Linux – Relationship between /etc/hosts and iptables

Tags: centos, centos6, iptables, linux, networking

I'm running a DigitalOcean Centos 6 VPS. Here's the script I used to set up iptables on Centos 6.4 64-bit:

#!/bin/sh
# Stop the service first: on CentOS 6 this flushes the current rules and resets the policies to ACCEPT
service iptables stop
# Drop malformed TCP: null packets, non-SYN packets that would open a new connection, XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow the public service ports and SSH
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Rewrite the destination port of inbound 80/443 to 8080/8181 (the nat PREROUTING chain runs before the filter INPUT chain)
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8181
# Insert at the top of INPUT: accept packets belonging to established connections
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Persist the rules and reload them
iptables-save > /etc/sysconfig/iptables
service iptables restart

It opens ports 22, 80 and 443 only, redirecting 80 and 443 internally to 8080 and 8181 respectively.

Due to a bug/quirk in GlassFish, I had to add the machine's hostname to /etc/hosts:

127.0.0.1 localhost
127.0.0.1 example.com

Without the NAT rules in the iptables configuration, I am able to reach the GlassFish server via my browser at home when attempting to connect either via port 8080 or 8181. With the NAT rules added, I cannot reach the server at all, neither via 80 and 443 nor via 8080 and 8181.

Do I need to make a change to any of the iptables rules to factor in that extra line in /etc/hosts?

Update:

If I remove the last rule, iptables -P INPUT DROP, I can now access the server via a browser using ports 80/443 and 8080/8181. This indicates the forwarding is working.

Best Answer

The short answer is no, you don't.

The longer answer is that /etc/hosts is there to assist the networking stack resolver. The resolver is the part of the IP stack (TCP/IP v4 and v6) that is responsible for converting friendly names, such as mybigserver, to an IP address, such as 172.16.0.1.

In your post you are showing us a script, and the script is running iptables commands.

The script is using the PREROUTING chain to do NAT, but you state in your question that you are unable to reach the "GlassFish" server via the browser.

  1. What browser? Browser on the same Linux host or a browser on another computer connected to the same switch as ETH0?

If the answer to #1 is another host connected to the same switch as your Linux ETH0, then the problem is you need to change your NAT rules to use the POSTROUTING chain. The reason being you want to NAT the outbound connection. What you have set up is PAT (Port Address Translation).

If this is your setup: [Your Browser]------[network switch]-----[ETH0 Linux ETH1]-----[Public Internet]

Then replace these lines

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8181

with:

# The answer's line stopped after "-o eth1"; the MASQUERADE target is assumed here so the rule is complete
iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE

If this resolves your issue, then you can fine tune that POSTROUTING rule to use a range of ports and/or a specific ETH1 IP if it's multi-homed.
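The asker's own update (dropping the INPUT DROP policy makes both 80/443 and 8080/8181 reachable) fits how netfilter orders its chains: a REDIRECT in nat/PREROUTING rewrites the destination port before filter/INPUT evaluates the packet, so a packet that arrived on port 80 reaches INPUT with dport 8080, which none of the ACCEPT rules match. The script below is an added example written by the editor, not code from the question or the answer; it generates an iptables-restore ruleset for this setup in which INPUT accepts the redirected ports. It assumes eth0 is the public interface and that GlassFish listens on 8080 and 8181 (the PORT_MAP and PUB_IF variables, input_ports, nat_rules and gen_ruleset are all names chosen for this example).

```shell
#!/bin/sh
# Added example (editor's code, not from the question or the answer above).
# Builds an iptables-restore ruleset for the setup described in the question.
# Assumptions: eth0 is the public interface, GlassFish listens on 8080/8181.
#
# nat/PREROUTING REDIRECT rewrites the destination port before filter/INPUT
# sees the packet, so INPUT must accept the redirected ports (8080, 8181),
# not the public ones (80, 443); otherwise the INPUT DROP policy eats them.

PUB_IF="${PUB_IF:-eth0}"
# Space-separated "public:internal" pairs; a bare port means "no redirect".
PORT_MAP="${PORT_MAP:-80:8080 443:8181 22}"

# Ports the filter INPUT chain must accept: the internal port of each
# redirected pair, or the port itself when there is no redirect.
input_ports() {
    out=""
    for p in $1; do
        case "$p" in
            *:*) port="${p#*:}" ;;
            *)   port="$p" ;;
        esac
        out="${out:+$out }$port"
    done
    printf '%s\n' "$out"
}

# nat PREROUTING rules: one REDIRECT per "public:internal" pair, on interface $2.
nat_rules() {
    for p in $1; do
        case "$p" in
            *:*) printf '%s\n' "-A PREROUTING -i $2 -p tcp --dport ${p%%:*} -j REDIRECT --to-ports ${p#*:}" ;;
        esac
    done
}

# Complete ruleset in iptables-restore format: $1 = port map, $2 = public interface.
gen_ruleset() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    nat_rules "$1" "$2"
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback, existing connections, then the malformed-TCP drops from the question's script.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
                  '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
                  '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP' \
                  '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP' \
                  '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
    # New connections are accepted on the post-REDIRECT ports, not the public ones.
    for port in $(input_ports "$1"); do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Usage: sh gen_rules.sh > /etc/sysconfig/iptables && service iptables restart
gen_ruleset "$PORT_MAP" "$PUB_IF"
```

Nothing here touches /etc/hosts: the resolver is consulted by applications looking up names, and iptables matches on addresses and ports only, so the extra hosts line has no bearing on which packets INPUT accepts. Before applying the file on the VPS, `iptables-restore --test < /etc/sysconfig/iptables` (run as root) parses it without committing it, which catches typos in the generated rules before SSH access depends on them.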
