Re: Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?




I think I have finally figured it out -

http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html

says that "-j REDIRECT" is just a shortcut for "-j DNAT" with the destination
address being that of the interface:

"There is a specialized case of Destination NAT called redirection: it is a
simple convenience which is exactly equivalent to doing DNAT to the address
of the incoming interface."

And in my case that just cannot work, because my CentOS 7 server has 4 IP
addresses.

(I am sorry that I haven't mentioned it; I didn't think it would
matter.)

At "eth0" port 80 I have Apache+WordPress (which can drop root rights).

And at "eth0:1" port 8080 I run Jetty (which cannot drop root rights). But
I need Jetty at port 80 (so that websockets work for corporate users behind
proxies) and I want it to run as user "nobody".

So I have created a custom systemd service file
/etc/systemd/system/websocket-handler.service to start Jetty:

[Unit]
Description=WebSocket Handler Service
After=network-online.target

[Service]
Type=simple
User=nobody
Group=nobody
ExecStart=/usr/bin/java -classpath '/usr/share/java/jetty/*' de.afarber.MyHandler 144.76.184.151:8080
ExecStop=/bin/kill ${MAINPID}
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target

And now I have figured out how to redirect the incoming requests with
net.ipv4.ip_forward=1 in /etc/sysctl.conf and with the following
/etc/sysconfig/iptables:

*filter
:INPUT DROP
:OUTPUT ACCEPT
:FORWARD DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
-A FORWARD -p tcp --dst 144.76.184.154 --dport 8080 -j ACCEPT
COMMIT

*nat
:INPUT ACCEPT
:OUTPUT ACCEPT
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -p tcp --dst 144.76.184.154 --dport 80 -j DNAT --to-destination 144.76.184.154:8080
COMMIT

The only thing that I don't understand is if

:INPUT ACCEPT
:OUTPUT ACCEPT
:PREROUTING ACCEPT
:POSTROUTING ACCEPT

is ok (and what it means here) or if I should use DROP.

I have tried a few combinations... but I am not sure.

Thank you
Alex
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
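An added check for the question above (not part of the original post): the nat table only decides whether a packet gets rewritten, so ACCEPT policies there are the normal setting; what actually admits or drops the traffic is the filter table, and after DNAT the packet arrives at filter INPUT with the *rewritten* port, which therefore has to be in the INPUT accept list. The script below parses a ruleset in iptables-save format (a constructed sample modelled on the post, with placeholder addresses) and reports, for each PREROUTING DNAT, whether filter INPUT admits the new port.

```python
import re

# Constructed sample in iptables-save format (addresses are placeholders);
# in practice, feed it the output of `iptables-save`.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dst 192.0.2.10 --dport 80 -j DNAT --to-destination 192.0.2.10:8080
-A PREROUTING -p tcp --dst 192.0.2.10 --dport 443 -j DNAT --to-destination 192.0.2.10:8443
COMMIT
"""

def parse_ruleset(text):
    """Return {table: {"policy": {chain: policy}, "rules": [rule, ...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                       # table header, e.g. *nat
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):                     # chain policy, e.g. :INPUT DROP
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            table["rules"].append(line)
    return tables

def nat_policies_are_accept(tables):
    """True when no nat chain tries to filter via a DROP policy."""
    return all(p == "ACCEPT" for p in tables.get("nat", {"policy": {}})["policy"].values())

def accepted_tcp_ports(filter_table):
    """TCP ports that filter INPUT admits via --dport/--dports ... -j ACCEPT rules."""
    ports = set()
    for rule in filter_table["rules"]:
        if rule.startswith("-A INPUT ") and rule.endswith("-j ACCEPT"):
            m = re.search(r"--dports? (\S+)", rule)
            if m:
                ports.update(int(p) for p in m.group(1).split(","))
    return ports

def dnat_findings(text):
    """[(original_port, rewritten_port, admitted_by_filter_INPUT), ...]"""
    tables = parse_ruleset(text)
    ports = accepted_tcp_ports(tables.get("filter", {"rules": []}))
    out = []
    for rule in tables.get("nat", {"rules": []})["rules"]:
        m = re.search(r"--dport (\d+) -j DNAT --to-destination \S+:(\d+)", rule)
        if m:
            out.append((int(m.group(1)), int(m.group(2)), int(m.group(2)) in ports))
    return out
```

In the sample, the 80 to 8080 redirect is admitted, while the 443 to 8443 one would be silently dropped by the INPUT DROP policy because 8443 is missing from the multiport list.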


