0

I'm trying to configure port redirection from port 80 to 8080 on a server with both IPv4 and IPv6 support. The OS is Ubuntu 14.04 with the 3.2* series kernel. It is a production server, so I don't want to upgrade the kernel.

I'm using UFW as firewall software and I'd like to stick with it for IPv6 as well. Currently, I handle port redirection for IPv4 in /etc/ufw/before.rules with this:

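```
*nat
:PREROUTING ACCEPT [0:0]

# Redirect incoming TCP port 80 to local port 8080
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

# Each table block in before.rules must end with COMMIT
COMMIT
```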

This works perfectly for IPv4, but if I add this into before6.rules, UFW won't start and complains about a problem running ufw-init.

From searching the web, including this site, I've found out that ip6tables doesn't support NAT and REDIRECT in kernels older than 3.8. I've also come across a solution using ip6tables' TPROXY, but I haven't been able to find the right syntax for the before6.rules for ufw and, more importantly, I believe that TPROXY is not the same as REDIRECT (I'm not that good with iptables, so I may be wrong, feel free to correct this statement).

So my final question is:

Is it possible to redirect port 80 to 8080 via UFW for IPv6 connections on a box with a 3.2 kernel? And if ufw doesn't support this, is it possible to accomplish it via ip6tables only?

Thank you in advance!

Halis
j0hny

1 Answer

-1

Well, I was able to make this work via a different solution. As Sander Steffann stated in the comments, it probably isn't possible to do this via iptables and/or ufw.

Instead, I came across a daemon, xinetd, which helped me accomplish what I wanted - simply redirect 80 to 8080 on both IPv4 and IPv6 connections.

j0hny
  • This is functional, but now you have no idea of anyone's IP address who connects to the service. Better to just put the service on port 80 and save yourself all the trouble. – Michael Hampton Jul 01 '14 at 12:31
  • It's not possible for me to put the service (tomcat) on port 80, due to lack of support of authbind for IPv6. When I try to configure tomcat to listen on port 80 and turn on IPv6, it will stop listening at all. – j0hny Jul 04 '14 at 11:49
  • Ahh, the problem is that you are [supposed to have an actual web server such as nginx in front of Tomcat](https://serverfault.com/q/413108/126632). But you've probably already learned this by now. I only just saw your comment today as I wasn't tagged in it. – Michael Hampton Oct 24 '18 at 14:02
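
An xinetd service definition of the kind the answer describes, added here as an example and not taken from the original post. The file path, service name, backend address, `user` value and connection limits are assumptions, and the logging lines address the lost client address raised in the first comment.

```conf
# /etc/xinetd.d/http-redirect  (hypothetical file and service name)
# Relays TCP port 80 to a backend on port 8080.
service http-redirect
{
    disable         = no

    # Not listed in /etc/services, so protocol and port are given here.
    type            = UNLISTED
    socket_type     = stream
    protocol        = tcp
    port            = 80
    wait            = no

    # AF_INET6 listener. IPv4 clients are accepted as ::ffff:a.b.c.d
    # only while the socket is dual-stack (assumed system default).
    flags           = IPv6

    # Required attribute for this service type; the value is an assumption.
    user            = root

    # Assumed backend: Tomcat listening on IPv4 loopback, port 8080.
    redirect        = 127.0.0.1 8080

    # The backend sees only the relay as its peer, so record the real
    # client address in xinetd's own log.
    log_type        = SYSLOG daemon info
    log_on_success  = HOST PID DURATION
    log_on_failure  = HOST

    # Constructed limits; tune them for the real load.
    instances       = 200
    per_source      = 20
    cps             = 100 5
}
```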