iptables fubared?
Bill Shirley
bshirley at memphis.apirx.biz
Fri Oct 5 08:00:40 UTC 2012
Maybe I didn't understand correctly. You're wanting to redirect traffic
received on eth0 port 80 to port 8080. Is this correct?
"iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080"
If so, then you wouldn't expect to see any traffic on eth0 port 8080
(neither coming nor going), right?
Bill
On 10/4/2012 9:36 PM, Mark Space wrote:
> I don't understand this comment:
>
> "If you get traffic on port 8080 then you have an iptables problem."
>
> Wouldn't it be the opposite? If I DON'T have traffic on port 8080, I
> have problems with iptables. But maybe I misunderstand how iptables
> or tcpdump work.
>
>
>
> On 10/4/2012 4:52 PM, Bill Shirley wrote:
>> Check your listen statement in /etc/httpd/conf/httpd.conf. It
>> should be:
>> Listen 8080
>>
>> If that is correct, run tcpdump (ctrl+c to quit) and then try
>> externally connecting:
>> tcpdump -n -i eth0 port 80 or port 8080
>>
>> If you get traffic on port 8080 then you have an iptables problem.
>>
>> Bill
>>
>>
>> On 10/4/2012 3:45 PM, Mark Space wrote:
>>> Hi all, I'm having a bit of trouble setting up a new web server. The
>>> last time I set it up it went smoothly, but for some reason I can't
>>> connect to the HTTP port on this one.
>>>
>>> Any clues what I'm missing?
>>>
>>> I can:
>>>
>>> 1. SSH into my server from an external workstation.
>>> 2. Ping my server by DNS name from an external workstation.
>>> 3. I can load the default web page when I'm SSH'd in, this works fine:
>>> $ wget localhost
>>> --2012-10-04 17:44:35-- http://localhost/
>>> Resolving localhost... 127.0.0.1
>>> Connecting to localhost|127.0.0.1|:80... connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 2432 (2.4K) [text/html]
>>> Saving to: ‘index.html.1’
>>>
>>> 100%[======================================>] 2,432 --.-K/s in 0s
>>>
>>> 2012-10-04 17:44:35 (183 MB/s) - ‘index.html.1’
>>>
>>>
>>> However, I cannot connect via HTTP externally, even using the IP
>>> address:
>>>
>>> 4. Unable to connect Firefox can't establish a connection to the
>>> server at 54.243.205.88.
>>>
>>> I'm not sure where I could have fubared this. I did try to redirect
>>> the ports from 80 to 8080, perhaps that was done incorrectly?
>>>
>>> [ec2-user at domU-12-31-39-0A-A0-29 ~]$ sudo iptables -L
>>> Chain INPUT (policy ACCEPT)
>>> target prot opt source destination
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target prot opt source destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target prot opt source destination
>>> [ec2-user at domU-12-31-39-0A-A0-29 ~]$ sudo iptables -t nat -L -n -v
>>> Chain PREROUTING (policy ACCEPT 21 packets, 1608 bytes)
>>> pkts bytes target prot opt in out source destination
>>> 150 7600 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
>>>
>>> Chain INPUT (policy ACCEPT 171 packets, 9208 bytes)
>>> pkts bytes target prot opt in out source destination
>>>
>>> Chain OUTPUT (policy ACCEPT 45 packets, 3625 bytes)
>>> pkts bytes target prot opt in out source destination
>>> 2 120 REDIRECT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:80 redir ports 8080
>>> 0 0 REDIRECT tcp -- * * 0.0.0.0/0 10.211.163.215 tcp dpt:80 redir ports 8080
>>>
>>> Chain POSTROUTING (policy ACCEPT 47 packets, 3745 bytes)
>>> pkts bytes target prot opt in out source destination
>>>
>>>
>>>
>>> I thought this should be exactly the same as the last time I did it,
>>> so I don't know why it wouldn't work.
>>> Here's the script I used to set up the iptables:
>>>
>>> iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 8080
>>> iptables -t nat -A OUTPUT -d 10.211.163.215 -p tcp --dport 80 -j REDIRECT --to-ports 8080
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
>>> /etc/init.d/iptables save
>>> /etc/init.d/iptables restart
>>>
>>>
>>> I'm completely at a loss how to troubleshoot this further, any
>>> advice is much appreciated.
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
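
The packet counters in the `iptables -t nat -L -n -v` listing quoted above record which REDIRECT rules traffic has actually matched. The shell function below is an added example, not part of the original thread: it reads such a listing on stdin and reports each REDIRECT rule with its chain, interface, ports and hit count. The names `redirect_hits` and `sample_listing` are made up here, and the sample data is the listing from the quoted message.

```shell
#!/bin/sh
# Added example: summarise REDIRECT rules from `iptables -t nat -L -n -v`.
# Verbose listing columns: pkts bytes target prot opt in out source destination ...

redirect_hits() {
    awk '
        /^Chain / { chain = $2; next }           # remember which chain we are in
        $3 == "REDIRECT" {
            dport = "-"; to = "-"
            for (i = 10; i <= NF; i++) {         # match extensions follow column 9
                if ($i ~ /^dpt:/) dport = substr($i, 5)
                if ($i == "ports" && $(i - 1) == "redir") to = $(i + 1)
            }
            # A zero packet counter means no packet has matched this rule yet.
            state = ($1 == "0") ? "unused" : "hit"
            printf "%s in=%s dst=%s dport=%s to=%s pkts=%s %s\n",
                   chain, $6, $9, dport, to, $1, state
        }
    '
}

# Sample input: the nat table listing from the quoted message.
sample_listing() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 21 packets, 1608 bytes)
pkts bytes target prot opt in out source destination
150 7600 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080

Chain INPUT (policy ACCEPT 171 packets, 9208 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 45 packets, 3625 bytes)
pkts bytes target prot opt in out source destination
2 120 REDIRECT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:80 redir ports 8080
0 0 REDIRECT tcp -- * * 0.0.0.0/0 10.211.163.215 tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT 47 packets, 3745 bytes)
pkts bytes target prot opt in out source destination
EOF
}

# On a live host: sudo iptables -t nat -L -n -v | redirect_hits
sample_listing | redirect_hits
```

A nonzero count on the PREROUTING rule means packets addressed to port 80 reached eth0 and were rewritten to 8080 before the filter table and the listening socket saw them.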