I have an Amazon Linux 1 instance that was created from a Solarwinds DPA AMI. I created this around 2 years ago. It is possible I did something weird back then to make this happen.
Today, I upgraded Solarwinds DPA. I noticed that the listening ports were configured for 8123/8124 in the Tomcat server.xml file, yet I have been accessing DPA on port 80. I didn't think anything of this, assuming this was normal behavior through some DPA configuration / port redirection.
But, I wanted to switch to SSL, and I want an easy and familiar way to manage the SSL certificates. DPA is a Java application and requires the ridiculously stupid Java store for SSL certificates. So, I installed nginx as a reverse proxy instead where I can very simply manage SSL certificates.
Once installed, I set up nginx to listen on port 81 and 443 and forward port 443 to port 80 on the backend. I then tested opening the DPA site on port 443, and I received an invalid certificate warning. Upon inspecting the certificate, it is a self-signed DPA certificate. Realizing that is strange, I took a closer look at netstat.
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 13040/nginx
tcp 0 0 0.0.0.0:8123 0.0.0.0:* LISTEN 10950/java
tcp 0 0 0.0.0.0:8124 0.0.0.0:* LISTEN 10950/java
tcp 0 0 127.0.0.1:8127 0.0.0.0:* LISTEN 10950/java
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 13040/nginx
tcp 0 0 :::81 :::* LISTEN 13040/nginx
Here, you can see that nginx is, in fact, listening on port 443 and 81 and DPA is, in fact, listening on 8123 and 8124.
Yet, I can connect to port 80 and access DPA (even though there is no port 80 listed in netstat), and even though nginx says it is listening on port 443, I am hitting DPA directly on port 443. If I use telnet from my local computer and connect to port 80 on the server, netstat shows an established connection between my IP address and port 8123 on the server.
What am I missing here? How come netstat shows what I would expect to see, but the behavior I see is that DPA is, in fact, responding on port 80 and 443?
On a whim, I checked iptables to see if any type of port redirection was being done. iptables is empty and using default ACCEPT policies.
Clearly something is intercepting these connections before they hit the daemons showing in netstat. Something is redirecting these ports. What should I look for?
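One check for the symptom described above, as an added example that is not part of the original post: `iptables -L` prints only the filter table, so redirect rules in the nat table do not show up there, while `iptables-save` dumps every table. The function name and the sample ruleset are constructed for illustration, and the assumption is that the redirect is a netfilter REDIRECT or DNAT rule.

```shell
#!/bin/sh
# Added example: report port-redirecting rules found in `iptables-save` output.
# Reads iptables-save text on stdin and prints one line per matching rule:
#   <table> <chain> <dport> <target> <destination>

find_port_redirects() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # table header: "*nat", "*filter", ...
        $1 == "-A" {
            chain = $2; dport = "any"; target = ""; dest = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "--to-ports" || $i == "--to-destination") dest = $(i + 1)
            }
            # Only rules that rewrite the destination are of interest here.
            if (target == "REDIRECT" || target == "DNAT")
                printf "%s %s %s %s %s\n", table, chain, dport, target, dest
        }
    '
}

# Constructed sample (not taken from the poster's host): the filter table is
# empty with ACCEPT policies, so `iptables -L` looks empty, while the nat
# table holds PREROUTING redirects to the Tomcat listener ports.
sample_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8123
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8124
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

sample_rules | find_port_redirects
# On a live host, as root: iptables-save | find_port_redirects
```

Rules in the nat PREROUTING chain are applied before the packet reaches a local socket, which is why netstat lists only the real listener ports.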