On 10/5/2012 1:00 AM, Bill Shirley wrote:
Maybe I didn't understand correctly. You're wanting to redirect
traffic received on eth0 port 80 to port 8080. Is this correct?
"iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080"
If so, then you wouldn't expect to see any traffic on eth0 port
8080 (neither coming nor going), right?
I guess. Is that the way iptables works? I would have guessed that
if you redirect, you'd see traffic on the output chain and therefore
that "port." But it seems it isn't. It looks like tcpdump hooks
into the raw input/output, before iptables handles it. In that case
it would make sense what you say.
Anyway, problem got solved. Someone with very good knowledge of TCP
and unix pointed out:
1. I need to make sure port forwarding is enabled (it wasn't):
sudo sysctl -w net.ipv4.ip_forward=1
2. I *am* getting a response from the server. If you look closely
at the tcpdump output, the server is responding. It's sending
resets back to the external workstation. That means it's telling
the workstation that it saw the request, but there's no one
listening.
3. Close inspection with netstat on the server revealed I was
listening on the right port, but the wrong network. JBoss comes
configured by default to listen on the loopback interface. I had
neglected to edit the config to tell it to listen on 0.0.0.0/0.
Grrrr. That's distinct from the port, which is in a different part
of the config file. Grrr grrr.
I really hate system administration.
Thanks for your help btw, and thanks to everyone else who tried to
help. It was useful to at least have avenues to pursue.
Bill
On 10/4/2012 9:36 PM, Mark Space wrote:
I don't understand this comment:
"If you get traffic on port 8080 then you have an iptables
problem."
Wouldn't it be the opposite? If I DON'T have traffic on port
8080, I have problems with iptables. But maybe I
misunderstand how iptables or tcpdump work.
On 10/4/2012 4:52 PM, Bill Shirley wrote:
Check your listen statement in /etc/httpd/conf/httpd.conf.
It should be:
Listen 8080
If that is correct, run tcpdump (ctrl+c to quit) and then try
externally connecting:
tcpdump -n -i eth0 port 80 or port 8080
If you get traffic on port 8080 then you have an iptables
problem.
Bill
On 10/4/2012 3:45 PM, Mark Space wrote:
Hi all, I'm having a bit of trouble setting up a new web
server. The last time I set it up it went smoothly, but for
some reason I can't connect to the HTTP port on this one.
Any clues what I'm missing?
I can:
1. SSH into my server from an external workstation.
2. Ping my server by DNS name from an external workstation.
3. I can load the default web page when I'm SSH'd in, this
works fine:
$ wget localhost
--2012-10-04 17:44:35-- http://localhost/
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2432 (2.4K) [text/html]
Saving to: ‘index.html.1’
100%[======================================>] 2,432 --.-K/s in 0s
2012-10-04 17:44:35 (183 MB/s) - ‘index.html.1’
However, I cannot connect via HTTP externally, even using
the IP address:
4. Unable to connect Firefox can't establish a connection to
the server at 54.243.205.88.
I'm not sure where I could have fubared this. I did try to
redirect the ports from 80 to 8080, perhaps that was done
incorrectly?
[ec2-user@domU-12-31-39-0A-A0-29 ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[ec2-user@domU-12-31-39-0A-A0-29 ~]$ sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 21 packets, 1608 bytes)
pkts bytes target prot opt in out source destination
150 7600 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
Chain INPUT (policy ACCEPT 171 packets, 9208 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 45 packets, 3625 bytes)
pkts bytes target prot opt in out source destination
2 120 REDIRECT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:80 redir ports 8080
0 0 REDIRECT tcp -- * * 0.0.0.0/0 10.211.163.215 tcp dpt:80 redir ports 8080
Chain POSTROUTING (policy ACCEPT 47 packets, 3745 bytes)
pkts bytes target prot opt in out source destination
I thought this should be exactly the same as the last time I
did it, so I don't know why it wouldn't work.
Here's the script I used to set up the iptables:
iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -d 10.211.163.215 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
/etc/init.d/iptables save
/etc/init.d/iptables restart
I'm completely at a loss how to troubleshoot this further,
any advice is much appreciated.
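A defender-side check for the bind-address problem found at the end of this thread (the REDIRECT target listening on 127.0.0.1 only, so external SYNs to the redirected port get reset). This is an added example, not code from anyone in the thread: a POSIX shell function that reads netstat -tln style output (a constructed sample is embedded; the function names, the sample and the column layout are assumptions) and reports whether a port is bound to loopback only, to all addresses, or not at all.

```shell
#!/bin/sh
# Constructed sample in the layout of `netstat -tln` (not real output from the thread).
# 8080 is bound to loopback only, which is the misconfiguration the thread ends on.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

# listen_scope PORT [OUTPUT]: prints one of
#   loopback-only  - every listener on PORT is 127.0.0.1 or ::1
#   all            - at least one listener on 0.0.0.0 or ::
#   specific       - bound to a particular non-loopback address
#   none           - nothing listening on PORT
# OUTPUT defaults to the embedded sample; pass "$(netstat -tln)" to use a live host.
listen_scope() {
  port=$1
  printf '%s\n' "${2:-$SAMPLE}" | awk -v port="$port" '
    $NF == "LISTEN" {
      addr = $4
      n = split(addr, parts, ":")
      p = parts[n]                     # port is the text after the last colon
      if (p != port) next
      sub(":" p "$", "", addr)         # strip the port, keeping IPv6 "::" intact
      if (addr == "127.0.0.1" || addr == "::1") loop = 1
      else if (addr == "0.0.0.0" || addr == "::" || addr == "") wild = 1
      else other = 1
      seen = 1
    }
    END {
      if (!seen) print "none"
      else if (wild) print "all"
      else if (loop && !other) print "loopback-only"
      else print "specific"
    }'
}

# redirect_reachable TARGET_PORT [OUTPUT]: interprets the scope for a port that
# an iptables REDIRECT rule sends external traffic to.
redirect_reachable() {
  case "$(listen_scope "$1" "${2:-$SAMPLE}")" in
    all) echo "reachable: listener on :$1 accepts external connections" ;;
    loopback-only) echo "unreachable: :$1 is bound to loopback only; redirected external SYNs will be reset" ;;
    none) echo "unreachable: nothing is listening on :$1" ;;
    *) echo "check: :$1 is bound to a specific address; confirm it is the external interface" ;;
  esac
}
```

Run `redirect_reachable 8080 "$(sudo netstat -tln)"` on the server to repeat the netstat check from the thread without reading the table by eye.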