port translation and POSTROUTING question

Hi all,
I've the need to translate all requests arriving on port 80 to port 8080 (tomcat is listening on that port, running as a non-root user) on the same machine (no FORWARD involved, tomcat and iptables are on the same server). I never used iptables but thought it would be the right tool.

It's my understanding that, for this to work, I need to change the port in the PREROUTING, accept the requests made on the new port (I drop everything by default), and then change it back in the POSTROUTING (as it's my understanding that the user made the request on port 80 and should see the answer coming back from port 80).
I think I got the first part right with the following rules:

# Forward request from port 80 to tomcat listening on port 8080
# REDIRECT is a specialized case of Destination NAT: it is exactly
# equivalent to doing DNAT to the address of the incoming interface.
# As with DNAT, it can be used only in PREROUTING and OUTPUT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

# PREROUTING happens before INPUT, therefore the INPUT rule needs to
# allow the translated packet, not the original one.
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
What is not clear to me, even after reading man pages, netfilter.org documentation, and various tutorials, is what rule to write to have the packets (the ones sent back to who made the request) moved from port 8080 to port 80. It's my understanding that it should be done in POSTROUTING and that REDIRECT cannot work there.

I suppose that it should be some kind of SNAT (or not?) but SNAT seems to need also the IP address (I first tried: iptables -t nat -A POSTROUTING -p tcp --dport 8080 -j SNAT --to-source 80), which in my case doesn't change; only the port should change.

I suppose that I'm missing something fundamental, but, hum, I don't know what it is, so any help would be appreciated.
Regards,
Gaël
PS: you will find below all my iptables rules
# Flush old rules and optional user-defined chains
iptables --flush
iptables --delete-chain

# Set default-deny policies for all three default chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Give free rein to loopback interfaces
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# OUTBOUND policy
iptables -A OUTPUT -j ACCEPT
# INBOUND policy
# Accept inbound packets that are part of previously-OK'ed sessions
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept inbound packets which initiate SSH sessions
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Forward request from port 80 to tomcat listening on port 8080
# REDIRECT is a specialized case of Destination NAT: it is exactly
# equivalent to doing DNAT to the address of the incoming interface.
# As with DNAT, it can be used only in PREROUTING and OUTPUT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

# PREROUTING happens before INPUT, therefore the INPUT rule needs to
# allow the translated packet, not the original one.
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

# POSTROUTING: requests on port 80 should receive an answer from port 80
#iptables -t nat -A POSTROUTING -p tcp --dport 8080 -j SNAT --to-source 80

# Log anything not accepted above, excluding broadcast packets
iptables -A INPUT -m pkttype --pkt-type ! broadcast -j LOG --log-prefix "Dropped by default"
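An added example, not part of Gaël's message, showing the same ruleset with the return-path translation left where netfilter actually does it: in connection tracking. The nat table only ever sees the first packet of a connection; REDIRECT rewrites that packet and the mapping is recorded in the conntrack entry, and every later packet of the connection, including tomcat's replies, is translated from that entry (source port 8080 back to 80 on the way out). So there is no POSTROUTING rule to write. The variable names IPT, HTTP_PORT and TOMCAT_PORT, the function names, and the use of "-m conntrack" in place of the post's "-m state" are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: port-80 -> tomcat redirection
# with the reply direction handled by conntrack.  IPT, HTTP_PORT, TOMCAT_PORT
# and the function names are this example's own choices.
#
# Why there is no POSTROUTING rule: the nat table sees only the first packet
# of a connection.  REDIRECT rewrites it (dport 80 -> 8080) and the mapping is
# stored in the conntrack entry; every later packet of that connection,
# including tomcat's replies, is translated from the entry (sport 8080 -> 80
# on the way out).  Nothing is left for a rule to do.

IPT="${IPT:-iptables}"          # set IPT=echo to print the rules instead of loading them
HTTP_PORT="${HTTP_PORT:-80}"
TOMCAT_PORT="${TOMCAT_PORT:-8080}"

apply_rules() {
    # Start clean in both the filter and the nat table.
    "$IPT" -F
    "$IPT" -X
    "$IPT" -t nat -F
    "$IPT" -t nat -X

    # Default deny inbound; OUTPUT is left open, as in the post.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    "$IPT" -A INPUT -i lo -j ACCEPT

    # Packets belonging to a connection already accepted.  The redirected
    # HTTP connection is tracked as one connection, so its later packets
    # (client ACKs, request body, retransmits) are accepted here.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    "$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT

    # PREROUTING handles packets arriving from the network; nat OUTPUT handles
    # connections the box makes to itself (e.g. curl http://127.0.0.1/), which
    # never traverse PREROUTING.
    "$IPT" -t nat -A PREROUTING -p tcp --dport "$HTTP_PORT" -j REDIRECT --to-ports "$TOMCAT_PORT"
    "$IPT" -t nat -A OUTPUT -o lo -p tcp --dport "$HTTP_PORT" -j REDIRECT --to-ports "$TOMCAT_PORT"

    # Accept the redirected packets.  Matching the DNAT status bit instead of
    # a bare --dport 8080 means only connections that went through the
    # REDIRECT are accepted; a client connecting straight to port 8080 from
    # the network still hits the DROP policy.
    "$IPT" -A INPUT -p tcp --dport "$TOMCAT_PORT" -m conntrack --ctstate DNAT -j ACCEPT

    # Log what falls through, then let the policy drop it.
    "$IPT" -A INPUT -m pkttype ! --pkt-type broadcast -j LOG --log-prefix "Dropped by default: "
}

# After loading the rules, the mapping can be observed with the conntrack
# tool (package conntrack-tools) while a client is connected:
#   conntrack -L -p tcp --dport 80
# The entry shows the original tuple with dport=80 and the reply tuple with
# sport=8080; the kernel rewrites replies from that second tuple.

case "${1:-}" in
    apply) apply_rules ;;
    show)  IPT=echo; apply_rules ;;
esac
```

Run with "show" to print the rules, or "apply" as root to load them. Two things worth knowing about the SNAT attempt in the post: SNAT's --to-source takes an address with an optional port (address:port), not a bare port, and a POSTROUTING rule matching --dport 8080 would never see tomcat's replies anyway, since those carry 8080 as their source port; it would instead match connections this host opens to port 8080 elsewhere.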
