Redirecting Port 8080 To Port 80 – How To Add In /etc/sysconfig/iptables File?


Good evening,

on a CentOS 7 LAMP (not gateway) dedicated server I am using iptables-services with the following /etc/sysconfig/iptables:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [294:35064]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 25,80,443,8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
COMMIT

Also I am running Jetty as user “nobody” at the port 8080 using the /etc/systemd/system/websocket-handler.service file:

[Unit]
Description=WebSocket Handler Service
After=network-online.target

[Service]
Type=simple
User=nobody
Group=nobody
ExecStart=/usr/bin/java -classpath '/usr/share/java/jetty/*' de.afarber.MyHandler 144.76.184.151:8080
ExecStop=/bin/kill ${MAINPID}
SuccessExitStatus3

[Install]
WantedBy=multi-user.target

However I actually need my Jetty program to run at port 80 – so that users behind corporate firewalls can connect too.

The Jetty doc at https://www.eclipse.org/jetty/documentation/current/setting-port80-access.html suggests to run the command

# iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

but I cannot figure out the corresponding line for /etc/sysconfig/iptables.

I have tried running the above command and then “iptables -S” to see the added rule, but that didn’t really work.

Thank you Alex

11 thoughts on - Redirecting Port 8080 To Port 80 – How To Add In /etc/sysconfig/iptables File?

  • On 20.06.2016 at 21:01, Alexander Farber wrote:

    [ … ]

    You will be surprised how easy it is to save the current ruleset:

    /usr/libexec/iptables/iptables.init save

    Regards

    Alexander

  • Hi,

    You can add the rule and then run “service iptables save” – it will save the current rules in /etc/sysconfig/iptables.

    When you run “iptables” or “iptables -S”, it prints only the filter table by default. Try “iptables-save” – it prints all rules. The other option is “iptables -t nat -L -n” or “iptables -t nat -S”.

    Hope it helps.

    Regards,

  • Hello again,

    unfortunately the following /etc/sysconfig/iptables file does not work:

    *nat
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :PREROUTING ACCEPT
    :POSTROUTING ACCEPT
    #-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    -A PREROUTING -p tcp -m tcp -d 144.76.184.154/32 --dport 80 -j REDIRECT --to-ports 8080
    COMMIT

    *filter
    :INPUT DROP
    :OUTPUT ACCEPT
    :FORWARD DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
    -A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
    -A INPUT -p tcp -m tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
    COMMIT

    I need incoming HTTP connections to 144.76.184.154:80 to be redirected to 144.76.184.154:8080 (where Jetty is listening as user “nobody”), but for some reason this does not happen.

    When I browse to http://144.76.184.154:8080 then I see Jetty response.

    But when I browse to http://144.76.184.154 nothing is returned.

    Can anybody please spot the error for me?

    Thank you Alex

  • Hello Gordon and others

    here the problem description again:

    I have Jetty running as user “nobody” at the port 8080.

    I need to redirect incoming HTTP requests to port 80 to the above port.

    (So I don’t think I have ports backwards).

    Here is my current /etc/sysconfig/iptables:

    *filter
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :FORWARD ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
    -A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
    -A INPUT -p tcp -m tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dst 144.76.184.154 --dport 8080 -j ACCEPT
    COMMIT

    *nat
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :PREROUTING ACCEPT
    :POSTROUTING ACCEPT
    -A PREROUTING -p tcp --dst 144.76.184.154 --dport 8080 -j REDIRECT --to-port 80
    COMMIT

    And here is my /etc/sysctl.conf:

    net.ipv4.ip_forward=1
    net.ipv6.conf.all.disable_ipv6=1
    net.ipv6.conf.default.disable_ipv6=1

    Unfortunately, the redirect does not work:

    When I browse to my site port 8080, I see Jetty.

    When I browse to my site port 80, connection is refused.

    Here I print the tables:

    # iptables -t filter -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere             icmp any
    ACCEPT     tcp  --  anywhere             anywhere             tcp state NEW multiport dports SMTP,http,https,webcache
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN state NEW limit: avg 2/min burst 1

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             afarber.de           tcp dpt:webcache

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    # iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    REDIRECT   tcp  --  anywhere             afarber.de           tcp dpt:webcache redir ports 80

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

    Please help Alex

  • On 2016-06-21 16:24, Alexander Farber wrote:

    [ … ]

    That’s not what you want and described above. What you are doing here is redirect traffic to destination address 144.76.184.154 on destination port 8080 to port 80. Instead you want to achieve that traffic destined to port 80 is redirected locally to port 8080 where jetty is listening.

    [ … ]

    Regards

    Alexander

  • And this?

    # TCP packets from 192.168.1.2, port 12345 to 12356
    # to 123.123.123.123, Port 22
    # (a backslash indicates continuation at the next line)

    iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.2 \
    --sport 12345:12356 -d 123.123.123.123 --dport 22 […]

  • On 2016-06-21 16:58, Always Learning wrote:

    Both hints are irrelevant in his case.

    He needs port redirection by letting iptables rewrite the TCP header destination port. There is no IP forwarding of the kernel involved. Neither does he need to do full DNAT (or whatever the incomplete cited rule should do; it lacks a target directive).

    Alexander

  • I think I have finally figured it out –

    http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html

    says that “-j REDIRECT” is just a shortcut for “-j DNAT” with destination address being the one of the interface:

    “There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.”

    And in my case that just can not work, because my CentOS 7 server has 4 IP addresses.

    (I am sorry, that I haven’t mentioned it, because I didn’t think it would matter).

    At “eth0” port 80 I have Apache+WordPress (which can drop root rights).

    And at “eth0:1” port 8080 I run Jetty (which can not drop root rights). But I need Jetty at port 80 (so that websockets work for corporate users behind proxies) and I want it to run as user “nobody”.

    So I have created a custom systemd service file /etc/systemd/system/websocket-handler.service to start Jetty:

    [Unit]
    Description=WebSocket Handler Service
    After=network-online.target

    [Service]
    Type=simple
    User=nobody
    Group=nobody
    ExecStart=/usr/bin/java -classpath '/usr/share/java/jetty/*' de.afarber.MyHandler 144.76.184.151:8080
    ExecStop=/bin/kill ${MAINPID}
    SuccessExitStatus3

    [Install]
    WantedBy=multi-user.target

    And now I have figured out how to redirect the incoming requests with net.ipv4.ip_forward=1 in /etc/sysctl.conf and with the following /etc/sysconfig/iptables:

    *filter
    :INPUT DROP
    :OUTPUT ACCEPT
    :FORWARD DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
    -A FORWARD -p tcp --dst 144.76.184.154 --dport 8080 -j ACCEPT
    COMMIT

    *nat
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :PREROUTING ACCEPT
    :POSTROUTING ACCEPT
    -A PREROUTING -p tcp --dst 144.76.184.154 --dport 80 -j DNAT --to-destination 144.76.184.154:8080
    COMMIT

    The only thing that I don’t understand is if

    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :PREROUTING ACCEPT
    :POSTROUTING ACCEPT

    is ok (and what it means here) or if I should use DROP.

    I have tried a few combinations… but I am not sure.

    Thank you Alex
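As an added example (not from the thread or its participants), a small POSIX sh script that writes an /etc/sysconfig/iptables in the iptables-save format the replies refer to, using DNAT with an explicit --to-destination as the last post does, plus a check that rejects the reversed 8080 -> 80 rule posted earlier; 203.0.113.10 is a constructed placeholder address and the function names are my own.

```shell
#!/bin/sh
# Added example, not the thread's own config. Emits an /etc/sysconfig/iptables
# in iptables-save format (what "service iptables save" writes and what
# iptables.init / iptables-restore load) that rewrites port 80 -> 8080 on ONE
# address, and a check that catches the mistakes seen in the thread.

# DNAT with an explicit --to-destination instead of REDIRECT: REDIRECT always
# rewrites to the primary address of the incoming interface, which is wrong on
# a host with several addresses. The nat table is not a filter (it is consulted
# only for the first packet of a connection), so its chain policies stay ACCEPT.
nat_block() {
    ip=$1 from=$2 to=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -d ${ip}/32 --dport ${from} -j DNAT --to-destination ${ip}:${to}
COMMIT
EOF
}

# The filter table sees the packet after nat PREROUTING, i.e. with the rewritten
# port, so INPUT must accept $to. Locally delivered traffic takes
# PREROUTING -> INPUT, never FORWARD, so no FORWARD rule or ip_forward is needed.
filter_block() {
    to=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport ${to} -j ACCEPT
COMMIT
EOF
}

# Returns 1 for a rule pointing the wrong way (8080 -> 80, as posted above),
# for a filter that does not admit the rewritten port, or a missing COMMIT.
check_ruleset() {
    rs=$1 from=$2 to=$3
    printf '%s\n' "$rs" | grep -q -- "--dport ${from} -j DNAT --to-destination [0-9.]*:${to}\$" || return 1
    printf '%s\n' "$rs" | grep -Eq -- "^-A INPUT .*--dports? ([0-9]+,)*${to}(,[0-9]+)* -j ACCEPT" || return 1
    [ "$(printf '%s\n' "$rs" | grep -c '^\*')" -eq "$(printf '%s\n' "$rs" | grep -c '^COMMIT$')" ]
}

# Stand-alone use: sh this_file.sh 203.0.113.10 > /etc/sysconfig/iptables
if [ -n "${1:-}" ]; then nat_block "$1" 80 8080; filter_block 8080; fi
```

The check also accepts the multiport form used in the thread (--dports 25,80,443,8080), since the rewritten port 8080 appears in that list.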