iptables fubared?

Bill Shirley bshirley at memphis.apirx.biz
Fri Oct 5 08:00:40 UTC 2012


Maybe I didn't understand correctly.  You're wanting to redirect traffic 
received on eth0 port 80 to port 8080.  Is this correct?
"iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080"

If so, then you wouldn't expect to see any traffic on eth0 port 8080 
(neither coming nor going), right?

Bill


On 10/4/2012 9:36 PM, Mark Space wrote:
> I don't understand this comment:
>
> "If you get traffic on port 8080 then you have an iptables problem."
>
> Wouldn't it be the opposite?  If I DON'T have traffic on port 8080, I 
> have problems with iptables.  But maybe I misunderstand how iptables 
> or tcpdump work.
>
>
>
> On 10/4/2012 4:52 PM, Bill Shirley wrote:
>> Check your listen statement in  /etc/httpd/conf/httpd.conf.  It 
>> should be:
>> Listen 8080
>>
>> If that is correct, run tcpdump (ctrl+c to quit) and then try 
>> externally connecting :
>> tcpdump -n -i eth0 port 80 or port 8080
>>
>> If you get traffic on port 8080 then you have an iptables problem.
>>
>> Bill
>>
>>
>> On 10/4/2012 3:45 PM, Mark Space wrote:
>>> Hi all, I'm having a bit of trouble setting up a new web server. The 
>>> last time I set it up it went smoothly, but for some reason I can't 
>>> connect to the HTTP port on this one.
>>>
>>> Any clues what I'm missing?
>>>
>>> I can:
>>>
>>> 1. SSH into my server from an external workstation.
>>> 2. Ping my server by DNS name from an external workstation.
>>> 3. I can load the default web page when I'm SSH'd in, this works fine:
>>> $ wget localhost
>>> --2012-10-04 17:44:35--  http://localhost/
>>> Resolving localhost... 127.0.0.1
>>> Connecting to localhost|127.0.0.1|:80... connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 2432 (2.4K) [text/html]
>>> Saving to: ‘index.html.1’
>>>
>>> 100%[======================================>] 2,432       --.-K/s   in 0s
>>>
>>> 2012-10-04 17:44:35 (183 MB/s) - ‘index.html.1’
>>>
>>>
>>> However, I cannot connect via HTTP externally, even using the IP 
>>> address:
>>>
>>> 4. Unable to connect Firefox can't establish a connection to the 
>>> server at 54.243.205.88.
>>>
>>> I'm not sure where I could have fubared this. I did try to redirect 
>>> the ports from 80 to 8080, perhaps that was done incorrectly?
>>>
>>> [ec2-user at domU-12-31-39-0A-A0-29 ~]$ sudo iptables -L
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>> [ec2-user at domU-12-31-39-0A-A0-29 ~]$ sudo iptables -t nat -L -n -v
>>> Chain PREROUTING (policy ACCEPT 21 packets, 1608 bytes)
>>>   pkts bytes target     prot opt in     out     source               destination
>>>    150  7600 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
>>>
>>> Chain INPUT (policy ACCEPT 171 packets, 9208 bytes)
>>>   pkts bytes target     prot opt in     out     source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT 45 packets, 3625 bytes)
>>>   pkts bytes target     prot opt in     out     source               destination
>>>      2   120 REDIRECT   tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:80 redir ports 8080
>>>      0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            10.211.163.215       tcp dpt:80 redir ports 8080
>>>
>>> Chain POSTROUTING (policy ACCEPT 47 packets, 3745 bytes)
>>>   pkts bytes target     prot opt in     out     source               destination
>>>
>>>
>>>
>>> I thought this should be exactly the same as the last time I did it, 
>>> so I don't know why it wouldn't work.
>>> Here's the script I used to set up the iptables:
>>>
>>> iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 8080
>>> iptables -t nat -A OUTPUT -d 10.211.163.215 -p tcp --dport 80 -j REDIRECT --to-ports 8080
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
>>> /etc/init.d/iptables save
>>> /etc/init.d/iptables restart
>>>
>>>
>>> I'm completely at a loss how to troubleshoot this further, any 
>>> advice is much appreciated.
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
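To make Bill's point concrete, here is an added shell diagnostic (not code from either poster) that reads `iptables -t nat -L -n -v` output and an httpd.conf excerpt and says where to look next. The nat table text is the output Mark pasted, embedded as a constructed sample so the script runs offline; the httpd.conf excerpt is constructed, and the function names are hypothetical. On a live host the two samples would be replaced with `"$(sudo iptables -t nat -L -n -v)"` and `"$(cat /etc/httpd/conf/httpd.conf)"`.

```shell
#!/bin/sh
# Added diagnostic for the redirect problem discussed in this thread.
# NAT_SAMPLE is the `iptables -t nat -L -n -v` output from the original mail,
# used as a constructed sample; HTTPD_CONF_SAMPLE is a constructed excerpt.

NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 21 packets, 1608 bytes)
 pkts bytes target     prot opt in     out     source               destination
  150  7600 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080

Chain INPUT (policy ACCEPT 171 packets, 9208 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 45 packets, 3625 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REDIRECT   tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:80 redir ports 8080
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            10.211.163.215       tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT 47 packets, 3745 bytes)
 pkts bytes target     prot opt in     out     source               destination'

HTTPD_CONF_SAMPLE='# constructed excerpt of /etc/httpd/conf/httpd.conf
ServerRoot "/etc/httpd"
#Listen 80
Listen 8080'

# redirect_pkts NAT_TEXT CHAIN IFACE DPORT TOPORT
# Prints the packet counter of the first REDIRECT rule in CHAIN that matches
# "tcp dpt:DPORT" on input interface IFACE and rewrites it to TOPORT; prints
# nothing when no such rule exists.  Columns follow the `iptables -L -n -v`
# layout: pkts bytes target prot opt in out source destination [match ...]
redirect_pkts() {
    printf '%s\n' "$1" | awk -v chain="$2" -v iface="$3" -v dport="$4" -v toport="$5" '
        /^Chain / { cur = $2; next }
        cur == chain && $3 == "REDIRECT" && $4 == "tcp" && $6 == iface &&
            $11 == ("dpt:" dport) && $NF == toport { print $1; exit }
    '
}

# listen_ports CONF_TEXT
# Prints the ports httpd is configured to accept on, skipping commented-out
# Listen lines and stripping any "address:" prefix.
listen_ports() {
    printf '%s\n' "$1" | awk '$1 == "Listen" { sub(/.*:/, "", $2); print $2 }'
}

# redirect_status NAT_TEXT CONF_TEXT DPORT TOPORT
# One word that says where to look next:
#   missing     - no PREROUTING REDIRECT on eth0 for DPORT: the nat rule is not loaded
#   unmatched   - rule present but zero packets: outside traffic never reached eth0
#   no-listener - packets are being redirected but httpd has no Listen TOPORT
#   ok          - redirect is matching and httpd listens on TOPORT
redirect_status() {
    pkts=$(redirect_pkts "$1" PREROUTING eth0 "$3" "$4")
    if [ -z "$pkts" ]; then
        echo missing
    elif [ "$pkts" -eq 0 ]; then
        echo unmatched
    elif listen_ports "$2" | grep -qx "$4"; then
        echo ok
    else
        echo no-listener
    fi
}

# Stand-alone run against the samples.  Note that tcpdump taps packets before
# the nat PREROUTING hook rewrites them, so redirected connections still show
# up in a capture as port 80 traffic, never as port 8080.
echo "PREROUTING redirect 80->8080 matched $(redirect_pkts "$NAT_SAMPLE" PREROUTING eth0 80 8080) packets"
echo "status: $(redirect_status "$NAT_SAMPLE" "$HTTPD_CONF_SAMPLE" 80 8080)"
echo "capture with: tcpdump -n -i eth0 port 80"
```

With the counters Mark pasted, the PREROUTING rule has already matched 150 packets, so the redirect itself is firing; that is why a capture showing port 8080 on eth0 would point to a misbehaving nat table, while a correct setup shows only port 80 on the wire.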
