LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Problem with iptables redirect on RHEL 6 (http://www.linuxquestions.org/questions/linux-networking-3/problem-with-iptables-redirect-on-rhel-6-a-892365/)

GriffGeorge 07-18-2011 04:16 PM

Problem with iptables redirect on RHEL 6
 
I have a doozy of a first post. Hopefully the solution is simple, but I have run out of ideas.

Environment:

I have a virtual environment, RHEL6 minimal install. On that, I am trying to run Liferay6 on Tomcat6 for the purpose of writing prototype business portals. I used the Liferay+Tomcat bundle downloaded from the Liferay website.

For security reasons, the server can only be accessed through port 80, and Tomcat listens on 8080. (I know I can run it so that it listens on another port, but I'd like it on 8080)

Goal:

Use iptables to forward traffic destined for 80 to port 8080.

What I Did:

Configure nat to forward tcp packets from 80 to 8080:
Code:

[root@rhel6-template scratch]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
List the nat iptable:
Code:

[root@rhel6-template scratch]# iptables -L -t nat -nv
Chain PREROUTING (policy ACCEPT 94 packets, 7176 bytes)
 pkts bytes target    prot opt in    out    source              destination
  27  1404 REDIRECT  tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT 348 packets, 25893 bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain OUTPUT (policy ACCEPT 348 packets, 25893 bytes)
 pkts bytes target    prot opt in    out    source              destination

What Happens:

FYI: X.X.X.X is the internal IP address.

wget to 80 doesn't work:
Code:

[root@rhel6-template scratch]# wget X.X.X.X:80
--2011-07-18 12:10:26--  http://X.X.X.X/
Connecting to X.X.X.X:80... failed: Connection refused.

What I Already Checked:

Tomcat did start normally. Logs show no errors, and specify that Coyote HTTP/1.1 is initialized on http-8080. I can provide this log if need be.

Tomcat is listening on port 8080:
Code:

[root@rhel6-template scratch]# ss -ln
Recv-Q Send-Q                Local Address:Port                  Peer Address:Port
0      50                              :::8009                            :::*
0      100                              :::8080                            :::*
0      128                              :::22                              :::*
0      128                              *:22                              *:*
0      100                            ::1:25                              :::*
0      100                      127.0.0.1:25                              *:*
0      1                  ::ffff:127.0.0.1:8005                            :::*

wget to 8080 works fine. Nobody else will be able to access this server through this port though.
Code:

[root@rhel6-template scratch]# wget X.X.X.X:8080
--2011-07-18 12:08:10--  http://X.X.X.X:8080/
Connecting to X.X.X.X:8080... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://X.X.X.X:8080/web/guest;jsessionid=7CB74EA3DE92ABBA39275F623AD99C3D [following]
--2011-07-18 12:08:10--  http://X.X.X.X:8080/web/guest;jsessionid=7CB74EA3DE92ABBA39275F623AD99C3D
Connecting to X.X.X.X:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30326 (30K) [text/html]
Saving to: `guest;jsessionid=7CB74EA3DE92ABBA39275F623AD99C3D'

100%[=======================================================================>] 30,326      --.-K/s  in 0.005s

2011-07-18 12:08:12 (6.38 MB/s) - `guest;jsessionid=7CB74EA3DE92ABBA39275F623AD99C3D'

I get the same negative result on the VM on the server as I get on a RHEL6 VM on my laptop.

The iptables method that I described above does in fact work with Liferay6 on Tomcat6 on Ubuntu 10.10.

I have looked at this thread. I appear to have tried everything that was mentioned there.

Actual Question:

I would like to know how to effectively forward 80 to 8080 on RHEL6, so that I can access Liferay on Tomcat (listening on 8080) at 80.

Any help is appreciated. I probably forgot the smallest thing. Also, feedback on the format of my first ever forum post (anywhere, not just on LQ) is very welcome indeed.

Thanks,
Griff

acid_kewpie 07-18-2011 04:25 PM

NAT is only part of the iptables involvement. What is your filter table looking like? You may well still need to permit access to 8080, as your NAT will occur before the input table is hit. Additionally, as you are getting a refused, not a timeout, something explicitly doesn't want you there.

GriffGeorge 07-18-2011 05:19 PM

I'm pretty new at this, but it looks like it will reject any new tcp connections not for ssh.

Code:

[root@rhel6-template /]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
  224 18111 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 ACCEPT    icmp --  *      *      0.0.0.0/0            0.0.0.0/0         
    0    0 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0         
    1    60 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
    8  256 REJECT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 REJECT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 132 packets, 17477 bytes)
 pkts bytes target    prot opt in    out    source              destination

I suppose if I were to hazard a guess, I would probably run this:

Code:

iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
...after which, the filter table looks like this:

Code:

[root@rhel6-template scratch]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
    1    60 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80
 2160  202K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 ACCEPT    icmp --  *      *      0.0.0.0/0            0.0.0.0/0         
    2  120 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0         
    1    60 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
  13  416 REJECT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 REJECT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 16 packets, 2316 bytes)
 pkts bytes target    prot opt in    out    source              destination

... and unfortunately my wget still fails:

Code:

[root@rhel6-template scratch]# wget X.X.X.X
--2011-07-18 18:14:55--  http://X.X.X.X/
Connecting to X.X.X.X:80... failed: Connection refused.

I must be missing something... any ideas?

Thanks for your quick reply.
Griff

acid_kewpie 07-19-2011 12:16 AM

Look at this: http://borg.uu3.net/iptables/iptables.gif See how the nat PREROUTING chain is BEFORE the INPUT chain? So INPUT will see a destination port of 8080, not 80.

GriffGeorge 07-19-2011 07:41 AM

Thank you for including the flowchart, it gave me some perspective I didn't have before.

Ok, I rebooted so that I started with a clean configuration. I ran these:

Code:

[root@rhel6-template scratch]# iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
[root@rhel6-template scratch]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT

... after which NAT looked like this:

Code:

[root@rhel6-template scratch]# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 2 packets, 64 bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 REDIRECT  tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT 2 packets, 120 bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 2 packets, 120 bytes)
 pkts bytes target    prot opt in    out    source              destination

... and filter looked like this:

Code:

[root@rhel6-template scratch]# iptables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
    1    60 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:8080
 1038  108K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 ACCEPT    icmp --  *      *      0.0.0.0/0            0.0.0.0/0         
    1    60 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0         
    1    60 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
    3    96 REJECT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 REJECT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 333 packets, 84243 bytes)
 pkts bytes target    prot opt in    out    source              destination

... and unfortunately I still get the connection refused error when I try to wget... :( I was really excited there for a minute, I really thought it was going to work finally.

While reading the iptables man page, I came across this paragraph:

Code:

REDIRECT
      This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those  chains.
      It  redirects  the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated
      packets are mapped to the 127.0.0.1 address).

What is the difference between the destination IP and the primary address of the incoming interface? I would have thought that the destination IP already was the primary address of the incoming interface. At this point I'm just looking for any small detail I've overlooked.

Thanks again for your ongoing help.
Griff
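As an added illustration (my own code, not from the thread or any of its posters), here is a small Python model of the packet path that the linked flowchart and the quoted REDIRECT man-page paragraph describe: nat PREROUTING rewrites the destination port before filter INPUT ever sees the packet, so an INPUT rule for dport 80 never matches redirected traffic, while one for dport 8080 does. The INPUT chain and the listening ports are transcribed from the `iptables -L -nv` and `ss -ln` output above. The example goes one step beyond the thread: following the man page's remark that REDIRECT is also valid in the nat OUTPUT chain for locally-generated packets, it also traces a request sent from the box itself, which never traverses PREROUTING. The interface name `eth0`, the `IFACE_ADDR` table and the `X.X.X.X` placeholder are constructed assumptions; the ICMP rule is omitted because only TCP is modelled.

```python
"""Model of the iptables chain order discussed in the thread (added example).
Packets arriving on an interface: nat PREROUTING -> routing -> filter INPUT.
Locally-generated packets: nat OUTPUT -> loopback -> filter INPUT."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    dport: int
    dst_ip: str
    in_iface: str               # interface the packet arrives on ("lo" for loopback)
    state: str = "NEW"          # conntrack state as matched by -m state
    local_origin: bool = False  # generated on this host (nat OUTPUT path, not PREROUTING)

@dataclass
class Rule:
    target: str                        # ACCEPT, REJECT or REDIRECT
    match: Callable[[Packet], bool]
    to_port: Optional[int] = None      # for REDIRECT --to-port

# Constructed assumption: primary address of each interface ("X.X.X.X" as in the thread)
IFACE_ADDR: Dict[str, str] = {"eth0": "X.X.X.X", "lo": "127.0.0.1"}

# Transcribed from the thread's `ss -ln`: ports that have a listener
LISTENING = {8009, 8080, 22, 25, 8005}

def run_chain(chain: List[Rule], pkt: Packet, policy: str) -> Tuple[str, Packet]:
    """First matching rule wins; an unmatched packet gets the chain policy."""
    for rule in chain:
        if not rule.match(pkt):
            continue
        if rule.target == "REDIRECT":
            # Man page: destination becomes the primary address of the incoming
            # interface; locally-generated packets are mapped to 127.0.0.1.
            new_ip = "127.0.0.1" if pkt.local_origin else IFACE_ADDR[pkt.in_iface]
            return "ACCEPT", replace(pkt, dst_ip=new_ip, dport=rule.to_port)
        return rule.target, pkt
    return policy, pkt

def deliver(nat_prerouting: List[Rule], nat_output: List[Rule],
            filter_input: List[Rule], pkt: Packet) -> str:
    """Trace a packet addressed to this host and report what the client sees:
    'accepted' (a listening socket got it), 'refused' (filter accepted, but no
    listener on that port, so the kernel answers with a TCP RST) or
    'rejected:icmp-host-prohibited' (the filter REJECT rule fired)."""
    if pkt.local_origin:
        # Locally-generated traffic is NATed in nat OUTPUT, never in PREROUTING,
        # and then reaches filter INPUT over the loopback interface.
        _, pkt = run_chain(nat_output, pkt, "ACCEPT")
    else:
        _, pkt = run_chain(nat_prerouting, pkt, "ACCEPT")
    # Routing decision: the destination is local, so filter INPUT comes next.
    verdict, pkt = run_chain(filter_input, pkt, "ACCEPT")
    if verdict == "REJECT":
        return "rejected:icmp-host-prohibited"
    return "accepted" if pkt.dport in LISTENING else "refused"

# The thread's `-t nat ... -p tcp --dport 80 -j REDIRECT --to-port 8080`
REDIRECT_80_TO_8080 = [Rule("REDIRECT", lambda p: p.dport == 80, to_port=8080)]

def rhel6_default_input(extra_new_port: int) -> List[Rule]:
    """The stock RHEL 6 INPUT chain shown in the thread, with one rule inserted
    at the top: -I INPUT -m state --state NEW -p tcp --dport <port> -j ACCEPT."""
    return [
        Rule("ACCEPT", lambda p, port=extra_new_port: p.state == "NEW" and p.dport == port),
        Rule("ACCEPT", lambda p: p.state in ("RELATED", "ESTABLISHED")),
        Rule("ACCEPT", lambda p: p.in_iface == "lo"),
        Rule("ACCEPT", lambda p: p.state == "NEW" and p.dport == 22),
        Rule("REJECT", lambda p: True),   # reject-with icmp-host-prohibited
    ]

def remote_request(dport: int) -> Packet:
    return Packet(dport=dport, dst_ip="X.X.X.X", in_iface="eth0")

def local_request(dport: int) -> Packet:
    return Packet(dport=dport, dst_ip="X.X.X.X", in_iface="lo", local_origin=True)

def scenarios() -> Dict[str, str]:
    """The situations discussed in the thread, plus the local-origin case."""
    return {
        # First attempt: INPUT opened for dport 80, but INPUT runs after REDIRECT
        "remote, INPUT accepts 80":
            deliver(REDIRECT_80_TO_8080, [], rhel6_default_input(80), remote_request(80)),
        # Second attempt: INPUT opened for the post-NAT port 8080
        "remote, INPUT accepts 8080":
            deliver(REDIRECT_80_TO_8080, [], rhel6_default_input(8080), remote_request(80)),
        # Request issued on the box itself: nat PREROUTING is never consulted
        "local, no nat OUTPUT rule":
            deliver(REDIRECT_80_TO_8080, [], rhel6_default_input(8080), local_request(80)),
        # Same, with the man page's other REDIRECT location, nat OUTPUT
        "local, REDIRECT also in nat OUTPUT":
            deliver(REDIRECT_80_TO_8080, REDIRECT_80_TO_8080,
                    rhel6_default_input(8080), local_request(80)),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:40s} -> {outcome}")
```

Two outcomes are worth telling apart when reading the model's output against a real test: the filter REJECT rule produces an ICMP host-prohibited error, whereas a plain "Connection refused" is a TCP RST, which the kernel sends when the filter table let the packet through but nothing is listening on the destination port it ended up with.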

doenamann 04-26-2012 05:35 AM

Check the file
Code:

/etc/sysconfig/selinux
and look if the entry
Code:

SELINUX=enforcing
exists. If you don't need SELinux, set the property to disabled and everything should work.
