LinuxQuestions.org
Old 04-19-2005, 06:06 PM   #1
Tazix
LQ Newbie
 
Registered: Apr 2005
Posts: 5

Rep: Reputation: 0
Firewall / iptables / tomcat problem


Hi,

I'm trying to get a minimal installation of Fedora Core 3 (no Xwindows) to work with the installed redhat firewall and tomcat (as a non-root user).

Basically... I need the iptables config file to redirect port 80 to port 8080.

After searching on the net... the following commands don't seem to work:

Code:
iptables -t nat -A PREROUTING -d your hostname -p tcp --dport 80 -j REDIRECT --to-ports 8080
nor
Code:
iptables -t nat -I PREROUTING --src 0/0 --dst yourip -p tcp --dport 80 -j REDIRECT --to-ports 8080
(of course I have the correct hostname or ip addresses in those commands).

My iptables config file in /etc/sysconfig is:
Code:
#Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT  [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A  INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Any info on how to get port 80 to redirect to 8080 (preferably in the iptables config) and work with the standard firewall being operational would be greatly appreciated.

Thanks.
 
Old 04-19-2005, 06:16 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
you need to add an INPUT rule for the redirected packets... for example:

Code:
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 \
-j REDIRECT --to-ports 8080

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p TCP --dport 8080 -m state --state NEW -j ACCEPT
just my two cents...


Last edited by win32sux; 04-19-2005 at 06:20 PM.
 
Old 04-19-2005, 06:50 PM   #3
Tazix
LQ Newbie
 
Registered: Apr 2005
Posts: 5

Original Poster
Rep: Reputation: 0
Thanks for the reply, but that didn't work either.

I only have one NIC (eth0), so I think that's why I can't get nat tables.

After entering those commands (with eth0 instead)... all I see with iptables -L is the filter table chains.... nothing for the nat table. I run tomcat as a tomcat user... and get connection refused when I try to http to it from another machine.
 
Old 04-19-2005, 10:36 PM   #4
lihmin
LQ Newbie
 
Registered: Sep 2003
Location: Singapore
Posts: 23

Rep: Reputation: 15
iptables -t nat -L
 
Old 04-20-2005, 11:06 AM   #5
Tazix
LQ Newbie
 
Registered: Apr 2005
Posts: 5

Original Poster
Rep: Reputation: 0
Ok... I got it working sort of...

I changed the /etc/sysconfig/iptables file to this:
Code:
#Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT  [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A  INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
and the command line:
Code:
#iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 80 -j REDIRECT --to-ports 8080
And that works.

Now I need to figure out how to get that command line in the config file, since obviously the config file doesn't need the command "iptables bla blah" up to the -A portion.
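The piece this post leaves open is putting the REDIRECT into /etc/sysconfig/iptables itself. As an added example that is not from the thread, the shell function below prints the whole file in the iptables-restore format that file uses, with a *nat section ahead of the *filter section, and a second function checks that the filter table accepts the port the packets carry after redirection (INPUT is evaluated after nat PREROUTING, which is why the original file's ACCEPT for port 80 was the wrong port). The interface and port arguments, the function names and the trimmed filter rule set are my assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: emit a complete /etc/sysconfig/iptables
# with the REDIRECT in a *nat section of the same file, so that
# "service iptables restart" loads it without a helper script.
# Only the filter rules relevant here are kept (the icmp, ESP/AH, mDNS and
# ipp rules from the posted file are omitted for brevity).
redirect_config() {
  iface=$1; pub_port=$2; app_port=$3   # e.g. eth0 80 8080
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the destination port before routing; REDIRECT keeps the box's own address
-A PREROUTING -i $iface -p tcp -m tcp --dport $pub_port -j REDIRECT --to-ports $app_port
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# INPUT runs after nat PREROUTING, so the redirected packet now has dport $app_port
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $app_port -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Consistency check: every REDIRECT target port needs an ACCEPT in the filter
# table, otherwise the redirected SYN falls through to the final REJECT and
# the client never reaches Tomcat. Returns 0 when the config is consistent.
check_redirect_targets() {
  cfg=$1
  for port in $(printf '%s\n' "$cfg" | sed -n 's/.*-j REDIRECT --to-ports \([0-9]*\).*/\1/p'); do
    printf '%s\n' "$cfg" | grep -q -- "--dport $port .*-j ACCEPT" || return 1
  done
  return 0
}

# Usage: redirect_config eth0 80 8080 > /etc/sysconfig/iptables && service iptables restart
```

Connections opened from the host itself do not pass through PREROUTING, so testing with a client on the same machine needs the equivalent rule in the nat OUTPUT chain (`-A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports 8080`). Lines beginning with `#` are ignored by iptables-restore, so the comments can stay in the file.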
 
Old 04-20-2005, 12:29 PM   #6
Tazix
LQ Newbie
 
Registered: Apr 2005
Posts: 5

Original Poster
Rep: Reputation: 0
NM... I just put the iptables command line in the script I made that starts tomcat at boot-up time.

Thanks for the replies.
 