tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] Using iptables to remap port 443 -> 8443 for localhost
Date Sun, 04 Dec 2016 20:34:08 GMT

All,

On 12/4/16 3:30 PM, Christopher Schultz wrote:
> All,
> 
> I'm aware of various techniques to allow Tomcat to serve from port
> 80 without using root, but I've never actually tried using them
> before.
> 
> I'm trying to use iptables on a bare-metal Linux server running
> kernel 3.2 and I'm having no luck.
> 
> I've already got iptables doing other things for me, but adding
> this should not be interfering.
> 
> Here's what I've done (following [1]):
> 
> 
> $ sudo /sbin/iptables -I FORWARD -p tcp \
>   --destination-port 443 -j ACCEPT
> $ sudo /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp \
>   --destination-port 443 --to-ports 8443
> 
> So here are my tables, now:
> 
> $ sudo iptables-save | grep "\(FORWARD\|PREROUTING\)"
> :PREROUTING ACCEPT [10:1392]
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
> :FORWARD ACCEPT [0:0]
> -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
> -A FORWARD -j LOG
> 
> $ telnet localhost 8443
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> ^C
> Connection closed by foreign host.
> 
> (connects)
> 
> cschultz@europa:~$ telnet localhost 443
> Trying 127.0.0.1...
> telnet: Unable to connect to remote host: Connection refused
> 
> (fails)
> 
> Oddly enough, both ports 8443 and 443 are accessible from the
> outside:
> 
> elsewhere$ telnet myhost 8443
> Trying 204.9.143.102...
> Connected to europa.chadis.com.
> Escape character is '^]'.
> ^CConnection closed by foreign host.
> 
> elsewhere$ telnet myhost 443
> Trying 204.9.143.102...
> Connected to europa.chadis.com.
> Escape character is '^]'.
> ^CConnection closed by foreign host.
> 
> Do I need to do something different in order to allow "localhost" 
> connections to be PREROUTED?
> 
> Thanks, -chris


Looks like PREROUTING is ignored for localhost connections... OUTPUT
must be used instead:

$ sudo iptables -t nat -I OUTPUT -p tcp -o lo \
  --dport 443 -j REDIRECT --to-ports 8443

I'm going to add this to the wiki, just in case anyone else is puzzled
as to why localhost doesn't work given the existing instructions.

-chris
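Added example, not code from the thread: a small Python check over iptables-save text that reports whether a 443 -> 8443 REDIRECT exists in both the nat PREROUTING chain (inbound packets) and the nat OUTPUT chain (locally generated packets, which never traverse PREROUTING and so caused the localhost failure above). The sample dump is constructed from the rules posted in this thread; `redirect_coverage` and its helpers are hypothetical names.

```python
import shlex

# Constructed sample: the rules posted in the thread, before the fix.
BEFORE = """\
*filter
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [10:1392]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
"""
# Constructed sample: the same dump with the nat OUTPUT rule from the reply added.
OUTPUT_RULE = "-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443\n"
AFTER = BEFORE.replace("--to-ports 8443\n", "--to-ports 8443\n" + OUTPUT_RULE)

def _rules_in_table(dump, table):
    """Yield tokenised '-A' rule lines that belong to one table of the dump."""
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            current = line[1:]          # '*nat' opens the nat table
        elif line == "COMMIT":
            current = None
        elif current == table and line.startswith("-A "):
            yield shlex.split(line)

def _option(tokens, *names):
    for i, tok in enumerate(tokens[:-1]):   # value that follows the first matching option
        if tok in names:
            return tokens[i + 1]
    return None

def _is_redirect(tokens, from_port, to_port):
    return (_option(tokens, "-p") == "tcp"
            and _option(tokens, "--dport", "--destination-port") == str(from_port)
            and _option(tokens, "-j") == "REDIRECT"
            and _option(tokens, "--to-ports") == str(to_port))

def redirect_coverage(dump, from_port, to_port):
    """inbound: nat PREROUTING has the redirect; loopback: nat OUTPUT has it."""
    coverage = {"inbound": False, "loopback": False}
    for tokens in _rules_in_table(dump, "nat"):
        if _is_redirect(tokens, from_port, to_port):
            if tokens[1] == "PREROUTING":
                coverage["inbound"] = True
            elif tokens[1] == "OUTPUT":
                coverage["loopback"] = True
    return coverage
```

Feed it `sudo iptables-save` output; a result with `loopback` False is exactly the state that made `telnet localhost 443` fail while outside connections worked.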