when I'm SSH'd in, this works fine:
$ wget localhost
--2012-10-04 17:44:35--  http://localhost/
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2432 (2.4K) [text/html]
Saving to: ‘index.html.1’

100%[======================================>] 2,432       --.-K/s   in 0s

2012-10-04 17:44:35 (183 MB/s) - ‘index.html.1’

However, I cannot connect via HTTP externally, even using the  IP address:

4. Unable to connect Firefox can't establish a connection to the server at 54.243.205.88.

I'm not sure where I could have fubared this. I did try to redirect the ports from 80 to 8080, perhaps that was done incorrectly?

[ec2-user@domU-12-31-39-0A-A0-29 ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[ec2-user@domU-12-31-39-0A-A0-29 ~]$ sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 21 packets, 1608 bytes)
 pkts bytes target     prot opt in     out     source               destination
  150  7600 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
 
Chain INPUT (policy ACCEPT 171 packets, 9208 bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain OUTPUT (policy ACCEPT 45 packets, 3625 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REDIRECT   tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:80 redir ports 8080
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            10.211.163.215       tcp dpt:80 redir ports 8080
 
Chain POSTROUTING (policy ACCEPT 47 packets, 3745 bytes)
 pkts bytes target     prot opt in     out     source               destination


I thought this should be exactly the same as the last time I did it, so I don't know why it wouldn't work.
Here's the script I used to set up the iptables:

iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT  --to-ports 8080
iptables -t nat -A OUTPUT -d 10.211.163.215 -p tcp --dport 80 -j REDIRECT  --to-ports 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j  REDIRECT --to-ports 8080
/etc/init.d/iptables save
/etc/init.d/iptables restart


I'm completely at a loss how to troubleshoot this further, any advice is much appreciated.
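An added check script (mine, not posted in the thread) that automates the two things Bill says to verify, the httpd Listen directive and the nat-table REDIRECT rule, using the Listen line and the `iptables -t nat -L -n -v` dump quoted above as constructed sample input; the function names are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread. Parses httpd's Listen line and the output
# of "iptables -t nat -L -n -v"; the sample inputs below are constructed from the thread.
NAT_TABLE='Chain PREROUTING (policy ACCEPT 21 packets, 1608 bytes)
 pkts bytes target     prot opt in     out     source               destination
  150  7600 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080

Chain INPUT (policy ACCEPT 171 packets, 9208 bytes)
 pkts bytes target     prot opt in     out     source               destination'
HTTPD_CONF='#Listen 12.34.56.78:80
Listen 8080'

# Ports httpd is told to listen on; commented-out Listen lines are ignored and
# "Listen addr:port" forms are reduced to the port.
listen_ports() {
    printf '%s\n' "$1" | awk '$1 == "Listen" { n = split($2, a, ":"); print a[n] }'
}

# True when one of those ports equals $2.
httpd_listens_on() {
    listen_ports "$1" | grep -qx "$2"
}

# Packet counter of the PREROUTING REDIRECT rule for interface $2 that sends
# dport $3 to $4, or "missing". The nat table only sees the first packet of each
# connection, so this is really a count of new connection attempts.
redirect_hits() {
    printf '%s\n' "$1" | awk -v iface="$2" -v from="$3" -v to="$4" '
        BEGIN { want = "dpt:" from }
        /^Chain / { chain = $2; next }
        chain == "PREROUTING" && $3 == "REDIRECT" && $6 == iface {
            for (i = 1; i <= NF; i++)
                if ($i == want && $(i + 3) == to) { print $1; found = 1 }
        }
        END { if (!found) print "missing" }'
}

# Verdict in the order a defender would reason: is the rule there, did any
# external SYN ever reach it, and is something listening where it sends them.
diagnose() {
    hits=$(redirect_hits "$1" eth0 80 8080)
    if [ "$hits" = missing ]; then echo "no-redirect-rule"
    elif [ "$hits" -eq 0 ]; then echo "rule-present-no-traffic"   # filtered before the host?
    elif httpd_listens_on "$2" 8080; then echo "redirect-and-listener-ok"
    else echo "httpd-not-listening-8080"
    fi
}

diagnose "$NAT_TABLE" "$HTTPD_CONF"   # prints redirect-and-listener-ok for the sample
```

A non-zero counter with a correct Listen line, as in the sample, means the box is receiving and redirecting port-80 connections, so the fault is not in the PREROUTING rule itself.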
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org