1

I have an http server listening on ports 8080 (http) and 8081 (https) on 127.0.0.1

I have these iptables rules to redirect from/to $external_ip:

iptables -t nat -A PREROUTING -i eno1 -p tcp -d $external_ip --dport 80  -j DNAT --to-destination 127.0.0.1:8080
iptables -t nat -A PREROUTING -i eno1 -p tcp -d $external_ip --dport 443 -j DNAT --to-destination 127.0.0.1:8081
  • HTTP (80 to/from 8080) works fine
  • HTTPS (443 to/from 8081) doesn't work

The server is a Tomcat instance using apache APR libraries to handle https connections.

Is there something I'm missing?

UPDATE: Chains for table NAT: $ iptables -t nat -L -n -v

Chain PREROUTING (policy ACCEPT 1111 packets, 69838 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   14   724 REDIRECT   tcp  --  eno1   *       0.0.0.0/0            101.0.105.178        tcp dpt:80 redir ports 8080
    6   360 REDIRECT   tcp  --  eno1   *       0.0.0.0/0            101.0.105.178        tcp dpt:443 redir ports 8081

Chain INPUT (policy ACCEPT 1064 packets, 66008 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 9 packets, 596 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 9 packets, 596 bytes)
 pkts bytes target     prot opt in     out     source               destination
morgano
  • 123
  • 1
  • 7
  • Any other deny/accept rules? Please, post your rules using `iptables -L -n -v` and `iptables -t nat -L -n -v` (NAT rules). – Khaled Feb 19 '17 at 11:26
  • @Khaled these are the only two rules, there are no rules in table "filter" and policies for all chains (INPUT, FORWARD, OUTPUT) are "ACCEPT". for table "nat" is the same (poliy = ACCEPT) except obviously for PREROUTING (two rules, policy = ACCEPT) – morgano Feb 19 '17 at 12:02
  • Have you configured your Tomcat properly with SSL certificates? – Tero Kilkanen Feb 19 '17 at 15:02

2 Answers2

1

I can see that your rules are correct. The possibility of blocking traffic by your firewall has been verified as you commented. The NAT rule has been hit several times as indicated in the bytes and packets counter shown in output of iptables -t nat -L -n -v.

You need to make sure you can access the port 443 locally, and you can verify your web server is listening on this port using netstat -lnp.

Khaled
  • 36,533
  • 8
  • 72
  • 99
1

Workaround (sort of)

Either iptables, Tomcat or Apache APR doesn't like listening from the loopback interface.

I finally made it working by using an interface other than lo (127.0.0.1)

iptables -t nat -A PREROUTING -i eno1 -p tcp -d $external_ip --dport 80  -j DNAT --to-destination $local_ip:8080
iptables -t nat -A PREROUTING -i eno1 -p tcp -d $external_ip --dport 443 -j DNAT --to-destination $local_ip:8081

I my case I used a dummy interface (linux module: dummy) as I wanted Tomcat to "listen" from a "private" ip.

I'm posting this as an answer for future people having the same problem as me, But I'm not marking this answer as the accepted one as I'm neither solving the problem of using the loopback nor providing an explanation of why it works fine with http but not with https.

morgano
  • 123
  • 1
  • 7