LinuxQuestions.org
Old 07-13-2010, 08:36 AM   #1
sundoe
LQ Newbie
 
Registered: Jan 2008
Distribution: centos 5.1
Posts: 5

Rep: Reputation: 0
correct/safe iptables rules for redirecting port 80 to 8080


I am setting up tomcat server on my Centos 5.5 machine. I've been advised to run tomcat on 8080 as non root user and redirect traffic to it from port 80.

I searched and found the following iptables commands for this:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
# iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
I have a doubt:
Tomcat is not accessible via port 80 without the second command. But the second command opens 8080 and makes it accessible over the internet (tomcat is accessible via both: www.<website>.com and http://<ip address>:8080). This doesn't seem right. Is there some simple (iptables) way to redirect traffic "internally" from port 80 to 8080 without having to open 8080 to the internet?

Thanks
 
Old 07-13-2010, 02:00 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
You could try the approach being discussed here for a similar requirement.

BTW, why can't you just make it listen on port 80 in order to avoid all of this?

Last edited by win32sux; 07-13-2010 at 02:01 PM.
 
Old 07-13-2010, 03:14 PM   #3
sundoe
LQ Newbie
 
Registered: Jan 2008
Distribution: centos 5.1
Posts: 5

Original Poster
Rep: Reputation: 0
thank you win32sux

Quote:
BTW, why can't you just make it listen on port 80 in order to avoid all of this?
I don't want to run tomcat on port 80 because that would have to be done as root and I want to avoid logging in as root regularly for the administration, testing, deployment etc.

For someone who reads this later: I tried a slight variation of the iptables mangle command mentioned in the post linked above and it restricts access to 8080 from outside/internet while allowing the redirects from port 80.

Code:
iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j MARK --set-mark 1
iptables -I INPUT -m mark --mark 1 -j DROP
I had to use -I in the second rule instead of -A as in the post linked above; this might depend on the sequence of rules in your iptables.

Can someone comment on how good a solution this is for simple deployment of tomcat on 8080?
 
Old 07-13-2010, 08:00 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by sunflight
thank you win32sux
No problem.

Quote:
I don't want to run tomcat on port 80 because that would have to be done as root and I want to avoid logging in as root regularly for the administration, testing, deployment etc.
That's a good reason IMO.

That said, isn't it kind of odd that the program doesn't have root privilege dropping as a feature? I've never used Tomcat so I don't really know the particulars. In any case, I understand why you're doing this now – and running daemons as root is almost always a terrible idea.

Quote:
Can someone comment on how good a solution this is for simple deployment of tomcat on 8080?
I can't comment on Tomcat, but the iptables technique seems pretty solid to me. I've used it myself, and have recommended it to other members who report satisfactory results. See this thread, for example.

Last edited by win32sux; 07-13-2010 at 08:09 PM.
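
An added example, not part of any post in this thread: a simplified Python model of the order in which netfilter applies the rules from posts #1 and #3 (mangle PREROUTING, then nat PREROUTING, then filter INPUT), showing why the mark survives the redirect and why inserting the DROP with -I rather than appending it with -A matters. The packet dictionary, the function names and the default DROP policy are assumptions made for the illustration.

```python
# Simplified model of netfilter traversal for an inbound packet addressed to
# the local host: mangle/PREROUTING -> nat/PREROUTING -> filter/INPUT.
# Constructed illustration: only the destination port and the mark are modelled.

def mangle_prerouting(pkt):
    # iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j MARK --set-mark 1
    if pkt["dport"] == 8080:
        pkt["mark"] = 1

def nat_prerouting(pkt):
    # iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
    if pkt["dport"] == 80:
        pkt["dport"] = 8080

# filter/INPUT rules as (match, target); the first matching rule decides.
ACCEPT_8080 = (lambda p: p["dport"] == 8080, "ACCEPT")  # --dport 8080 -j ACCEPT
DROP_MARKED = (lambda p: p["mark"] == 1, "DROP")        # -m mark --mark 1 -j DROP

def verdict(dialled_port, input_chain, policy="DROP"):
    """Return the filter/INPUT verdict for a packet the client sent to dialled_port."""
    pkt = {"dport": dialled_port, "mark": 0}
    mangle_prerouting(pkt)  # runs first: sees the port the client actually dialled
    nat_prerouting(pkt)     # runs second: rewrites 80 -> 8080, mark is untouched
    for match, target in input_chain:
        if match(pkt):
            return target
    return policy           # assumed default policy when no rule matches

# DROP inserted at the head of INPUT (-I), as in post #3.
INSERTED = [DROP_MARKED, ACCEPT_8080]
# DROP appended (-A) after the ACCEPT rule that is already in the chain.
APPENDED = [ACCEPT_8080, DROP_MARKED]

if __name__ == "__main__":
    for label, chain in (("-I", INSERTED), ("-A", APPENDED)):
        for port in (80, 8080):
            print(f"DROP added with {label}: client dialled {port} ->",
                  verdict(port, chain))
```

On a live host, `iptables -L INPUT -n --line-numbers` shows whether the mark-based DROP sits above the port 8080 ACCEPT.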
 