Always Learning
2016-Jun-21  14:58 UTC
[CentOS] Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?
On Tue, 2016-06-21 at 15:46 +0100, Always Learning wrote:
> On Tue, 2016-06-21 at 16:24 +0200, Alexander Farber wrote:
>
> > *nat
> > :INPUT ACCEPT
> > :OUTPUT ACCEPT
> > :PREROUTING ACCEPT
> > :POSTROUTING ACCEPT
> > -A PREROUTING -p tcp --dst 144.76.184.154 --dport 8080 -j REDIRECT
> > --to-port 80
>
> http://www.karlrupp.net/en/computer/nat_tutorial
>
> # IMPORTANT: Activate IP-forwarding in the kernel!
> # Disabled by default!
> $> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> ~~~~~~~~~~~~~~~
>
> Is that a solution?

and this?

# TCP packets from 192.168.1.2, port 12345 to 12356
# to 123.123.123.123, Port 22
# (a backslash indicates continuation at the next line)

iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.2 \
    --sport 12345:12356 -d 123.123.123.123 --dport 22 [...]

-- 
Regards,
Paul.
England, EU. England's place is in the European Union.
Alexander Dalloz
2016-Jun-21  15:16 UTC
[CentOS] Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?
On 2016-06-21 16:58, Always Learning wrote:
> On Tue, 2016-06-21 at 15:46 +0100, Always Learning wrote:
>
>> On Tue, 2016-06-21 at 16:24 +0200, Alexander Farber wrote:
>>
>> > *nat
>> > :INPUT ACCEPT
>> > :OUTPUT ACCEPT
>> > :PREROUTING ACCEPT
>> > :POSTROUTING ACCEPT
>> > -A PREROUTING -p tcp --dst 144.76.184.154 --dport 8080 -j REDIRECT
>> > --to-port 80
>>
>> http://www.karlrupp.net/en/computer/nat_tutorial
>>
>> # IMPORTANT: Activate IP-forwarding in the kernel!
>> # Disabled by default!
>> $> echo "1" > /proc/sys/net/ipv4/ip_forward
>>
>> ~~~~~~~~~~~~~~~
>>
>> Is that a solution?
>
> and this?
>
> # TCP packets from 192.168.1.2, port 12345 to 12356
> # to 123.123.123.123, Port 22
> # (a backslash indicates continuation at the next line)
>
> iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.2 \
>     --sport 12345:12356 -d 123.123.123.123 --dport 22 [...]

Both hints are irrelevant in his case. He needs port redirection by letting iptables rewrite the TCP header destination port. There is no IP forwarding by the kernel involved. Neither does he need to do full DNAT (or whatever the incomplete cited rule should do; it lacks a target directive).

Alexander
Alexander Farber
2016-Jun-21  17:33 UTC
[CentOS] Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?
I think I have finally figured it out -
http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html
says that "-j REDIRECT" is just a shortcut for "-j DNAT" with the destination address being that of the interface:

"There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface."
And in my case that just can not work, because my CentOS 7 server has 4 IP addresses. (I am sorry that I haven't mentioned it, because I didn't think it would matter).
At "eth0" port 80 I have Apache+WordPress (which can drop root rights). And at "eth0:1" port 8080 I run Jetty (which can not drop root rights). But I need Jetty at port 80 (so that websockets work for corporate users behind proxies) and I want it to run as user "nobody".
So I have created a custom systemd service file
/etc/systemd/system/websocket-handler.service to start Jetty:
[Unit]
Description=WebSocket Handler Service
After=network-online.target
[Service]
Type=simple
User=nobody
Group=nobody
ExecStart=/usr/bin/java -classpath '/usr/share/java/jetty/*' de.afarber.MyHandler 144.76.184.151:8080
ExecStop=/bin/kill ${MAINPID}
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target
And now I have figured out, how to redirect the incoming requests with
net.ipv4.ip_forward=1 in /etc/sysctl.conf and with the following
/etc/sysconfig/iptables:
*filter
:INPUT DROP
:OUTPUT ACCEPT
:FORWARD DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
-A FORWARD -p tcp --dst 144.76.184.154 --dport 8080 -j ACCEPT
COMMIT
*nat
:INPUT ACCEPT
:OUTPUT ACCEPT
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -p tcp --dst 144.76.184.154 --dport 80 -j DNAT --to-destination 144.76.184.154:8080
COMMIT
The only thing that I don't understand is if
:INPUT ACCEPT
:OUTPUT ACCEPT
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
is ok (and what it means here) or if I should use DROP.
I have tried a few combinations... but I am not sure.
Thank you
Alex
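Added example (not code from the thread or from any of its participants): a small Python model of how the rules posted above treat a connection arriving for 144.76.184.154:80. It parses only the subset of iptables-restore syntax the posted file uses, runs the first packet of the flow through nat PREROUTING and then through filter INPUT, and reports each chain's verdict and the rewritten destination. It makes two things concrete: the filter INPUT rule has to accept the post-DNAT port 8080, not 80, because INPUT sees the rewritten packet (take 8080 out of the multiport list and the packet falls through to the INPUT DROP policy); and the FORWARD chain, and with it net.ipv4.ip_forward, never comes into play, because after the DNAT the destination is still one of the host's own addresses. On the question about the nat table's :INPUT ACCEPT etc.: those lines are the default policies of the nat chains, which only ever see the first packet of each connection, so filtering is done in the filter table and ACCEPT is the usual choice for them.

```python
"""Model of how the posted nat and filter rules treat a connection to port 80.
Added example: handles only the iptables-restore subset used above; not a substitute
for running iptables itself."""
from dataclasses import dataclass

# The posted /etc/sysconfig/iptables, with wrapped rule lines rejoined.
RULESET = """
*filter
:INPUT DROP
:OUTPUT ACCEPT
:FORWARD DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
-A FORWARD -p tcp --dst 144.76.184.154 --dport 8080 -j ACCEPT
COMMIT
*nat
:INPUT ACCEPT
:OUTPUT ACCEPT
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -p tcp --dst 144.76.184.154 --dport 80 -j DNAT --to-destination 144.76.184.154:8080
COMMIT
"""

@dataclass
class Packet:
    proto: str
    dst: str
    dport: int
    in_if: str = "eth0"
    state: str = "NEW"        # conntrack state; the first packet of a flow is NEW

@dataclass
class Rule:
    chain: str = None
    proto: str = None
    dst: str = None
    dports: set = None        # None means "any port"
    states: set = None
    in_if: str = None
    target: str = None
    to_dest: tuple = None     # (ip, port) for DNAT

# Options whose argument is stored verbatim on the Rule.
SETTERS = {"-A": "chain", "-p": "proto", "-d": "dst", "--dst": "dst", "-i": "in_if", "-j": "target"}

def parse_rule(tokens):
    """Parse one '-A ...' line; -m loaders, limit and tcp-flags are skipped."""
    r, i = Rule(), 0
    while i < len(tokens):
        opt, arg = tokens[i], tokens[i + 1]
        if opt in SETTERS: setattr(r, SETTERS[opt], arg)
        elif opt in ("--dport", "--dports"): r.dports = {int(p) for p in arg.split(",")}
        elif opt == "--state": r.states = set(arg.split(","))
        elif opt == "--to-destination":
            ip, port = arg.rsplit(":", 1)
            r.to_dest = (ip, int(port))
        i += 3 if opt == "--tcp-flags" else 2   # --tcp-flags takes mask and flags
    return r

def parse_ruleset(text):
    """Return {table: {"policy": {chain: POLICY}, "rules": [Rule, ...]}}."""
    tables, table = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        else:
            table["rules"].append(parse_rule(line.split()))
    return tables

def matches(rule, pkt):
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.dst is None or rule.dst == pkt.dst)
            and (rule.dports is None or pkt.dport in rule.dports)
            and (rule.states is None or pkt.state in rule.states)
            and (rule.in_if is None or rule.in_if == pkt.in_if))

def run_chain(table, chain, pkt):
    """First matching terminating rule decides; otherwise the chain policy does."""
    for rule in table["rules"]:
        if rule.chain != chain or not matches(rule, pkt):
            continue
        if rule.target == "DNAT":           # rewrite the destination; chain ends
            pkt.dst, pkt.dport = rule.to_dest
            return "DNAT"
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
    return table["policy"][chain]

def trace_inbound(text, pkt):
    """Traffic for one of the host's own addresses: nat PREROUTING (first packet of
    a connection only), then filter INPUT. FORWARD is never consulted because the
    DNAT target is still a local address."""
    tables, steps = parse_ruleset(text), []
    if pkt.state == "NEW":
        steps.append(("nat", "PREROUTING", run_chain(tables["nat"], "PREROUTING", pkt)))
    steps.append(("filter", "INPUT", run_chain(tables["filter"], "INPUT", pkt)))
    return steps, (pkt.dst, pkt.dport)
```

Call trace_inbound(RULESET, Packet("tcp", "144.76.184.154", 80)) to see the DNAT verdict followed by the INPUT ACCEPT, with the destination reported as 144.76.184.154:8080; run the same packet against RULESET with 8080 removed from the multiport list and the INPUT verdict becomes the chain's DROP policy.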