Jeff Potter wrote:
Why do you want to redirect the HTTP traffic to the same box?
So that jboss can be installed under a "vanilla" user account without
needing any superuser privileges, and so that the box doesn't have to be
configured in any way other than the iptables rule. Running on localhost
(or some 10.x.x.x IP) further removes any chance of direct port 8080
access (by some other admin accidentally messing up a firewall rule).
I do it like this where $IP is the interface used by a load balancer
front end:
/sbin/iptables -t nat -A PREROUTING -d $IP -p tcp --dport 80 -j REDIRECT --to-ports 8080
/sbin/iptables -t nat -A OUTPUT -d $IP -p tcp --dport 80 -j REDIRECT --to-ports 8080
In my case I do want it to answer directly on port 8080 on the interface
too because I have a monitoring program that hits a test page there. In
retrospect it probably wasn't even worth limiting the original
destination interface because these boxes have several and a setup
script has to be run on each new box to figure out the $IP in the
command - and it wouldn't have hurt to redirect them all.
--
Les Mikesell
lesmikesell@xxxxxxxxx
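
Added example, not part of the original message: a sketch of the per-box setup step described above, checking $IP before it reaches a root-run command and using iptables -C so that re-running the script does not append duplicate rules. The function names and the DRY_RUN variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotent version of the two REDIRECT rules from the post.
# Function names and DRY_RUN are hypothetical, not from the original message.
IPT="${IPT:-/sbin/iptables}"

# Accept only a dotted-quad IPv4 address; the value ends up in a command run as root.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# One rule per chain: PREROUTING handles traffic arriving on the interface,
# OUTPUT handles connections made from the box itself to $IP.
rule_specs() {
    for chain in PREROUTING OUTPUT; do
        echo "$chain -d $1 -p tcp --dport 80 -j REDIRECT --to-ports 8080"
    done
}

apply_redirect() {
    ip=$1
    valid_ipv4 "$ip" || { echo "refusing invalid address: $ip" >&2; return 1; }
    rule_specs "$ip" | while read -r spec; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$IPT -t nat -A $spec"
        # -C tests whether the rule already exists; append only when it does not.
        elif ! $IPT -t nat -C $spec 2>/dev/null; then
            $IPT -t nat -A $spec
        fi
    done
}
# Usage (as root): apply_redirect "$IP"    Preview only: DRY_RUN=1 apply_redirect "$IP"
```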