If you forward a port using the iptables REDIRECT target like this:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

...the traffic flow between the client and the server will be between a random TCP port on the client to port 80 on the server. The INPUT chain in the filter table will have to allow inbound packets to both port 80 and port 8080.
When you use the REDIRECT target, replies from port 8080 on the server are intercepted by the iptables NAT engine and the source port number is altered from 8080 to 80. Otherwise, the client wouldn't accept the packets; it believes it's communicating with port 80 on the server, not port 8080.
However, if you use a web server to issue a 301 or 302 HTTP redirect when the client accesses port 80, the client will start a new connection to port 8080. In that case, a firewall (on the client side) blocking port 8080 will prevent the client from reaching the site.
BTW, there are ways to run Tomcat on port 80 without giving it root privileges. One popular approach is to use authbind.
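Added example, not part of the post above: a small Python model of the two behaviours it describes, the REDIRECT target rewriting the destination port on the way in and the source port on the reply, versus an HTTP 301/302 that makes the client open a new connection straight to 8080 that REDIRECT never touches. The IP addresses and client ports are constructed.

```python
from dataclasses import dataclass, replace

# Constructed addresses (RFC 5737 documentation ranges), not from the post.
CLIENT_IP = "198.51.100.7"
SERVER_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class RedirectNat:
    """Models `-t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080`."""

    def __init__(self, match_port=80, to_port=8080):
        self.match_port = match_port
        self.to_port = to_port
        self.conntrack = {}  # (client ip, client port) -> port the client thinks it used

    def prerouting(self, pkt):
        # Packet to --dport 80: rewrite the destination port and remember the flow.
        if pkt.dst_port == self.match_port:
            self.conntrack[(pkt.src_ip, pkt.src_port)] = pkt.dst_port
            return replace(pkt, dst_port=self.to_port)
        return pkt  # no match: the packet passes through untouched

    def reply(self, pkt):
        # Reply leaving port 8080 for a tracked flow: restore source port 80 so the client accepts it.
        orig = self.conntrack.get((pkt.dst_ip, pkt.dst_port))
        if orig is not None and pkt.src_port == self.to_port:
            return replace(pkt, src_port=orig)
        return pkt


def redirect_flow(nat, client_port=40001):
    """Return (port the local service sees, source port of the reply as seen by the client)."""
    req = Packet(CLIENT_IP, client_port, SERVER_IP, 80)
    at_service = nat.prerouting(req)
    reply = Packet(SERVER_IP, at_service.dst_port, CLIENT_IP, client_port)
    return at_service.dst_port, nat.reply(reply).src_port


def http_redirect_reachable(nat, client_egress_allowed, client_port=40002):
    """After a 301/302 to :8080 the client opens a NEW connection to 8080; REDIRECT does not match it."""
    new_req = Packet(CLIENT_IP, client_port, SERVER_IP, 8080)
    return nat.prerouting(new_req).dst_port in client_egress_allowed
```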