LinuxQuestions.org
Old 03-14-2014, 11:53 AM   #1
factor3
LQ Newbie
 
Registered: Sep 2011
Posts: 16

Port forwarding question


Greetings:

I need to understand something about port forwarding.

If I have an http server listening on port A, and I want the machine my server is running on to listen on port B, then I would set up the firewall to forward incoming http requests from port B to port A.

If I do that, what port does the http response go out on? Does it go out on port A, where the request was received by the http server, or does it get automatically forwarded back to port B (where the machine received it) before returning to the HTTP client?

What is most important is: does the client receive the response on port B or port A?

If it receives the response on port A, is there some way to change the HTTP response so that it goes out on port B?

Someone please advise...
 
Old 03-14-2014, 12:16 PM   #2
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

Quote:
Originally Posted by factor3
...what port does the http response go out on? Does it go out on port A, where the request was received by the http server, or does it get automatically forwarded back to port B (where the machine received it) before returning to the HTTP client?
It's the port the http server is listening on.
Quote:
What is most important is: does the client receive the response on port B or port A?
-----
If it receives the response on port A, is there some way to change the HTTP response so that it goes out on port B?
This is a misunderstanding. The client receives the reply on a random port, it has nothing to do with what port the webserver uses.
But the client will always talk to the "original" ip & port, that is port B in your example.
 
Old 03-14-2014, 12:31 PM   #3
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

This got a bit confused.
Let me take another example:
* http server (apache) runs on webserver1. It listens on non-standard port 81. It has a private IP, 192.168.0.2
* Firewall has one public IP, 80.81.82.3
On the firewall is a port-forward (aka NAT) rule; it forwards requests on WAN IP 80.81.82.3 port 80 to webserver1 on port 81: 80.81.82.3:80 -> 192.168.0.2:81
This works fine; from the internet you access the web pages on 80.81.82.3:80 (you don't really need the port here, as http requests go to port 80 by default).
BUT! If you now put your computer on the inside, for example using VPN, you can access webserver1 on its private IP 192.168.0.2.
Now you have to use port 81 from the client, so the address to use will be 192.168.0.2:81
You cannot reach the server on port 80 - unless it listens on that port as well.
Just remember, many web applications are configured to use a specific port. For example, in Wordpress you have to specify in its configuration what port is being used for it; all links will use that port.
So if your Wordpress uses port 81 - which you have to do to access the site from outside - then you might be able to reach it on 192.168.0.2:80, but all links will be rewritten to 192.168.0.2:81
 
1 members found this post helpful.
Old 03-14-2014, 01:32 PM   #4
factor3
LQ Newbie
 
Registered: Sep 2011
Posts: 16

Original Poster
Thanks, Pingu, for the information. It is of great help.

The reason I was asking the questions that I was is because I have an http server which is listening on port 8080 (for security reasons I won't run it on port 80) and I have configured my machine's firewall to forward http requests from port 80 to port 8080.

In order to make everything work, I had to open port 80 *and* port 8080. If I left port 8080 closed, I was not getting the responses to the http requests (I was getting server timeout failures). Now, I can send requests to both ports and access the site.

The problem is that I have a customer who wants to access the site, but he cannot. I attempted to access it from within his network, and was getting server timeout failures. If I access the site from anywhere else, I have no problems. Only when I am at his office is it impossible to access my site.

After talking with him for a while, I found that he has a very strict network firewall that has port 8080 closed (it listens on port 80 and a few other ports, but 8080 is closed). We are not sure, but we thought that there was a need to reroute the http responses back to port 80 in order for him to be able to receive them (he absolutely refuses to open port 8080).

That is why I was asking the questions I was asking. I am trying to figure out why this particular person cannot access my website. If his browser is using some "random" port to receive the http responses, then our theory is likely wrong. Yet I did have to open that port on my system in order to receive http responses from my server...

I need to know how to enable him to actually be able to receive my http responses. Do you (or anyone else) have any ideas on how to do this?
 
Old 03-14-2014, 01:42 PM   #5
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Are you sure it's the responses that are getting blocked, rather than the requests? Have you tried to set up a logging system on your server that writes out whenever it receives a request? It sounds more like his firewall is blocking his request attempts on 8080, and they're never even reaching your system.
 
Old 03-14-2014, 01:46 PM   #6
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

This:

Quote:
Originally Posted by factor3
The reason I was asking the questions that I was is because I have an http server which is listening on port 8080 (for security reasons I won't run it on port 80) and I have configured my machine's firewall to forward http requests from port 80 to port 8080.
Needs some clarification. Your http server is listening on 8080 internally for security reasons. Then your firewall is forwarding anything coming in on port 80 to your server at 8080? Doesn't that just bypass your entire reason for running the server on 8080? People can still access your server on port 80; they don't know and don't care that internally it's using 8080. It makes no difference to them because THEY'RE interfacing with 80, and your "security" concerns are shot.
 
Old 03-14-2014, 02:06 PM   #7
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

Quote:
Originally Posted by factor3
... (for security reasons I won't run it on port 80) and I have configured my machine's firewall to forward http requests from port 80 to port 8080.
This is a common misunderstanding, but there is absolutely no extra security in this. You still reach your webserver via port 80! If you want to hide it then forward some other port, like for instance 8080. But honestly, it is very easy to find out what ports are open so you don't gain much in doing this.
Quote:
In order to make everything work, I had to open port 80 *and* port 8080. If I left port 8080 closed, I was not getting the responses to the http requests (I was getting server timeout failures). Now, I can send requests to both ports and access the site.
I think, my friend, you have mixed things up here.
If you forward port 8080 to port 80, there is no need to open port 80 in the firewall.
(You will of course need to open port 80 on the webserver.)
BUT!: "Now, I can send requests to both ports and access the site." Aha, so you can access the webserver from internet on port 80!
Quote:
The problem is that I have a customer who wants to access the site, but he cannot.
...
he has a very strict network firewall that has port 8080 closed (it listens on port 80 and a few other ports, but 8080 is closed). We are not sure, but we thought that there was a need to reroute the http responses back to port 80 in order for him to be able to receive them (he absolutely refuses to open port 8080).
But this is wrong!
You have forwarded port 80 to port 8080 - port 80 is the one used from internet!
Quote:
That is why I was asking the questions I was asking. I am trying to figure out why this particular person cannot access my website. If his browser is using some "random" port to receive the http responses, then our theory is likely wrong. Yet I did have to open that port on my system in order to receive http responses from my server...

I need to know how to enable him to actually be able to receive my http responses. Do you (or anyone else) have any ideas on how to do this?
This is not the problem. Firewalls are set up to allow replies; established connections are never blocked.
 
Old 03-14-2014, 02:10 PM   #8
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

What kind of websites is your webserver hosting - is it Wordpress sites, some other CMS, or what?
Take a look at what I wrote in the last half of my second reply; could that be the cause? Since you have to open both port 80 AND 8080 in the firewall - I guess you NAT'ed both?

A bit more clear maybe: He accesses your website on port 80, but when he clicks on any link he is directed to port 8080 (since this is configured for WP or whatever) - and port 8080 is blocked in his firewall outgoing.

Last edited by pingu; 03-14-2014 at 02:14 PM.
 
Old 03-14-2014, 02:27 PM   #9
factor3
LQ Newbie
 
Registered: Sep 2011
Posts: 16

Original Poster
suicidaleggroll:

Actually, I know that it is not his actual access that is being blocked, because he can pretty much access every other website except mine. If he couldn't access mine, he would get "cannot connect" failures, not "server timeout" failures.

The "server" I am using is Tomcat, which logs every request it receives. I am seeing the requests come in and the responses being generated.

So I know he is accessing the server on port 80 -- as he should be. He simply is not receiving the responses.

As for my security reasons for this setup, I am not "protecting" any ports, I am protecting my system. Port 80 is one of several ports that, on a Linux system, cannot be used by any applications that do not have root access. It is common knowledge that running any server as root creates a security hole, because if a hacker was to compromise that application they would get root privileges.

I am running my server as someone other than root, but also want to still use port 80 because that is the standard HTTP port (making non-technical customers have to remember port numbers in URLs is bad for business because it looks unprofessional). Setting up port forwarding from 80 to the port your application is using is the standard procedure for letting your server use port 80 without creating a potential security hole that could be used to compromise your entire system.

Consequently, allowing people to access my server on port 80 does not cause my security concerns to be "shot", because I am not attempting to prevent "regular" use of my server. I *want* people to access my server through port 80, but I don't want to give hackers a chance to screw up my system by compromising a process that is being run as root. My system is more secure because I am running the server as a user other than root which has very limited privileges. My setup makes things *more* secure, not less.

Unfortunately, this leads back to the problem my customer has. His network firewall blocks port 8080, and I have been suspecting that my server is replying to requests on that port, even though it is receiving the requests on port 80. Is my suspicion correct? If so, how can I make my firewall send responses on port 80 instead of 8080?
 
Old 03-14-2014, 02:36 PM   #10
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

But you are wrong! The normal procedure is to run the webserver under a user other than root on port 80! The initial process is started by root, that's correct, but the webserver itself runs under 'www-data' or 'apache' (to take the 2 most common usernames from what I've seen).

Could you please reply to my previous post, I strongly believe that is where the problem lies.
 
Old 03-14-2014, 02:49 PM   #11
factor3
LQ Newbie
 
Registered: Sep 2011
Posts: 16

Original Poster
Clarification

Pingu:

No, he is not getting links that go to port 8080. He isn't getting anything. He is successfully sending an http request to my server but not receiving the response.

In other words:

When you enter the URL to my website into your browser, your browser will receive and render the page without problems.

When my customer (or anyone else) enters my URL into his browser from his office, the browser spins for several minutes, then generates an error that says that "the server at <my URL> is taking too long to respond".

When this same customer enters my URL from anywhere other than his office, his browser receives and renders my web page without problems.

The server being used is Tomcat -- but that is irrelevant. In order to get the port forwarding working properly, I originally set everything up using the Apache server (standard httpd) after configuring it to listen on port 8080. I had to open port 8080 to get *Apache* working, and later when I shut Apache down and started Tomcat, I had to keep it open.

I have switched between Apache and Tomcat (when one is running the other is off), and my customer has the same problem, regardless of the server used. The problem is not an unusual server (and Tomcat is not unusual in any event!) -- and since my page can be accessed from everywhere else *except* my customer's office, the problem has to be connected with my customer's network firewall settings.

That is why I am asking the questions I am asking. It is looking like I need to somehow forward my http responses to port 80. That is the only thing that seems to make sense.

I just need to find out how to do that...
 
Old 03-14-2014, 02:55 PM   #12
factor3
LQ Newbie
 
Registered: Sep 2011
Posts: 16

Original Poster
No, Pingu, *you* are wrong

You are correct: the correct procedure is to run a server as a user other than root.

But on Linux systems, the only way you can get a server to successfully use port 80 is to run it as root.

My server is not a regular service like httpd. It is an application. And your view of the problem is not correct. See my entry to you titled "clarification" to know more...

Last edited by factor3; 03-14-2014 at 03:07 PM. Reason: Clarification
 
Old 03-14-2014, 03:03 PM   #13
factor3
LQ Newbie
 
Registered: Sep 2011
Posts: 16

Original Poster
OOPS... almost forgot

I forgot to mention that the Tomcat server cannot be run the same way you run Apache or other Linux services, because Tomcat is a Java application that can only be started from the command line. The standard procedure for running Tomcat securely is to do what I have done: forward the port to 8080 and run Tomcat as someone other than root.

And check out my reply to suicidaleggroll. As I explained there, I am not protecting ports. I am protecting my system...

Last edited by factor3; 03-14-2014 at 03:05 PM.
 
Old 03-14-2014, 03:08 PM   #14
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

I believe his firewall is blocking outgoing traffic, with some exceptions.
Normally outgoing traffic is allowed, but in very secured environments outgoing traffic is filtered as well.
Thinking again, maybe not? "the server at <my URL> is taking too long to respond".
Can you check the logs on his firewall? It could be that the replies from your webserver are not recognized as replies to a legitimate request, and therefore they are blocked.
What firewall is it? Make, model?

"It is looking like I need to somehow forward my http responses to port 80. That is the only thing that seems to make sense." No, this is not the case. I can understand why you're looking at this, but it will get you nowhere.
This is the procedure:
Client sends a request to http://my.web.com. This is delivered to port 80 on the relevant server. The port used on the client, however, is almost never port 80 - it's just a random port opened for this communication.
Then your webserver replies to the client's IP & random port number. The client's firewall shall have a rule to accept established connections.

This problem of yours is very confusing and interesting! :-)
Now, Tomcat normally listens on port 8080; you can run it stand-alone or under a webserver.
You need port 8080 open in the webserver's firewall if you're running Tomcat on the default port. Also, you have configured Apache to listen on port 8080 - this means you can't run Tomcat & Apache simultaneously.

Is there any chance you could get the firewall config from your friend - he who can't access your site?

Last edited by pingu; 03-14-2014 at 03:13 PM.
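The same-host forward factor3 describes (clients connect to port 80, the non-root Tomcat/httpd listens on 8080), written out the way pingu explains it in his third and fourteenth posts: the redirect happens before the filter table sees the packet, replies are matched by connection state rather than by port, and conntrack reverses the translation so the response leaves with source port 80 and lands on the client's ephemeral port. This is an added example, not rules from the thread; it assumes iptables with the conntrack match, `eth0` as the external interface, and the port numbers from the thread. Limiting the 8080 acceptance to redirected flows (the DNAT virtual state) is added hardening that nobody in the thread proposes.

```shell
#!/bin/sh
# Added example (not from the thread): factor3's "port 80 -> 8080" forward on one
# host as iptables rules, plus the stateful rules pingu refers to. Interface and
# ports are assumptions. Run as "sh fwd.sh apply" (root) or "IPT=echo sh fwd.sh
# apply" to review the rules; "sh fwd.sh check" prints the verification commands.
set -eu

IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of applying
WAN="${WAN:-eth0}"        # assumed external interface
PUBLIC_PORT=80            # port B in the thread: what clients connect to
APP_PORT=8080             # port A: where the non-root Tomcat/httpd listens

apply_rules() {
    # nat/PREROUTING runs before filter/INPUT, so a request arriving for :80 is
    # rewritten to :8080 here. conntrack records the translation and undoes it
    # on the way out: the reply leaves with source port 80, and the client never
    # sees 8080. Its own end of the connection is an ephemeral port, not 80.
    "$IPT" -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$PUBLIC_PORT" \
        -j REDIRECT --to-ports "$APP_PORT"

    # Replies and follow-up packets of known connections are accepted by state;
    # there is no reply port to "open" on either side.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # By the time filter/INPUT runs, the redirected request already has dport
    # 8080, which is why factor3 found he had to "open 8080" too. Accept it only
    # for flows that were actually redirected (the DNAT virtual state), so a
    # connection aimed straight at :8080 from outside does not qualify.
    "$IPT" -A INPUT -i "$WAN" -p tcp --dport "$APP_PORT" \
        -m conntrack --ctstate DNAT -j ACCEPT

    # Everything else arriving on the WAN for :8080 is dropped; the published
    # port is the only way in.
    "$IPT" -A INPUT -i "$WAN" -p tcp --dport "$APP_PORT" -j DROP
}

# Verification: on the WAN interface tcpdump captures inbound packets before
# nat/PREROUTING and outbound packets after POSTROUTING, so both directions
# show port 80; 8080 appears only in the conntrack table's reply tuple.
show_checks() {
    printf '%s\n' \
        "tcpdump -ni $WAN 'tcp port $PUBLIC_PORT'" \
        "conntrack -L -p tcp --dport $PUBLIC_PORT"
}

case "${1:-}" in
    apply) apply_rules ;;
    check) show_checks ;;
    *)     : ;;   # no argument: only define the functions
esac
```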
 
Old 03-14-2014, 03:38 PM   #15
factor3
LQ Newbie
 
Registered: Sep 2011
Posts: 16

Original Poster
Tomcat can actually be run with Apache, but I refuse to do so because one of the first things I learned when studying network security is just how easily it can be compromised -- especially if it is handling dynamic content like perl or PHP scripts. Yes, you can set it up to run as one of the standard Linux users, but even if you do I know of too many exploits that can be performed against even the latest version. Consequently, for the web apps I want to run, it is more secure to run Tomcat standalone the way I am running it. The latest Java JVM has eliminated the security holes that previous versions have (and believe me: as part of my dissertation I have been testing Apache, Tomcat, and the JVM). At this point Tomcat standalone is my best choice from a security standpoint.

As for my customer: I believe his firewall is from Juniper. It is worth checking out his logs to see exactly what his firewall is doing when he attempts to access my site.

Let me see what I can do about getting them...

Last edited by factor3; 03-14-2014 at 03:38 PM. Reason: Typos
 
Tags
http, port, port forwarding