IPTABLES: NAT from 8080 to 80 not working

ole_ersoy · #1 7th February 2012, 11:03 PM

Hi,

I'm attempting to redirect requests on port 80 to port 8080. My iptables configuration looks like this:

[root@ole ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.9 on Tue Feb 7 13:11:41 2012
*nat
:PREROUTING ACCEPT [1:272]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Tue Feb 7 13:11:41 2012
# Generated by iptables-save v1.4.9 on Tue Feb 7 13:11:41 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1055:953017]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Feb 7 13:11:41 2012

If I understand correctly the prerouting rule should do the trick. However requests are not getting rerouted. For example this still works:

http://localhost:8080/context/test.jsp

But this does not:
http://localhost/context/test.jsp

Any ideas?

TIA,
- Ole

07CobaltGirl · #2 8th February 2012, 03:21 AM

Quote:

Originally Posted by ole_ersoy

Hi,

I'm attempting to redirect requests on port 80 to port 8080. My iptables configuration looks like this:

[root@ole ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.9 on Tue Feb 7 13:11:41 2012
*nat
:PREROUTING ACCEPT [1:272]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Tue Feb 7 13:11:41 2012
# Generated by iptables-save v1.4.9 on Tue Feb 7 13:11:41 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1055:953017]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Feb 7 13:11:41 2012

If I understand correctly the prerouting rule should do the trick. However requests are not getting rerouted. For example this still works:

http://localhost:8080/context/test.jsp

But this does not:
http://localhost/context/test.jsp

Any ideas?

TIA,
- Ole

Is an "s" allowed? I've always just seen port.

Code:

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-port 8080

beaker_ · #3 8th February 2012, 03:31 AM

And you need to accept input on both ports, I see only port 80 being accepted.

07CobaltGirl · #4 8th February 2012, 03:32 AM

ahhhh, yep. I missed that too. Good catch!

ole_ersoy · #5 8th February 2012, 04:49 PM

Hi,

Thanks for the feedback. The "s" at the end of "ports" is ok. It seems the only thing necessary (At least to get it working for localhost / workstation development) is to add the "-d" flag set to localhost like this:

Code:

iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 8080

Now my configuration looks like this (Note that iptables translated localhost into the localhost ip address):

Code:

# Generated by iptables-save v1.4.9 on Wed Feb  8 10:31:05 2012
*nat
:PREROUTING ACCEPT [74:12295]
:OUTPUT ACCEPT [16:976]
:POSTROUTING ACCEPT [16:976]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Wed Feb  8 10:31:05 2012
# Generated by iptables-save v1.4.9 on Wed Feb  8 10:31:05 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2516:302400]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Feb  8 10:31:05 2012

Cheers,
- Ole