iptables fubared?

Mark Space markspace at live.com
Fri Oct 5 16:17:30 UTC 2012


On 10/5/2012 1:00 AM, Bill Shirley wrote:
> Maybe I didn't understand correctly.  You're wanting to redirect 
> traffic received on eth0 port 80 to port 8080.  Is this correct?
> "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
> --to-ports 8080"
>
> If so, then you wouldn't expect to see any traffic on eth0 port 8080 
> (neither coming or going), right?


I guess.  Is that the way iptables works?  I would have guessed that if 
you redirect, you'd see traffic on the output chain and therefore that 
"port."  But it seems it isn't.  It looks like tcpdump hooks into the 
raw input/output, before iptables handles it.  In that case it would 
make sense what you say.

Anyway, problem got solved.  Someone with very good knowledge of TCP and 
unix pointed out:

1. I need to make sure port forwarding is enabled (it wasn't): sudo 
sysctl -w net.ipv4.ip_forward=1

2. I *am* getting a response from the server.  If you look closely at 
the tcpdump output, the server is responding.  It's sending resets back 
the external workstation.  That means it's telling the workstation 
that it saw the request, but there's no one listening.

3. Close inspection with netstat on the server revealed I was listening 
on the right port, but the wrong network.  JBoss comes configured by 
default to listen on the loopback interface.  I had neglected to edit 
the config to tell it to listen on 0.0.0.0/0. Grrrr.  That's distinct 
from the port, which is in a different part of the config file.  Grrr grrr.


I really hate system administration.

Thanks for your help btw, and thanks to everyone else who tried to 
help.  It was useful to at least have avenues to pursue.



>
> Bill
>
>
> On 10/4/2012 9:36 PM, Mark Space wrote:
>> I don't understand this comment:
>>
>> "If you get traffic on port 8080 then you have an iptables problem."
>>
>> Wouldn't it be the opposite?  If I DON'T have traffic on port 8080, I 
>> have problems with iptables.  But maybe I misunderstand how iptables 
>> or tcpdump work.
>>
>>
>>
>> On 10/4/2012 4:52 PM, Bill Shirley wrote:
>>> Check your listen statement in  /etc/httpd/conf/httpd.conf. It 
>>> should be:
>>> Listen 8080
>>>
>>> If that is correct, run tcpdump (ctrl+c to quit) and then try 
>>> externally connecting :
>>> tcpdump -n -i eth0 port 80 or port 8080
>>>
>>> If you get traffic on port 8080 then you have an iptables problem.
>>>
>>> Bill
>>>
>>>
>>> On 10/4/2012 3:45 PM, Mark Space wrote:
>>>> Hi all, I'm having a bit of trouble setting up a new web server. 
>>>> The last time I set it up it went smoothly, but for some reason I 
>>>> can't connect to the HTTP port on this one.
>>>>
>>>> Any clues what I'm missing?
>>>>
>>>> I can:
>>>>
>>>> 1. SSH into my server from an external workstation.
>>>> 2. Ping my server by DNS name from an external workstation.
>>>> 3. I can load the default web page when I'm SSH'd in, this works fine:
>>>> $ wget localhost
>>>> --2012-10-04 17:44:35--  http://localhost/
>>>> Resolving localhost... 127.0.0.1
>>>> Connecting to localhost|127.0.0.1|:80... connected.
>>>> HTTP request sent, awaiting response... 200 OK
>>>> Length: 2432 (2.4K) [text/html]
>>>> Saving to: ‘index.html.1’
>>>>   
>>>> 100%[======================================>] 2,432       --.-K/s   in 0s
>>>>   
>>>> 2012-10-04 17:44:35 (183 MB/s) - ‘index.html.1’
>>>>
>>>>
>>>> However, I cannot connect via HTTP externally, even using the IP 
>>>> address:
>>>>
>>>> 4. Unable to connect Firefox can't establish a connection to the 
>>>> server at 54.243.205.88.
>>>>
>>>> I'm not sure where I could have fubared this. I did try to redirect 
>>>> the ports from 80 to 8080, perhaps that was done incorrectly?
>>>>
>>>> [ec2-user at domU-12-31-39-0A-A0-29 ~]$ sudo iptables -L
>>>> Chain INPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>   
>>>> Chain FORWARD (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>   
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>> [ec2-user at domU-12-31-39-0A-A0-29 ~]$ sudo iptables -t nat -L -n -v
>>>> Chain PREROUTING (policy ACCEPT 21 packets, 1608 bytes)
>>>>   pkts bytes target     prot opt in     out     source               destination
>>>>    150  7600 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
>>>>   
>>>> Chain INPUT (policy ACCEPT 171 packets, 9208 bytes)
>>>>   pkts bytes target     prot opt in     out     source               destination
>>>>   
>>>> Chain OUTPUT (policy ACCEPT 45 packets, 3625 bytes)
>>>>   pkts bytes target     prot opt in     out     source               destination
>>>>      2   120 REDIRECT   tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:80 redir ports 8080
>>>>      0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            10.211.163.215       tcp dpt:80 redir ports 8080
>>>>   
>>>> Chain POSTROUTING (policy ACCEPT 47 packets, 3745 bytes)
>>>>   pkts bytes target     prot opt in     out     source               destination
>>>>
>>>>
>>>>
>>>> I thought this should be exactly the same as the last time I did 
>>>> it, so I don't know why it wouldn't work.
>>>> Here's the script I used to set up the iptables:
>>>>
>>>> iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j 
>>>> REDIRECT  --to-ports 8080
>>>> iptables -t nat -A OUTPUT -d 10.211.163.215 -p tcp --dport 80 -j 
>>>> REDIRECT  --to-ports 8080
>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
>>>> --to-ports 8080
>>>> /etc/init.d/iptables save
>>>> /etc/init.d/iptables restart
>>>>
>>>>
>>>> I'm completely at a loss how to troubleshoot this further, any 
>>>> advice is much appreciated.
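The three checks that resolved the thread (IPv4 forwarding, which address the service is bound to, and whether the PREROUTING REDIRECT rule is present) as an added shell example; this is not code from the thread or from any of its posters. It assumes the column layout of `netstat -ltn` / `ss -ltn` and of `iptables -t nat -L -n -v`, and runs against constructed sample output so it can be tried offline.

```shell
# Added example (not from the thread): the three checks that resolved it, as
# functions taking their input as arguments so they run offline on sample text.
# 1. IPv4 forwarding.  $1 is the sysctl file (/proc/sys/net/ipv4/ip_forward on
#    a live host).  Returns 0 when forwarding is enabled.
check_ip_forward() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}
# 2. Where is the service bound?  $1 is the port, $2 the text of `netstat -ltn`
#    or `ss -ltn` (local address:port is the 4th column in both).  Returns 0 if
#    bound to a wildcard or non-loopback address, 1 if only on loopback (the
#    JBoss default that bit here), 2 if nothing listens on that port.
listen_scope() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $4 ~ (":" p "$") {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") lo = 1
            else wide = 1
        }
        END { if (wide) exit 0; if (lo) exit 1; exit 2 }'
}
# 3. Is the PREROUTING REDIRECT 80 -> 8080 rule installed?  $1 is the text of
#    `iptables -t nat -L -n -v` (target is the 3rd column of the -v listing).
has_redirect_rule() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2 }
        chain == "PREROUTING" && $3 == "REDIRECT" && /tcp dpt:80 redir ports 8080/ { ok = 1 }
        END { exit !ok }'
}
# Constructed sample output (not captured from the poster's host).
SS_LOOPBACK_ONLY='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
SS_FIXED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*'
NAT_RULES='Chain PREROUTING (policy ACCEPT 21 packets, 1608 bytes)
 pkts bytes target     prot opt in     out     source               destination
  150  7600 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080'
# Human-readable verdict for a port; always returns 0 so it is safe under set -e.
report_scope() {
    rc=0; listen_scope "$1" "$2" || rc=$?
    case $rc in
        0) echo "port $1: listening on a non-loopback address";;
        1) echo "port $1: bound to loopback only; external SYNs get RST, as seen in tcpdump";;
        *) echo "port $1: nothing listening";;
    esac
}
report_scope 8080 "$SS_LOOPBACK_ONLY"
report_scope 8080 "$SS_FIXED"
```

On a live host, feed the functions `$(ss -ltn)`, `$(iptables -t nat -L -n -v)` and /proc/sys/net/ipv4/ip_forward instead of the sample variables.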
