LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 09-30-2016, 10:41 AM   #1
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749

Rep: Reputation: 73
Lightbulb iptables: redirect port 8080 to 81 and block port 8080


Hello, I'm running tomcat as a normal user, so can't be using port 81. I'm redirecting port 8080 to 81 using iptables, like this:

Code:
/usr/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 81 -j MARK --set-mark 1
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 81 -j REDIRECT --to-port 8080
/usr/sbin/iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -m mark --mark 1 -j ACCEPT
Now, this setup works, can using port 81, but port 8080 works just the same. I was wondering if its possible to do this redirect, but then block port 8080, so only 81 would work.

Any ideas? BTW, I can't use anybind, if someone will suggest it.
 
Old 09-30-2016, 01:35 PM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Not sure what you are trying to say but if you are redirecting 8080 to 81 your rules are backwards.
You cannot block port 8080 as you need that to get to port 81
 
Old 09-30-2016, 01:58 PM   #3
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749

Original Poster
Rep: Reputation: 73
Quote:
Originally Posted by lazydog View Post
Not sure what you are trying to say but if you are redirecting 8080 to 81 your rules are backwards.
You cannot block port 8080 as you need that to get to port 81
What do you mean by 'your rules are backwards' ?
 
Old 09-30-2016, 02:10 PM   #4
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
If a packet is coming in on 8080 because you cannot use 81, you need to redirect 8080 to 81 not 81 to 8080.
And for simple redirect you don't need to mark the packet.
 
Old 09-30-2016, 02:12 PM   #5
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749

Original Poster
Rep: Reputation: 73
Quote:
Originally Posted by lazydog View Post
If a packet is coming in on 8080 because you cannot use 81, you need to redirect 8080 to 81 not 81 to 8080.
I know what you mean, but this is actually working and changing it, makes it unusable. I'm not joking
 
Old 09-30-2016, 02:21 PM   #6
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
I don't know how this is working as you are not redirecting 8080 to 81. Are you sure that tomcat isn't listing on port 8080? That is the only reason it would work and your last rule is what allows it to work.

Another thing you might want to consider is using the interface, -ieth0 or -o eth0, in your rules. This way you can fine tune a rule to only be applied in one direction. for example your redirect rule would be applied in both directions as it refers to pre-router only which is done in both directions.
 
Old 09-30-2016, 02:30 PM   #7
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749

Original Poster
Rep: Reputation: 73
Tomcat is listening on port 8080, not on 81. I'm redirecting port 8080 to 81. Did I write something else?
 
Old 09-30-2016, 03:06 PM   #8
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Please forgive me, I mis-read you post (need to slow down and reread things once in a while).
You are redirecting port 81 outside to port 8080 internally.

So you are looking to block port 8080 from the outside. Never heard of anyone wanting to do this but maybe you could do it with the following:

Code:
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT 127.0.0.1:8080
/usr/sbin/iptables -I INPUT -i eth0 -m conntrack --ctstate NEW -m tcp -p tcp -d 127.0.0.1 --dport 8080 -j ACCEPT
/usr/sbin/iptables -I INPUT -i eth0 -m conntrack --ctstate NEW -m tcp -p tcp --dport 8080 -j DROP
Replacing the eth0 with what ever your true interface name is.
Just off the top of my head. Not sure it will work but it should.
 
Old 09-30-2016, 03:21 PM   #9
IsaacKuo
Senior Member
 
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian Stable
Posts: 2,396
Blog Entries: 8

Rep: Reputation: 412Reputation: 412Reputation: 412Reputation: 412Reputation: 412
FWIW, I too was confused by the wording. Normally, when one says "redirecting port 8080 to 81" it means the opposite of what you intend. It normally means "redirecting (TCP/IP) packets from port 8080 to port 81". In other words, packets that hit port 8080 are redirected to port 81.

The other way doesn't really make much language sense. The daemon is listening to port 8080, sure, but its "ear" isn't redirected to port 81. The "ear" is still listening to port 8080. It's just that it is, indirectly, also listening to port 81 in a sense.

To avoid similar confusion in the future, think about how it would sound if you inserted the tacit word "packets".
 
Old 09-30-2016, 03:29 PM   #10
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749

Original Poster
Rep: Reputation: 73
OK, thanks guys, sorry for the wording, sounded normal for me
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
CentOS 5: iptables - cannot open port 80 and nat to port 8080 for Tomcat steve willett Linux - Networking 4 09-24-2010 04:03 AM
redirect port 80 to 8080 by iptables but it changes again when system boot up enes1177 Linux - Networking 2 07-03-2008 08:09 AM
access 8080 web server port through squid running on 8080 sunethj Linux - Networking 11 05-18-2007 02:38 AM
debian iptables squid - redirect port 80 to port 8080 on another machine nickleus Linux - Networking 1 08-17-2006 12:59 AM
REDIRECT port 80 to 8080 not working dwynter Linux - Networking 2 06-25-2003 08:06 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 08:19 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration