Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
03-14-2014, 11:53 AM | #1 | LQ Newbie (Registered: Sep 2011, Posts: 16)
Port forwarding question
Greetings:
I need to understand something about port forwarding.
If I have an http server listening on port A, and I want the machine my server is running on to listen on port B, then I would set up the firewall to forward incoming http requests from port B to port A.
If I do that, what port does the http response go out on? Does it go out on port A, where the request was received by the http server, or does it get automatically forwarded back to port B (where the machine received it) before returning to the HTTP client?
What is most important is: does the client receive the response on port B or port A?
If it receives the response on port A, is there some way to change the HTTP response so that it goes out on port B?
Someone please advise...
03-14-2014, 12:16 PM | #2 | Senior Member (Registered: Jul 2004, Location: Skuttunge SWEDEN, Distribution: Debian preferably, Posts: 1,350)
Quote (Originally Posted by factor3):
...what port does the http response go out on? Does it go out on port A, where the request was received by the http server, or does it get automatically forwarded back to port B (where the machine received it) before returning to the HTTP client?
It's the port the http server is listening on.
Quote (Originally Posted by factor3):
What is most important is: does the client receive the response on port B or port A?
-----
If it receives the response on port A, is there some way to change the HTTP response so that it goes out on port B?
This is a misunderstanding. The client receives the reply on a random port; it has nothing to do with what port the webserver uses.
But the client will always talk to the "original" ip & port, that is port B in your example.
03-14-2014, 12:31 PM | #3 | Senior Member (Registered: Jul 2004, Location: Skuttunge SWEDEN, Distribution: Debian preferably, Posts: 1,350)
This got a bit confused.
Let me take another example:
* http server (apache) runs on webserver1. It listens on non-standard port 81. It has a private ip 192.168.0.2
* Firewall has one public ip, 80.81.82.3
On the firewall is a port-forward (aka NAT) rule; it forwards requests on WAN ip 80.81.82.3 port 80 to webserver1 on port 81. 80.81.82.3:80 -> 192.168.0.2:81
This works fine; from the internet you access the web pages on 80.81.82.3:80 (you don't really need the port here as HTTP requests go to port 80 by default).
BUT! If you now put your computer on the inside, for example using VPN, you can access webserver1 on its private ip 192.168.0.2.
Now you have to use port 81 from the client, so the address to use will be 192.168.0.2:81
You can not reach the server on port 80 - unless it listens on that port as well.
Just remember, many web-applications are configured to use a specific port. For example, in Wordpress you have to specify in its configuration what port is being used for it, all links will use that port.
So if your Wordpress uses port 81 - which you have to do to access the site from outside - then you might be able to reach it on 192.168.0.2:80 but all links will be rewritten to 192.168.0.2:81
03-14-2014, 01:32 PM | #4 | LQ Newbie, Original Poster (Registered: Sep 2011, Posts: 16)
Thanks, Pingu, for the information. It is of great help.
The reason I was asking the questions that I was is because I have an http server which is listening on port 8080 (for security reasons I won't run it on port 80) and I have configured my machine's firewall to forward http requests from port 80 to port 8080.
In order to make everything work, I had to open port 80 *and* port 8080. If I left port 8080 closed, I was not getting the responses to the http requests (I was getting server timeout failures). Now, I can send requests to both ports and access the site.
The problem is that I have a customer who wants to access the site, but he cannot. I attempted to access it from within his network, and was getting server timeout failures. If I access the site from anywhere else, I have no problems. Only when I am at his office is it impossible to access my site.
After talking with him for a while, I found that he has a very strict network firewall that has port 8080 closed (it listens on port 80 and a few other ports, but 8080 is closed). We are not sure, but we thought that there was a need to reroute the http responses back to port 80 in order for him to be able to receive them (he absolutely refuses to open port 8080).
That is why I was asking the questions I was asking. I am trying to figure out why this particular person cannot access my website. If his browser is using some "random" port to receive the http responses, then our theory is likely wrong. Yet I did have to open that port on my system in order to receive http responses from my server...
I need to know how to enable him to actually be able to receive my http responses. Do you (or anyone else) have any ideas on how to do this?
03-14-2014, 01:42 PM | #5 | LQ Guru (Registered: Nov 2010, Location: Colorado, Distribution: OpenSUSE, CentOS, Posts: 5,573)
Are you sure it's the responses that are getting blocked, rather than the requests? Have you tried to set up a logging system on your server that writes out whenever it receives a request? It sounds more like his firewall is blocking his request attempts on 8080, and they're never even reaching your system.
03-14-2014, 01:46 PM | #6 | LQ Guru (Registered: Nov 2010, Location: Colorado, Distribution: OpenSUSE, CentOS, Posts: 5,573)
This:
Quote (Originally Posted by factor3):
The reason I was asking the questions that I was is because I have an http server which is listening on port 8080 (for security reasons I won't run it on port 80) and I have configured my machine's firewall to forward http requests from port 80 to port 8080.
Needs some clarification. Your http server is listening on 8080 internally for security reasons. Then your firewall is forwarding anything coming in on port 80 to your server at 8080? Doesn't that just bypass your entire reason for running the server on 8080? People can still access your server on port 80, they don't know and don't care that internally it's using 8080, it makes no difference to them because THEY'RE interfacing with 80, and your "security" concerns are shot.
03-14-2014, 02:06 PM | #7 | Senior Member (Registered: Jul 2004, Location: Skuttunge SWEDEN, Distribution: Debian preferably, Posts: 1,350)
Quote (Originally Posted by factor3):
... (for security reasons I won't run it on port 80) and I have configured my machine's firewall to forward http requests from port 80 to port 8080.
This is a common misunderstanding, but there is absolutely no extra security in this. You still reach your webserver via port 80! If you want to hide it then forward some other port, like for instance 8080. But honestly, it is very easy to find out what ports are open so you don't gain much in doing this.
Quote (Originally Posted by factor3):
In order to make everything work, I had to open port 80 *and* port 8080. If I left port 8080 closed, I was not getting the responses to the http requests (I was getting server timeout failures). Now, I can send requests to both ports and access the site.
I think, my friend, you have mixed things up here.
If you forward port 8080 to port 80, there is no need to open port 80 in the firewall.
(You will of course need to open port 80 on the webserver.)
BUT!: "Now, I can send requests to both ports and access the site." Aha, so you can access the webserver from internet on port 80!
Quote (Originally Posted by factor3):
The problem is that I have a customer who wants to access the site, but he cannot.
...
he has a very strict network firewall that has port 8080 closed (it listens on port 80 and a few other ports, but 8080 is closed). We are not sure, but we thought that there was a need to reroute the http responses back to port 80 in order for him to be able to receive them (he absolutely refuses to open port 8080).
But this is wrong!
You have forwarded port 80 to port 8080 - port 80 is the one used from internet!
Quote (Originally Posted by factor3):
That is why I was asking the questions I was asking. I am trying to figure out why this particular person cannot access my website. If his browser is using some "random" port to receive the http responses, then our theory is likely wrong. Yet I did have to open that port on my system in order to receive http responses from my server...
I need to know how to enable him to actually be able to receive my http responses. Do you (or anyone else) have any ideas on how to do this?
This is not the problem. Firewalls are to allow replies; established connections are never blocked.
03-14-2014, 02:10 PM | #8 | Senior Member (Registered: Jul 2004, Location: Skuttunge SWEDEN, Distribution: Debian preferably, Posts: 1,350)
What kind of websites is your webserver hosting - is it Wordpress sites, some other cms, or what?
Take a look at what I wrote in the last half of my second reply, could that be the cause? Since you have to open both port 80 AND 8080 in firewall - I guess you NAT'ed both?
A bit more clear maybe: He accesses your website on port 80, but when he clicks on any link he is directed to port 8080 (since this is configured for WP or whatever) - and port 8080 is blocked in his firewall outgoing.
Last edited by pingu; 03-14-2014 at 02:14 PM.
03-14-2014, 02:27 PM | #9 | LQ Newbie, Original Poster (Registered: Sep 2011, Posts: 16)
suicidaleggroll:
Actually, I know that it is not his actual access that is being blocked, because he can pretty much access every other website except mine. If he couldn't access mine, he would get "cannot connect" failures, not "server timeout" failures.
The "server" I am using is Tomcat, which logs every request it receives. I am seeing the requests come in and the responses being generated.
So I know he is accessing the server on port 80 -- as he should be. He simply is not receiving the responses.
As for my security reasons for this setup, I am not "protecting" any ports, I am protecting my system. Port 80 is one of several ports that, on a Linux system, cannot be used by any applications that do not have root access. It is common knowledge that running any server as root creates a security hole, because if a hacker was to compromise that application they would get root privileges.
I am running my server as someone other than root, but also want to still use port 80 because that is the standard HTTP port (making non-technical customers have to remember port numbers in URLs is bad for business because it looks unprofessional). Setting up port forwarding from 80 to the port your application is using is the standard procedure for letting your server use port 80 without creating a potential security hole that could be used to compromise your entire system.
Consequently, allowing people to access my server on port 80 does not cause my security concerns to be "shot", because I am not attempting to prevent "regular" use of my server. I *want* people to access my server through port 80, but I don't want to give hackers a chance to screw up my system by compromising a process that is being run as root. My system is more secure because I am running the server as a user other than root which has very limited privileges. My setup makes things *more* secure, not less.
Unfortunately, this leads back to the problem my customer has. His network firewall blocks port 8080, and I have been suspecting that my server is replying to requests on that port, even though it is receiving the requests on port 80. Is my suspicion correct? If so, how can I make my firewall send responses on port 80 instead of 8080?
03-14-2014, 02:36 PM | #10 | Senior Member (Registered: Jul 2004, Location: Skuttunge SWEDEN, Distribution: Debian preferably, Posts: 1,350)
But you are wrong! The normal procedure is to run the webserver under a user other than root on port 80! The initial process is started by root, that's correct, but the webserver itself runs under 'www-data' or 'apache' (to take the 2 most common usernames from what I've seen).
Could you please reply to my previous post, I strongly believe that is where the problem lies.
03-14-2014, 02:49 PM | #11 | LQ Newbie, Original Poster (Registered: Sep 2011, Posts: 16)
Clarification
Pingu:
No, he is not getting links that go to port 8080. He isn't getting anything. He is successfully sending an http request to my server but not receiving the response.
In other words:
When you enter the URL to my website into your browser, your browser will receive and render the page without problems.
When my customer (or anyone else) enters my URL into his browser from his office, the browser spins for several minutes, then generates an error that says that "the server at <my URL> is taking too long to respond".
When this same customer enters my URL from anywhere other than his office, his browser receives and renders my web page without problems.
The server being used is Tomcat -- but that is irrelevant. In order to get the port forwarding working properly, I originally set everything up using the Apache server (standard httpd) after configuring it to listen on port 8080. I had to open port 8080 to get *Apache* working, and later when I shut Apache down and started Tomcat, I had to keep it open.
I have switched between Apache and Tomcat (when one is running the other is off), and my customer has the same problem, regardless of the server used. The problem is not an unusual server (and Tomcat is not unusual in any event!) -- and since my page can be accessed from everywhere else *except* my customer's office, the problem has to be connected with my customer's network firewall settings.
That is why I am asking the questions I am asking. It is looking like I need to somehow forward my http responses to port 80. That is the only thing that seems to make sense.
I just need to find out how to do that...
03-14-2014, 02:55 PM | #12 | LQ Newbie, Original Poster (Registered: Sep 2011, Posts: 16)
No, Pingu, *you* are wrong
You are correct: the correct procedure is to run a server as a user other than root.
But on Linux systems, the only way you can get a server to successfully use port 80 is to run it as root.
My server is not a regular service like httpd. It is an application. And your view of the problem is not correct. See my entry to you titled "clarification" to know more...
Last edited by factor3; 03-14-2014 at 03:07 PM. Reason: Clarification
03-14-2014, 03:03 PM | #13 | LQ Newbie, Original Poster (Registered: Sep 2011, Posts: 16)
OOPS... almost forgot
I forgot to mention that the Tomcat server cannot be run the same way you run Apache or other Linux services, because Tomcat is a Java application that can only be started from the command line. The standard procedure for running Tomcat securely is to do what I have done: forward the port to 8080 and run Tomcat as someone other than root.
And check out my reply to suicidaleggroll. As I explained there, I am not protecting ports. I am protecting my system...
Last edited by factor3; 03-14-2014 at 03:05 PM.
03-14-2014, 03:08 PM | #14 | Senior Member (Registered: Jul 2004, Location: Skuttunge SWEDEN, Distribution: Debian preferably, Posts: 1,350)
I believe his firewall is blocking outgoing traffic, with some exceptions.
Normally outgoing traffic is allowed, but in very secured environments outgoing traffic is filtered as well.
Thinking again, maybe not? "the server at <my URL> is taking too long to respond".
Can you check the logs on his firewall? It could be that the replies from your webserver are not recognized as replies to a legitimate request, and therefore they are blocked.
What firewall is it? Make, model?
"It is looking like I need to somehow forward my http responses to port 80. That is the only thing that seems to make sense." No, this is not the case. I can understand why you're looking at this, but it will get you nowhere.
This is the procedure:
Client sends a request to http://my.web.com. This is delivered to port 80 on relevant server. The port used on the client however, is almost never port 80 - it's just a random port opened for this communication.
Then your webserver replies to clients ip & random port number. The clients firewall shall have a rule to accept established connections.
This problem of yours is very confusing and interesting! :-)
Now Tomcat normally listens on port 8080; you can run it stand-alone or under a webserver.
You need port 8080 open in the webserver's firewall if you're running Tomcat on the default port; also you have configured apache to listen on port 8080 - this means you can't run Tomcat & Apache simultaneously.
Is there any chance you could get the firewall config from your friend - he who can't access your site?
Last edited by pingu; 03-14-2014 at 03:13 PM.
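The exchange Pingu describes in post #3 and post #14 (DNAT port-forward on the perimeter, the web server answering from its listening port to the client's random port, conntrack restoring the public ip:port on the way back, and a strict office firewall admitting only replies to flows it saw go out), as an added Python model that is not code from this thread. It uses the firewall and server addresses from post #3 with the OP's ports (80 forwarded to 8080), and assumes, as post #8 guesses, that both 80 and 8080 are NATed to the server. The client address 203.0.113.7, the client ports, and the office firewall's outbound allow-list {80, 443} are constructed assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:           # enough of the TCP/IP header to follow one flow
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatFirewall:
    """Perimeter firewall: DNAT port-forward rules plus a conntrack table."""
    def __init__(self, rules):
        self.rules = rules    # (public_ip, public_port) -> (private_ip, private_port)
        self.conntrack = {}   # (client_ip, client_port, priv_ip, priv_port) -> public endpoint
    def inbound(self, pkt):
        target = self.rules.get((pkt.dst_ip, pkt.dst_port))
        if target is None:
            return None       # no forward rule for this port: dropped
        priv_ip, priv_port = target
        self.conntrack[(pkt.src_ip, pkt.src_port, priv_ip, priv_port)] = (pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
    def outbound(self, pkt):
        # Server reply: restore the public ip:port the client originally talked to as the source
        pub = self.conntrack.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pub is None:
            return None
        return Packet(pub[0], pub[1], pkt.dst_ip, pkt.dst_port)

class StatefulClientFirewall:
    """Office firewall: outbound only to listed ports; inbound only replies to established flows."""
    def __init__(self, allowed_out_ports):
        self.allowed = set(allowed_out_ports)
        self.established = set()
    def egress(self, pkt):
        if pkt.dst_port not in self.allowed:
            return False
        self.established.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return True
    def ingress(self, pkt):
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.established

def fetch(client_fw, nat_fw, client_ip, client_port, public_ip, public_port):
    """One request/response round trip; returns the reply the client receives, or None."""
    req = Packet(client_ip, client_port, public_ip, public_port)
    if not client_fw.egress(req):
        return None           # strict outbound policy: the request never leaves the office
    at_server = nat_fw.inbound(req)
    if at_server is None:
        return None
    # The web server answers from the port it listens on, to the client's random port
    reply = Packet(at_server.dst_ip, at_server.dst_port, at_server.src_ip, at_server.src_port)
    on_wire = nat_fw.outbound(reply)
    if on_wire is None or not client_fw.ingress(on_wire):
        return None
    return on_wire

if __name__ == "__main__":
    nat = NatFirewall({("80.81.82.3", 80): ("192.168.0.2", 8080), ("80.81.82.3", 8080): ("192.168.0.2", 8080)})
    office = StatefulClientFirewall({80, 443})   # customer's firewall: 8080 blocked outbound
    print(fetch(office, nat, "203.0.113.7", 51515, "80.81.82.3", 80))    # reply comes from :80
    print(fetch(office, nat, "203.0.113.7", 51516, "80.81.82.3", 8080))  # None
```

Run as a script, the port-80 fetch returns a reply whose source is 80.81.82.3:80 (never 8080) and the port-8080 fetch returns None because the office firewall drops the request on egress; a silent drop like that produces the "taking too long to respond" timeout, whereas a reject would give an immediate connection error.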
03-14-2014, 03:38 PM | #15 | LQ Newbie, Original Poster (Registered: Sep 2011, Posts: 16)
Tomcat can actually be run with Apache, but I refuse to do so because one of the first things I learned when studying network security is just how easily it can be compromised -- especially if it is handling dynamic content like perl or PHP scripts. Yes, you can set it up to run as one of the standard Linux users, but even if you do I know of too many exploits that can be performed against even the latest version. Consequently, for the web apps I want to run, it is more secure to run Tomcat standalone the way I am running it. The latest Java JVM has eliminated the security holes that previous versions have (and believe me: as part of my dissertation I have been testing Apache, Tomcat, and the JVM). At this point Tomcat standalone is my best choice from a security standpoint.
As for my customer: I believe his firewall is from Juniper. It is worth checking out his logs to see exactly what his firewall is doing when he attempts to access my site.
Let me see what I can do about getting them...
Last edited by factor3; 03-14-2014 at 03:38 PM. Reason: Typos