Old 09-30-2016, 10:41 AM   #1
robertjinx
iptables: redirect port 8080 to 81 and block port 8080


Hello, I'm running Tomcat as a normal user, so I can't use port 81. I'm redirecting port 8080 to 81 using iptables, like this:

Code:
/usr/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 81 -j MARK --set-mark 1
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 81 -j REDIRECT --to-port 8080
/usr/sbin/iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -m mark --mark 1 -j ACCEPT
Now, this setup works, I can use port 81, but port 8080 works just the same. I was wondering if it's possible to do this redirect, but then block port 8080, so only 81 would work.

Any ideas? BTW, I can't use anybind, if someone will suggest it.
 
Old 09-30-2016, 01:35 PM   #2
lazydog
Not sure what you are trying to say but if you are redirecting 8080 to 81 your rules are backwards.
You cannot block port 8080 as you need that to get to port 81
 
Old 09-30-2016, 01:58 PM   #3
robertjinx
Quote:
Originally Posted by lazydog View Post
Not sure what you are trying to say but if you are redirecting 8080 to 81 your rules are backwards.
You cannot block port 8080 as you need that to get to port 81
What do you mean by 'your rules are backwards' ?
 
Old 09-30-2016, 02:10 PM   #4
lazydog
If a packet is coming in on 8080 because you cannot use 81, you need to redirect 8080 to 81 not 81 to 8080.
And for simple redirect you don't need to mark the packet.
 
Old 09-30-2016, 02:12 PM   #5
robertjinx
Quote:
Originally Posted by lazydog View Post
If a packet is coming in on 8080 because you cannot use 81, you need to redirect 8080 to 81 not 81 to 8080.
I know what you mean, but this is actually working, and changing it makes it unusable. I'm not joking.
 
Old 09-30-2016, 02:21 PM   #6
lazydog
I don't know how this is working as you are not redirecting 8080 to 81. Are you sure that tomcat isn't listening on port 8080? That is the only reason it would work and your last rule is what allows it to work.

Another thing you might want to consider is using the interface, -i eth0 or -o eth0, in your rules. This way you can fine-tune a rule to only be applied in one direction. For example, your redirect rule would be applied in both directions as it refers to pre-router only which is done in both directions.
 
Old 09-30-2016, 02:30 PM   #7
robertjinx
Tomcat is listening on port 8080, not on 81. I'm redirecting port 8080 to 81. Did I write something else?
 
Old 09-30-2016, 03:06 PM   #8
lazydog
Please forgive me, I misread your post (need to slow down and reread things once in a while).
You are redirecting port 81 outside to port 8080 internally.

So you are looking to block port 8080 from the outside. Never heard of anyone wanting to do this but maybe you could do it with the following:

Code:
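# DNAT to 127.0.0.1 for packets arriving on eth0 also needs net.ipv4.conf.eth0.route_localnet=1
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to-destination 127.0.0.1:8080
# -I inserts at the top of the chain, so insert the DROP first; the ACCEPT then ends up above it
/usr/sbin/iptables -I INPUT -i eth0 -m conntrack --ctstate NEW -m tcp -p tcp --dport 8080 -j DROP
/usr/sbin/iptables -I INPUT -i eth0 -m conntrack --ctstate NEW -m tcp -p tcp -d 127.0.0.1 --dport 8080 -j ACCEPT
Replacing the eth0 with whatever your true interface name is.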
Just off the top of my head. Not sure it will work but it should.
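
Added example, not part of any post in this thread: one way to get the behaviour asked for in post #1 is to keep the packet mark from the original rules and drop traffic that reaches port 8080 without it. The function names, argument order and default mark value are assumptions; the ruleset is printed in iptables-restore format.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an iptables-restore ruleset that
# serves EXT_PORT from a daemon bound to INT_PORT and refuses direct hits on
# INT_PORT. Names, argument order and the default mark 1 are assumptions.

# Accept only decimal port numbers in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# usage: redirect_ruleset EXT_PORT INT_PORT [MARK]
redirect_ruleset() {
    ext=$1 int=$2 mark=${3:-1}
    valid_port "$ext" && valid_port "$int" || return 1
    [ "$ext" -ne "$int" ] || return 1
    case "$mark" in ''|*[!0-9]*) return 1 ;; esac
    cat <<EOF
*mangle
# mangle/PREROUTING sees every packet before NAT rewrites the port,
# so only traffic that was addressed to $ext carries the mark.
-A PREROUTING -p tcp --dport $ext -j MARK --set-mark $mark
COMMIT
*nat
-A PREROUTING -p tcp --dport $ext -j REDIRECT --to-ports $int
COMMIT
*filter
# By the time INPUT runs, both kinds of traffic show --dport $int;
# the mark is what tells redirected packets from direct ones.
-I INPUT -p tcp --dport $int -m mark --mark $mark -j ACCEPT
# Direct connections carry no mark. Loopback is exempt so local
# health checks against $int keep working.
-I INPUT ! -i lo -p tcp --dport $int -m mark ! --mark $mark -j DROP
COMMIT
EOF
}

# Print the ruleset when called with arguments, e.g.: sh script.sh 81 8080
if [ "$#" -ge 2 ]; then
    redirect_ruleset "$@"
fi
```

Check the output with `iptables-restore --test` before loading it with `iptables-restore --noflush`, which leaves the existing rules in place.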
 
Old 09-30-2016, 03:21 PM   #9
IsaacKuo
FWIW, I too was confused by the wording. Normally, when one says "redirecting port 8080 to 81" it means the opposite of what you intend. It normally means "redirecting (TCP/IP) packets from port 8080 to port 81". In other words, packets that hit port 8080 are redirected to port 81.

The other way doesn't really make much language sense. The daemon is listening to port 8080, sure, but its "ear" isn't redirected to port 81. The "ear" is still listening to port 8080. It's just that it is, indirectly, also listening to port 81 in a sense.

To avoid similar confusion in the future, think about how it would sound if you inserted the tacit word "packets".
 
Old 09-30-2016, 03:29 PM   #10
robertjinx
OK, thanks guys, sorry for the wording, sounded normal for me
 