
I'm configuring a new EC2 instance, which will be running Tomcat, and I want it accessible on Port 80.

Within Amazon Linux 1, the primary strategy I saw people using was to use iptables to do port forwarding. It's not my ideal strategy, but it has worked fine.

Setting up a new EC2 instance with Amazon Linux 2, it quickly became apparent that Amazon Linux 2 uses systemd. As a result, you definitely can't do service iptables save:

The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.

Sure. So is there an iptables service like there seems to be in some distros? systemctl status iptables suggests no:

Unit iptables.service could not be found.

Is there a mechanism in Amazon Linux to load iptables configuration from a file? I don't mind putting my configuration in a file, or doing an iptables-save to a file, but I haven't found any sign in Amazon Linux 2 that there's a mechanism already in place to use a file. If there isn't one, what's the best strategy -- make my own iptables unit in systemd? Or is there a better way to make Tomcat accessible on Port 80 with Amazon Linux 2?

  • Why aren't you just using firewalld? – Michael Hampton Sep 25 '18 at 23:13
  • Doesn't look like `firewalld` is installed by default -- I could certainly install it, does seem to be in the yum repo. `iptables` seems to be there by default, although perhaps not configured to do anything. I've used `firewalld` on Fedora, so I can live with that, I know how to use it to port-forward to Tomcat as well. Mostly, just looking for the right way to hook up Tomcat to the default HTTP port with a minimum of installation and configuration and in the most idiomatic way. You're recommending `firewalld` is the best path? – Geoffrey Wiseman Sep 26 '18 at 12:56
  • At this point I think everyone should be using firewalld unless they need something extremely complicated that firewalld can't handle (and it's hard to think of anything that might qualify). It's very easy to screw up writing iptables rules directly; it's harder to mess up firewalld. – Michael Hampton Sep 26 '18 at 16:30

1 Answer


iptables isn't installed by default. You need to run:

yum install iptables-services

But, iptables is also deprecated, in favor of firewalld.

However, my personal preference for exposing tomcat on port 80 is to actually front it with apache httpd using mod_proxy. httpd listens on port 80, and proxies to port 8080.

guzzijason

  • Apache proxying feels like a more complicated piece of software to do the same job, to me. Of course, even port forwarding feels excessive, the Ubuntu style `authbind` approach "feels better" to me, but not an option in Amazon Linux, CentOS or Fedora. Can I ask what you like about going the Apache route? – Geoffrey Wiseman Sep 26 '18 at 13:01
  • If you ever want to do things like header re-writing, HTTP redirection, path mappings, etc, having apache httpd layered in front of tomcat comes in very handy. Terminating SSL in httpd is easier than in tomcat, IMHO, as well. In a previous role, I had to manage a large number of java app servers, and this was standard procedure for us. Yes, it may be overkill for some. – guzzijason Sep 26 '18 at 14:25
  • @guzzijason See [here](https://serverfault.com/q/413108/126632) regarding running Tomcat on port 80 without a web server in front of it. – Michael Hampton Sep 26 '18 at 16:29
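The file-based approach the question asks about, as an added example that is not from the question or the answers: after `yum install iptables-services`, the `iptables.service` unit loads `/etc/sysconfig/iptables` (iptables-save format) at boot, so the 80 to 8080 redirect can be written as a rules file rather than as ad-hoc commands. The function, its arguments and the default ports are this example's own choices.

```shell
#!/bin/sh
# Added example: generate an iptables-restore rules file that redirects
# inbound TCP/80 to Tomcat on 8080, in the format iptables.service (from the
# iptables-services package) loads from /etc/sysconfig/iptables.
# The output path is an argument so the file can be inspected before deploying.

# write_redirect_rules RULES_FILE [FROM_PORT] [TO_PORT]
write_redirect_rules() {
    rules_file=$1
    from_port=${2:-80}
    to_port=${3:-8080}
    cat > "$rules_file" <<EOF
# Generated rules file in iptables-save format (nat table only).
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Connections arriving from the network for port ${from_port} go to Tomcat on ${to_port}.
-A PREROUTING -p tcp --dport ${from_port} -j REDIRECT --to-ports ${to_port}
# Locally originated connections (curl localhost:${from_port}) skip PREROUTING,
# so the OUTPUT chain covers them for loopback traffic.
-A OUTPUT -o lo -p tcp --dport ${from_port} -j REDIRECT --to-ports ${to_port}
COMMIT
EOF
}

# check_rules RULES_FILE: parse the file without committing it to the live
# tables (needs iptables-restore, normally as root). Returns non-zero on a
# syntax error, so a bad file is caught before 'systemctl restart iptables'.
check_rules() {
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1"
    else
        echo "iptables-restore not available; skipping syntax check" >&2
    fi
}

# Deploy on Amazon Linux 2 (after 'yum install iptables-services'):
#   write_redirect_rules /etc/sysconfig/iptables
#   check_rules /etc/sysconfig/iptables
#   systemctl enable --now iptables      # loads the file now and at every boot
# Keep only port 80 open in the EC2 security group; 8080 stays unreachable
# from outside since the redirect happens on the instance.
# firewalld equivalent of the same redirect, if you take Michael Hampton's advice:
#   firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8080
#   firewall-cmd --reload
```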