LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-25-2006, 11:14 AM   #1
zivota
Member
 
Registered: May 2005
Distribution: CENTOS
Posts: 91

Rep: Reputation: 15
Forwarding from 80 -> 9400


Guys help!!!

I need to route all traffic from port 80->9400 on the same machine so that a web browser by default sees the Oracle webcache page instead of Apache. Don't ask why it has to be done NOW.

RedHat AS4

I checked the iptables manual and it looks like it can be done with PREROUTING but I am stuck now.

Help
 
Old 07-25-2006, 12:11 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Please do not mark threads as urgent. It is typically considered rude on voluntary forums.
 
Old 07-25-2006, 12:53 PM   #3
zivota
Member
 
Registered: May 2005
Distribution: CENTOS
Posts: 91

Original Poster
Rep: Reputation: 15
I didn't want to be rude. I need help obviously ... so if somebody thinks it's rude because I am in trouble then my apologies to all members and guests of LinuxQuestions.org.
 
Old 07-25-2006, 01:15 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3608
It's all understandable. You need something fast and that makes you forget we're all doing this all for fun and in our own time. Did you try something like "/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 9400"?
 
Old 07-25-2006, 03:16 PM   #5
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Rep: Reputation: 30
I'm not quite sure I understand. Do you want web surfers to see port 9400 by default when they go to www.your-domain.com?

If so you could always use an Apache Redirect:
httpd.conf:

Redirect / http://www.your-domain.com:9400/
 
Old 07-25-2006, 04:00 PM   #6
zivota
Member
 
Registered: May 2005
Distribution: CENTOS
Posts: 91

Original Poster
Rep: Reputation: 15
This is what I have

iptables -t nat -A PREROUTING -i $INETDEV -p tcp --dport 80 -j REDIRECT --to-port 9400

Actually I copied this from a book (except the port) but it didn't work.
$INETDEV is the only interface I have on this machine. This is a stand-alone server, not a gateway.

I cannot change httpd.conf, not allowed. That's actually my problem so I am trying to get around it.

Web browsers should just go to http://server and the firewall (or something else) should redirect this to http://server:9400.

I hope it's a little bit more clear.
 
Old 07-25-2006, 04:08 PM   #7
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Rep: Reputation: 30
How is it you have access to the firewall rules and not the httpd.conf file? One seems a little more sensitive than the other. Well, how about web site FTP access? If your server supports PHP you could always just put a dummy index.php page in the document root with a header redirect.

index.php:
PHP Code:
<?php
// Send the redirect header before any output; the Location value needs a full URL
header('Location: http://yourdomain.com:9400/');
echo 'Please wait while you are being redirected...';
?>
If you haven't noticed, most of my experience is in web site administration.
If this isn't an option then hopefully unSpawn will help you out some more.
 
Old 07-25-2006, 04:55 PM   #8
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 79
If you want to maintain a connection, I'm pretty sure you need both DNAT (in PREROUTING) and SNAT (in POSTROUTING).

E.g. (# indicates root prompt):
Code:
# YOUR_IP='123.123.123.123' # Replace with your IP
# /sbin/iptables -t nat -A PREROUTING  -d ${YOUR_IP} -p tcp --dport 80   -j DNAT --to-destination ${YOUR_IP}:9400
# /sbin/iptables -t nat -A POSTROUTING -s ${YOUR_IP} -p tcp --sport 9400 -j SNAT --to-source ${YOUR_IP}:80
 
Old 07-25-2006, 05:00 PM   #9
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 79
The above method will change all output coming from tcp port 9400 to coming from tcp port 80. You might want to use the `owner' extension to limit the match to a specific UID/GID/PID --- that of the Oracle daemon (? I am not familiar with the setup of Oracle software).
 
Old 07-25-2006, 05:48 PM   #10
zivota
Member
 
Registered: May 2005
Distribution: CENTOS
Posts: 91

Original Poster
Rep: Reputation: 15
@osor

Your lines make sense to me. I did apply them and they look like this.

# HTTP
iptables -t nat -A PREROUTING -d ${IP} -p tcp --dport 80 -j DNAT --to-destination ${IP}:9400
iptables -t nat -A POSTROUTING -s ${IP} -p tcp --sport 9400 -j SNAT --to-source ${IP}:80

But it didn't work out so I figured I probably have to specifically enable traffic on port 9400 because once you forward traffic from 80->9400 it ends up again in the queue on $INETDEV.

So after I added the next two lines it did start working.
iptables -A INPUT -i ${INETDEV} -p tcp --dport 9400 -j ACCEPT
iptables -A OUTPUT -o ${INETDEV} -p tcp --sport 9400 -j ACCEPT

@osor thanks man, you saved my life!!!

@msound
I am the sysadmin for this server but not for the Oracle installation on it. The Apache they use is also part of the Oracle installation although more or less it is the same Apache. Those guys did a lot of hard coding and changing the port was absolutely out of the question. The only way to quickly solve the problem is to forward traffic from 80 -> whatever.

Thanks everybody for help!!!
 
Old 07-25-2006, 09:21 PM   #11
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 79
One of the things I was worried about is this line:

Code:
iptables -A OUTPUT -o ${INETDEV} -p tcp --sport 9400 -j ACCEPT
If you think about it carefully, you'll probably realize that this line is not needed in 95% of all netfilter setups (probably also in zivota's circumstance). Any new outbound connections with ports > 1024 are most probably already ACCEPTed. Therefore, it is a redundant line which can be removed. But then, you think more, and you realize that it is possible that a userspace application makes a stream-socket connection whose randomly-assigned source port happens to be 9400 (this is entirely possible since 9400 is greater than 1024, and therefore available to normal UID processes).

That means that every time a userspace program tries to connect (using TCP), you have a 1 in 64510 chance of incorrect mangling by iptables. Practically, this is no big deal, but theoretically it is BAD (maybe an attacker learns of this vulnerability, and tries to force open source port 9400 with a non-privileged program, thereby taking over a privileged port). The only way I can see to eliminate this is using a combination of the owner match and the mark match/target (the owner match is only allowed in the OUTPUT chain, so we would have to mark it there. Then, in the POSTROUTING chain, we would have to check the markedness of the packet whose source port is being redirected.).
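Added here as an example (not osor's or anyone else's code from the thread): a small audit over iptables-save output that flags the two patterns osor warns about, an OUTPUT ACCEPT keyed only on --sport and a POSTROUTING SNAT that rewrites every packet leaving that source port. The ruleset it scans is a constructed sample modelled on this thread, with 192.0.2.10 and eth0 as placeholder values.

```shell
#!/bin/sh
# Added example (not code from the thread): audit an iptables-save dump for
# the two risky patterns discussed above. SAMPLE_RULES is a constructed
# sample modelled on this thread, not a capture from a real host.
SAMPLE_RULES='*nat
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:9400
-A POSTROUTING -s 192.0.2.10/32 -p tcp -m tcp --sport 9400 -j SNAT --to-source 192.0.2.10:80
COMMIT
*filter
-A INPUT -i eth0 -p tcp -m tcp --dport 9400 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 9400 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 9400 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT'

# Read iptables-save text on stdin; print one line per risky rule.
audit_rules() {
    awk '
        # OUTPUT ACCEPT keyed only on a source port: any local process whose
        # connection is assigned that ephemeral port inherits the ACCEPT.
        /^-A OUTPUT / && /--sport/ && /-j ACCEPT/ &&
            !/--ctstate/ && !/--state/ && !/--uid-owner/ {
            print "stateless-sport-accept: " $0
        }
        # SNAT rewriting the source of everything leaving a port: the reply
        # path of a DNAT/REDIRECT is already reversed by conntrack, so this
        # rule also touches unrelated connections that use that source port.
        /^-A POSTROUTING / && /--sport/ && /-j SNAT/ {
            print "blanket-sport-snat: " $0
        }
    '
}

# Number of findings in the constructed sample: the bare OUTPUT rule and the
# SNAT rule are flagged; the ESTABLISHED-qualified OUTPUT rule is not.
count_sample_findings() {
    printf '%s\n' "$SAMPLE_RULES" | audit_rules | awk 'END { print NR }'
}

# On a live host (as root) the same check is: iptables-save | audit_rules
count_sample_findings
```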
 
Old 07-25-2006, 09:23 PM   #12
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 79
If anyone sees a more elegant solution, please speak up.
 
Old 07-26-2006, 04:37 PM   #13
zivota
Member
 
Registered: May 2005
Distribution: CENTOS
Posts: 91

Original Poster
Rep: Reputation: 15
@osor

...if I remove

iptables -A OUTPUT -o ${INETDEV} -p tcp --sport 9400 -j ACCEPT

traffic will stop. I guess you have to monitor state in order to remove this rule and still have traffic allowed OUT on port 9400.

In my case there is no state so this line has to be there. Something else: the problem you exposed is valid if your server is "outside". My server is not exposed to the internet directly and only traffic on 80 is allowed from outside. There is less chance for exploit.

One thing I didn't have a chance to test and am going to do is: once you forward traffic from 80->9400 will that also change the header of the newly created packet and show $INETDEV as source? Is the packet recreated or ... is it the same one just passed to 9400? If that's the case (recreated) you can allow traffic on 9400 only from $INETDEV and drop anything else. .... not sure, just an idea.

I am pretty new to Linux ... so if I said something stupid... disregard.

Last edited by zivota; 07-26-2006 at 04:39 PM.
 
Old 09-04-2006, 05:43 PM   #14
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
Zivota

I strongly suggest that you do not need any other rule apart from

$IPTABLES -A PREROUTING -t nat -p tcp -d $INETDEV-IP --dport 80 -j REDIRECT --to-port 9400
OR

$IPTABLES -A PREROUTING -t nat -p tcp -d $INETDEV-IP --dport 80 -j DNAT --to-destination $INETDEV-IP:9400


Though any other rule in the INPUT chain, or while going back, any rule at the OUTPUT chain could possibly be the reason for it not working.

Understand this:
Whenever a packet is destined for your box, let's take 'A', it first goes through the PREROUTING chain & then INPUT... so let's assume that you have the PREROUTING rule fixed as I have suggested above or you already know... but any INPUT rule could also be a possible block.

Second, while returning back, a packet goes through the OUTPUT chain & then the POSTROUTING chain, & hence any wrong rule can block it at the OUTPUT chain as well, like any default block rules at this chain.

As you have a fixed real/public legal IP address at your INET interface, which is in the same class as any of your clients, we do not need SNAT in this case.


With best regards,
Amit..
http://amitsharma.linuxbloggers.com/portforwarding.htm

Last edited by amitsharma_26; 09-11-2006 at 07:43 AM.
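Added here as an example (not code from any post in the thread): the REDIRECT-only approach from posts #4 and #14, with the INPUT/OUTPUT rules from post #10 made stateful so the OUTPUT side no longer needs the bare --sport 9400 ACCEPT that post #11 warns about. It assumes iptables with the nat table and the conntrack match (on an old RHEL AS4 kernel, -m state --state is the equivalent); eth0 and the IPT variable are placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread): redirect port 80 to the local
# 9400 listener and allow the redirected traffic statefully.
# Assumes iptables with the nat table and the conntrack match; INETDEV is a
# placeholder. Run with "apply" as root to install, or no argument to preview.
INETDEV=${INETDEV:-eth0}      # assumed outside interface
IPT=${IPT:-/sbin/iptables}    # set IPT=echo to preview instead of applying

apply_rules() {
    # REDIRECT rewrites the destination port of packets delivered locally.
    # conntrack records the mapping and reverses it on the reply, so no
    # POSTROUTING SNAT rule is needed to send replies back from port 80.
    "$IPT" -t nat -A PREROUTING -i "$INETDEV" -p tcp --dport 80 \
        -j REDIRECT --to-port 9400
    # Accept the redirected connections on 9400 only from the outside interface.
    "$IPT" -A INPUT -i "$INETDEV" -p tcp --dport 9400 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # Replies leave as ESTABLISHED; a fresh outbound connection that happens
    # to get ephemeral source port 9400 is NEW and does not match this rule.
    # (-m owner --uid-owner <account> could narrow it further to the
    # listener's account; the owner match only sees locally generated packets.)
    "$IPT" -A OUTPUT -o "$INETDEV" -p tcp --sport 9400 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Print the rules that would be applied, without touching the kernel.
preview_rules() {
    ( IPT=echo; apply_rules )
}

case "${1:-preview}" in
    apply)   apply_rules ;;
    preview) preview_rules ;;
esac
```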
 