I am trying to set up a JBoss app server on an RHEL build. JBoss is bound to 127.0.0.1:8080, and I am trying to set up iptables to redirect all traffic from port 80 to port 8080. This is my config file:
    # *nat table header missing from the posted file; inferred from the chain names below
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8443
    -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    -A FORWARD -i eth0 -m state --state NEW -m tcp -p tcp -d 127.0.0.1 --dport 8080 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
But no matter what, the output of iptables -L -v -n shows that all traffic is getting rejected. If I turn off iptables, it works, but I'd like to use it. Thanks.
This is the output:
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      165 10948 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
       12   576 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
     3237  405K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            127.0.0.1           state NEW tcp dpt:8080
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 146 packets, 19249 bytes)
     pkts bytes target     prot opt in     out     source               destination
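Added example, not part of the question: a small static lint for an iptables-save style ruleset that exposes the mismatch between the NAT and filter tables in the posted file. The nat PREROUTING hook runs before the filter INPUT chain, so INPUT sees the rewritten destination port; an ACCEPT for --dport 80 does nothing for a connection that DNAT has already turned into 127.0.0.1:8080, and the packet falls through to the final REJECT. The two rulesets are constructed here (the broken one is a reduction of the posted file with the *nat header inferred; the fixed one is an assumption of what a corrected filter table looks like, using -m conntrack --ctstate DNAT so that only redirected connections, not direct hits on :8080, are accepted). The route_localnet note in the checker is a caveat, not something the question mentions: DNAT to a 127.0.0.0/8 address from a non-loopback interface is only routed when net.ipv4.conf.<if>.route_localnet=1 (Linux 3.6 or later).

```shell
#!/bin/sh
# Added example: lint an iptables-save style ruleset for NAT/filter mismatches.
# Not the poster's file; the rulesets below are constructed for this example.

# Sample 1 (constructed from the posted file, *nat header inferred): the rules
# that matter for the port-80 redirect, as posted.
broken_ruleset() {
    cat <<'EOF'
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8443
COMMIT
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Sample 2 (constructed, assumed fix): same NAT, but INPUT accepts the post-NAT
# ports, and only for connections conntrack marked as DNATed, so a client that
# talks to :8080 on the public address directly is still rejected.
fixed_ruleset() {
    cat <<'EOF'
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8443
COMMIT
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate DNAT -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate DNAT -m tcp --dport 8443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Ports that nat PREROUTING DNAT/REDIRECT rules rewrite traffic to, one per line.
nat_target_ports() {
    awk '
        /^\*/ { table = substr($1, 2) }
        table == "nat" && $2 == "PREROUTING" {
            for (i = 1; i <= NF; i++) {
                if ($i == "--to-destination" && split($(i + 1), a, ":") == 2) print a[2]
                if ($i == "--to-ports") print $(i + 1)
            }
        }' "$1"
}

# Ports that the filter INPUT chain ACCEPTs by --dport, one per line.
input_accept_ports() {
    awk '
        /^\*/ { table = substr($1, 2) }
        table == "filter" && $2 == "INPUT" && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }' "$1"
}

# Report every NAT target port that INPUT never accepts; returns 0 only when
# there is nothing to report. Also notes DNAT to loopback, which additionally
# needs net.ipv4.conf.<if>.route_localnet=1 (Linux 3.6+) to be routed at all.
check_ruleset() {
    rc=0
    for port in $(nat_target_ports "$1"); do
        if ! input_accept_ports "$1" | grep -qx "$port"; then
            echo "nat rewrites to port $port but filter INPUT has no ACCEPT for it"
            rc=1
        fi
    done
    if grep -q -- '--to-destination 127\.' "$1"; then
        echo "note: DNAT to 127.0.0.0/8 from a non-loopback interface needs route_localnet=1"
    fi
    return $rc
}

# Stand-alone run: lint both constructed rulesets.
for name in broken fixed; do
    f=$(mktemp); "${name}_ruleset" > "$f"
    echo "== $name =="; check_ruleset "$f" && echo "ok"
    rm -f "$f"
done
```

Run it against a real file with `check_ruleset /etc/sysconfig/iptables`; it only reads the file and needs no root. The --dport 80 ACCEPT in the posted filter table only matches the 12 packets counted before NAT applied to them; everything that was redirected landed on the REJECT line.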
Best Answer
I would say this is the wrong approach. In any case, I wouldn't want JBoss (nor Tomcat) to manage direct connections other than for test purposes. It's not designed to manage outside connections directly.
Option 1: Have the Apache web server proxy to 127.0.0.1:8080
You need this somewhere in your Apache setup
Or with apache2
And in the virtual hosts you could have several apps
or have a single one
After changing the virtual host settings, there's no need to restart Apache;
will update the settings without dropping ongoing connections.
Option 2, using mod_ajp
Add this to your virtual host:
This assumes the Tomcat instance is configured with an AJP connector on port 8009. Check the Tomcat settings.
http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html
Option 3, using mod_jk: http://tomcat.apache.org/connectors-doc/
You'll still have the other issue, which is configuring JBoss to create links to :80; that will be a JBoss setting problem... I can't remember where it's set, all I can remember is that it took me a while to find out. I've preferred using the AJP connector so far.
Sorry, I don't have access to a JBoss setup right now; perhaps someone can point us to where that setting is.
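Added example, not the answerer's configuration (the answer's own snippets are not reproduced on this page): a reverse-proxy virtual host for Option 1 (mod_proxy_http) with the Option 2 (mod_proxy_ajp) line alongside it, plus a lint for the two mistakes that matter most once mod_proxy is enabled. ProxyRequests On turns the host into an open forward proxy that relays arbitrary requests for anyone; a ProxyPass without a matching ProxyPassReverse lets backend redirects send clients to 127.0.0.1:8080. The ServerName is a placeholder, and ProxyPreserveHost On is an assumption added here because it hands the client's Host header to the backend, which is one Apache-side way to get links built with the public name.

```shell
#!/bin/sh
# Added example: a reverse-proxy vhost and a lint for it. Not the answerer's
# configuration; both vhost texts below are constructed for this example.

# Constructed vhost: Apache listens on :80, JBoss stays on 127.0.0.1:8080.
good_vhost() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName app.example.com
    # Reverse proxy only. Off is the default, but state it so nobody "fixes"
    # it to On, which would make Apache relay arbitrary requests for anyone.
    ProxyRequests Off
    # Pass the client's Host header through so the backend builds links with
    # the public name instead of 127.0.0.1:8080 (assumption, see lead-in).
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    # Option 2 (mod_proxy_ajp) equivalent, if the AJP connector listens on 8009:
    # ProxyPass / ajp://127.0.0.1:8009/
</VirtualHost>
EOF
}

# Constructed counter-example carrying both mistakes the lint looks for.
bad_vhost() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName app.example.com
    ProxyRequests On
    ProxyPass / http://127.0.0.1:8080/
</VirtualHost>
EOF
}

# Lint a vhost file: flag ProxyRequests On (open forward proxy) and every
# ProxyPass with no ProxyPassReverse for the same path. Returns 1 if anything
# is found, 0 otherwise. Comment lines start with "#" and are never matched.
lint_proxy_vhost() {
    awk '
        $1 == "ProxyRequests" && tolower($2) == "on" {
            print "line " NR ": ProxyRequests On makes this an open forward proxy; use Off"
            bad++
        }
        $1 == "ProxyPass"        { fwd[$2] = NR }
        $1 == "ProxyPassReverse" { rev[$2] = 1 }
        END {
            for (p in fwd) if (!(p in rev)) {
                print "line " fwd[p] ": ProxyPass " p " has no ProxyPassReverse"
                bad++
            }
            exit (bad > 0)
        }' "$1"
}

# Stand-alone run: lint both constructed vhosts.
for name in good bad; do
    f=$(mktemp); "${name}_vhost" > "$f"
    echo "== $name =="; lint_proxy_vhost "$f" && echo "ok"
    rm -f "$f"
done
```

Point it at a real file with `lint_proxy_vhost /etc/httpd/conf.d/app.conf`; it is a text check only, so follow it with `apachectl configtest` after the file is included in the server config.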