7

I have tomcat installed with puppet. It runs on standard 8080 port. The tomcat process is started as tomcat user. I'd like to redirect all traffic from port 80 to 8080. My iptables settings look as follows:

Nat:

# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             multiport dports http /* 099 forward port 80 to 8080 */ redir ports 8080

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination   

Standard iptables:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere             /* 000 accept all icmp */
ACCEPT     all  --  anywhere             anywhere             /* 001 accept all to lo interface */
REJECT     all  --  anywhere             loopback/8           /* 002 reject local traffic not on loopback interface */ reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             /* 003 accept related established rules */ state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             multiport dports ssh /* 004 accept ssh */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https /* 100 allow http and https access */
DROP       all  --  anywhere             anywhere             /* 999 drop all */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

I see that netstat shows that tomcat process is listening on port 8080:

# netstat -tulpn | grep 80
tcp6       0      0 :::8080                 :::*                    LISTEN      16273/java      
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      16273/java      
tcp6       0      0 :::8009                 :::*                    LISTEN      16273/java  

Seems like nothing is listening on port 80 though. telnet to that machine on port 80 and 8080 hangs.

What can I do to forward all traffic from 80 to 8080?

Marcin Pietraszek

3 Answers

34

Try this:

sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -I INPUT -p tcp --dport 8080 -j ACCEPT

And check the traffic:

sudo tcpdump -i any -n port 80

If you can't see the packet, you should check external firewall.

thatseeyou
  • Could you please tell me why the setup that I had didn't work? – Marcin Pietraszek May 18 '17 at 21:09
  • I think your `INPUT` filter has been dropping port 8080 packets at the last rule `DROP all -- anywhere anywhere `. So I inserted the ACCEPT rule at the first position. You can check the matching rule with `iptables -Z` and `iptables -nv` – thatseeyou May 18 '17 at 23:37
  • Is there any way to disallow network clients from reaching port 8080 directly, so they always go through port 80? – Jaime Hablutzel Sep 30 '20 at 00:42
2

I've been using this for years:

iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

But, important: this only works for traffic that comes from other hosts in the network. I.e., you cannot test like this:

curl localhost:8080

nor

curl <<same-host-ip>>:8081  (the host that has the iptables configured)

To check this configuration you need to be on another host.

Seeing your configuration it seems that you don't need another iptables rule.

Robert
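To see why the question's ruleset dropped the redirected traffic (the point of the accepted answer) and why a test from the host itself is never redirected (Robert's point), here is a small first-match model of the netfilter hook order. It is an added example, not code from the question or either answer. It walks one new inbound SYN through nat PREROUTING (or nat OUTPUT for locally generated packets) and then filter INPUT, using the rules shown in the question minus the RELATED,ESTABLISHED and loopback/8 REJECT rules, which do not affect a first SYN. It also goes beyond the page in two labelled places: a variant that accepts 8080 only when the packet was redirected (the real match is `-m conntrack --ctstate DNAT`; the rule and the OUTPUT-chain redirect for local clients are assumptions, not from the page).

```python
"""First-match model of iptables nat PREROUTING/OUTPUT -> filter INPUT.

Added example (not the poster's configuration): it reproduces why the rules in
the question drop a redirected packet, and why `curl localhost:80` on the host
itself never hits the PREROUTING REDIRECT at all.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    iface: str = "eth0"      # "lo" for connections the host makes to itself
    dnat: bool = False       # set once a nat rule rewrote the destination


@dataclass(frozen=True)
class Rule:
    target: str                        # ACCEPT / DROP / REDIRECT
    comment: str                       # the /* ... */ comment from iptables -L
    proto: Optional[str] = None        # -p
    dports: Tuple[int, ...] = ()       # --dport / multiport dports
    iface: Optional[str] = None        # -i (or -o in nat OUTPUT)
    ctstate_dnat: bool = False         # -m conntrack --ctstate DNAT (assumption, not on the page)
    redir_port: Optional[int] = None   # --to-port for REDIRECT

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.ctstate_dnat and not pkt.dnat:
            return False
        return True


def run_nat(chain: List[Rule], pkt: Packet) -> Packet:
    """Apply the first matching REDIRECT; nat chains only rewrite, never drop."""
    for rule in chain:
        if rule.target == "REDIRECT" and rule.matches(pkt):
            return replace(pkt, dport=rule.redir_port, dnat=True)
    return pkt


def run_filter(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, str]:
    """Return (verdict, reason) from the first matching filter rule, else the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target, rule.comment
    return policy, "chain policy"


def deliver(nat_prerouting: List[Rule], nat_output: List[Rule],
            filter_input: List[Rule], pkt: Packet) -> Tuple[int, str, str]:
    """Kernel order for a new inbound connection: nat PREROUTING runs before filter INPUT,
    so INPUT sees the rewritten port. Locally generated packets skip PREROUTING and
    traverse nat OUTPUT instead. Returns (final dport, verdict, reason)."""
    nat_chain = nat_output if pkt.iface == "lo" else nat_prerouting
    pkt = run_nat(nat_chain, pkt)
    verdict, why = run_filter(filter_input, pkt)
    return pkt.dport, verdict, why


# The rules from the question (first-SYN view).
NAT_PREROUTING = [Rule("REDIRECT", "099 forward port 80 to 8080", "tcp", (80,), redir_port=8080)]
NAT_OUTPUT: List[Rule] = []                     # the question's nat OUTPUT chain is empty
FILTER_INPUT = [
    Rule("ACCEPT", "000 accept all icmp", "icmp"),
    Rule("ACCEPT", "001 accept all to lo interface", iface="lo"),
    Rule("ACCEPT", "004 accept ssh", "tcp", (22,)),
    Rule("ACCEPT", "100 allow http and https access", "tcp", (80, 443)),
    Rule("DROP", "999 drop all"),
]

# The accepted answer: ACCEPT tcp dport 8080 inserted at the top of INPUT.
FILTER_INPUT_FIXED = [Rule("ACCEPT", "accept 8080", "tcp", (8080,))] + FILTER_INPUT

# Assumption beyond the page: accept 8080 only for packets the REDIRECT rewrote,
# so Tomcat cannot be reached on 8080 directly (iptables: -m conntrack --ctstate DNAT).
FILTER_INPUT_DNAT_ONLY = FILTER_INPUT[:-1] + [
    Rule("ACCEPT", "accept 8080 only via redirect", "tcp", (8080,), ctstate_dnat=True),
    FILTER_INPUT[-1],
]

# Assumption beyond the page: a REDIRECT in nat OUTPUT is what a local client would need.
NAT_OUTPUT_WITH_REDIRECT = [Rule("REDIRECT", "redirect local 80", "tcp", (80,), iface="lo", redir_port=8080)]


if __name__ == "__main__":
    remote80 = Packet("tcp", 80)
    print("question's rules, remote :80    ->", deliver(NAT_PREROUTING, NAT_OUTPUT, FILTER_INPUT, remote80))
    print("accepted answer, remote :80     ->", deliver(NAT_PREROUTING, NAT_OUTPUT, FILTER_INPUT_FIXED, remote80))
    print("DNAT-only, remote :8080 direct  ->", deliver(NAT_PREROUTING, NAT_OUTPUT, FILTER_INPUT_DNAT_ONLY, Packet("tcp", 8080)))
    print("question's rules, local :80     ->", deliver(NAT_PREROUTING, NAT_OUTPUT, FILTER_INPUT, Packet("tcp", 80, iface="lo")))
```

The first case ends at `999 drop all` with dport already 8080: the filter never sees port 80, which is why rule 100 did not help. The last case shows the local packet still carrying dport 80, where nothing listens, matching Robert's observation that a test from the host itself says nothing about the PREROUTING rule.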
0

Try this:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080

Be sure your rule is not causing a problem with another rule. To be sure, clean everything, launch this and test. If it works, then add your other rules.

OscarAkaElvis
  • Nope, it didn't help. Prior to running your command I've executed `iptables -t nat --flush` and `iptables --flush` to clean iptables for a while. With cleaned iptables 8080 is accessible, but 80 is still unreachable. – Marcin Pietraszek May 07 '17 at 17:43