Good day, I had a Tomcat running on port 80 on a CentOS server with IP 10.33.46.68. When I tried to open "http://10.33.46.68" on my notebook I could see Tomcat welcome page.
Then I changed Tomcat port to 8080 and redirected HTTP traffic on port 80 to port 8080 using iptables:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
Now when I try to open "http://10.33.46.68" on my notebook I'm getting timeout.
But when I try to open "http://10.33.46.68" or "http://10.33.46.68:8080" directly on the server, both URLs work fine. What am I missing please?
There is a Cisco firewall between the notebook and the server which allows communication on port 80 only. This is my iptables configuration file:
# Generated by iptables-save v1.4.7 on Wed Oct 17 14:51:20 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1027:228609]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Wed Oct 17 14:51:20 2012
# Generated by iptables-save v1.4.7 on Wed Oct 17 14:51:20 2012
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [4:274]
:OUTPUT ACCEPT [2:154]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Wed Oct 17 14:51:20 2012
Many thanks in advance. Vojtech
Best Answer
The INPUT chain in the filter table shouldn't be DROP (well, at least not exclusively without accepting ports!). At least accept port tcp/8080 to make it work.
The packet first traverses the mangle table, then prerouting, and then the filter table. Your mangle table is empty, you redirect in prerouting, but when the packet enters INPUT/filter, it's getting dropped.
A simple
iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
should be sufficient.
Edit: Accepting localhost in the INPUT chain of filter should be there too, just not to complicate things. Although you should consider implementing rules which are a little more sophisticated, something like:
Something along those lines.
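As an added illustration (not part of the question or of the answer above): a small Python model of the posted ruleset that walks the first packet of a connection through the nat table and then through filter INPUT. It shows why a request from the notebook to port 80 is dropped (REDIRECT has already rewritten the destination to 8080 by the time INPUT sees it), why the same request from the server itself is accepted (it arrives on lo), and that the answer's extra ACCEPT rule for tcp/8080 fixes it. The interface name eth0, the scenario names, and the simplification that nat is consulted in exactly one chain once per connection are assumptions of the model, not facts from the thread.

```python
"""Toy model of the question's ruleset: nat REDIRECT rewrites the destination port first,
then filter INPUT judges the rewritten packet.  Pure Python, no root; only the options used here."""
import shlex

# Constructed copy of the iptables-save output from the question (comments/counters dropped).
BROKEN_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
"""

# The answer's fix: accept the post-NAT port 8080 in filter INPUT, ahead of the final DROP.
FIXED_RULES = BROKEN_RULES.replace(
    "-A INPUT -j DROP",
    "-A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT\n-A INPUT -j DROP")
MATCH_OPTS = {"-p": "proto", "-i": "iface", "--dport": "dport", "--state": "state"}


def parse_rules(text):
    """Parse iptables-save text into {table: {chain: {"policy": ..., "rules": [...]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                        # *filter / *nat
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):                      # :CHAIN POLICY [pkts:bytes]
            name, policy = line[1:].split()[:2]
            table[name] = {"policy": policy, "rules": []}
        elif line.startswith("-A"):                     # -A CHAIN <matches> -j TARGET [opts]
            tok = shlex.split(line)
            rule = {"match": {}, "target": None, "to_ports": None}
            for opt, arg in zip(tok[2::2], tok[3::2]):  # every option used here takes one argument
                if opt in MATCH_OPTS:
                    key = MATCH_OPTS[opt]
                    rule["match"][key] = (set(arg.split(",")) if key == "state"
                                          else int(arg) if key == "dport" else arg)
                elif opt == "-j":
                    rule["target"] = arg
                elif opt == "--to-ports":
                    rule["to_ports"] = int(arg)
                elif opt != "-m":                       # "-m tcp" / "-m state" only name a module
                    raise ValueError("unsupported option %r in %r" % (opt, line))
            table[tok[1]]["rules"].append(rule)
    return tables


def matches(rule, pkt):
    """Every criterion on the rule must hold; --state holds a set of acceptable states."""
    return all(pkt["state"] in want if key == "state" else pkt.get(key) == want
               for key, want in rule["match"].items())


def run_chain(chain, pkt):
    """Filter-chain semantics: the first matching rule's target wins, else the chain policy."""
    for rule in chain["rules"]:
        if matches(rule, pkt):
            return rule["target"]
    return chain["policy"]


def deliver(tables, pkt):
    """(verdict, final dport) for the first packet of a TCP connection to this host.  nat is
    consulted once per connection (NEW): PREROUTING for packets from the wire, OUTPUT for local
    ones (which re-enter on lo).  REDIRECT rewrites dport; only then does filter INPUT run."""
    pkt = dict(pkt)
    chain = tables["nat"]["OUTPUT" if pkt["iface"] == "lo" else "PREROUTING"]
    if pkt["state"] == "NEW":
        for rule in chain["rules"]:
            if matches(rule, pkt):
                if rule["target"] == "REDIRECT":
                    pkt["dport"] = rule["to_ports"]
                break
    return run_chain(tables["filter"]["INPUT"], pkt), pkt["dport"]


def verdicts(rules_text):
    """The question's scenarios (interface name eth0 is assumed) -> (verdict, dport after nat)."""
    tables = parse_rules(rules_text)
    syn = {"proto": "tcp", "state": "NEW"}
    return {"remote_80": deliver(tables, dict(syn, iface="eth0", dport=80)),     # notebook -> :80
            "remote_8080": deliver(tables, dict(syn, iface="eth0", dport=8080)),  # if the Cisco allowed it
            "local_80": deliver(tables, dict(syn, iface="lo", dport=80))}         # curl on the server itself
```

With BROKEN_RULES the remote request to port 80 ends as ("DROP", 8080): the REDIRECT has already turned it into a port-8080 packet, the INPUT rule for port 80 no longer matches, and the trailing -j DROP wins, which is also why the notebook sees a timeout rather than a connection refused. The local request ends as ("ACCEPT", 8080) via the -i lo rule. With FIXED_RULES all scenarios are accepted. Note the remote_8080 case: the extra ACCEPT also exposes port 8080 directly to anything the upstream firewall lets through (here the Cisco blocks it). Where the installed iptables supports the conntrack match, -m conntrack --ctorigdstport 80 can be used instead of --dport 8080 to accept only connections that were originally addressed to port 80.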