
I've got the following setup:

Application A - makes HTTP requests to some API, running on http://localhost:8090.

Application B - intercepts HTTP requests from A, a proxy running on http://localhost:8080.

Is it possible to force HTTP traffic from one application to another app running on the same host?

I've been trying something like this:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080

But it seems it works only if the destination of the HTTP request is some external API; it is not working if the API resource server is also deployed on localhost (I suspect this is due to --dport 80). I don't know much about iptables, but is something like that even possible? If so, how can I accomplish this?

1 Answer


The iptables rule can work, but you have to activate routing on the machine for this to work on locally delivered packets. Also beware that on newer machines "localhost" often resolves to the IPv6 loopback address (::1), so then you would need the corresponding ip6tables rules. An initial connection failure on IPv6 can be masked, and come back to haunt you later, by an automatic fallback to IPv4 in your testing client (for example, this is what curl does if you do not specify -6 on the command line).

If packets come from outside, you need to set the same rule in the PREROUTING chain.

# Activate forwarding
# Note: These forward settings are not reboot persistent
# Note: Putting your machine in router mode resets a lot of IP stack parameters
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv4.ip_forward=1
Gerrit
  • Thanks @Gerrit for your comment. Yes, I know about active routing. I enabled it before trying to create the iptables rules. The thing is that I have no idea how to force traffic from 8080 to 8090. The only thing I have achieved is 80 -> 8090, I think this is due to the fact that port 80 is designed for HTTP traffic. But when I create the iptables rule 8080->8090 my proxy doesn't do anything at all, just like the traffic wasn't there. – uiguyf ufdiutd Jun 08 '20 at 13:47
  • iptables certainly does not treat any port number in a special way. An HTTP server may act differently depending on how it received the traffic, because a client can for example include the original port number in the Host header. Do your rules get hit? Use `iptables -t nat -nvL` to look at packet counts. – Gerrit Jun 09 '20 at 08:43
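As an added example (not from the question or from Gerrit's answer), the following POSIX shell script installs the loopback redirect for the ports in the question: locally generated TCP traffic to localhost:8090 is sent to the proxy on 8080, for IPv4 and IPv6. It assumes the proxy runs as a dedicated user (the name `proxy` is a hypothetical placeholder) so that the `owner` match can exclude the proxy's own connections from the redirect; without that exclusion the proxy's upstream connection to :8090 would itself be redirected back to :8080 and loop. The `redirect_hits` helper parses the packet counters from `iptables -t nat -nvxL OUTPUT` as Gerrit's comment suggests; the dump embedded below is constructed sample output, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions: the proxy process
# runs as the user in PROXY_USER (hypothetical default "proxy"); API and proxy
# ports are the ones from the question.
API_PORT=8090
PROXY_PORT=8080
PROXY_USER=${PROXY_USER:-proxy}

# Emit the rules as text so they can be reviewed before being applied.
# "-o lo" limits the redirect to loopback traffic; "-m owner ! --uid-owner"
# skips the proxy's own connections so its upstream request to :8090 is not
# redirected back to :8080 (an infinite loop otherwise).
redirect_rules() {
    cat <<EOF
iptables -t nat -A OUTPUT -o lo -p tcp --dport $API_PORT -m owner ! --uid-owner $PROXY_USER -j REDIRECT --to-ports $PROXY_PORT
ip6tables -t nat -A OUTPUT -o lo -p tcp --dport $API_PORT -m owner ! --uid-owner $PROXY_USER -j REDIRECT --to-ports $PROXY_PORT
EOF
}

# Apply the rules (needs root); -D instead of -A removes them again.
install_redirect() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to install rules" >&2; return 1; }
    redirect_rules | sh -e
}
remove_redirect() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to remove rules" >&2; return 1; }
    redirect_rules | sed 's/ -A / -D /' | sh -e
}

# Return the packet counter of the first REDIRECT rule for "dpt:<port>" in a
# dump produced by `iptables -t nat -nvxL OUTPUT` (-x gives exact counts).
# Columns with -v are: pkts bytes target prot opt in out source destination ...
# Usage: redirect_hits "$(iptables -t nat -nvxL OUTPUT)" 8090
redirect_hits() {
    printf '%s\n' "$1" | awk -v port="dpt:$2" '
        $3 == "REDIRECT" { for (i = 4; i <= NF; i++) if ($i == port) { print $1; exit } }'
}

# Constructed sample dump (not real output) used to exercise redirect_hits.
SAMPLE_DUMP='Chain OUTPUT (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 REDIRECT   tcp  --  *      lo      0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
      42       2520 REDIRECT   tcp  --  *      lo      0.0.0.0/0            0.0.0.0/0            tcp dpt:8090 ! owner UID match 1001 redir ports 8080'

case "${1:-}" in
    show)    redirect_rules ;;
    install) install_redirect ;;
    remove)  remove_redirect ;;
    check)   redirect_hits "$(iptables -t nat -nvxL OUTPUT)" "$API_PORT" ;;
esac
```

Run `sh redirect.sh show` to inspect the rules, `sudo sh redirect.sh install` to apply them, then make a request from Application A and compare `sh redirect.sh check` before and after: a counter that stays at 0 means the rule is not being matched (wrong port, wrong address family, or the client connected via ::1 while only the IPv4 rule was added).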