Hello,

I'm new to this list so please forgive me if my question has already been asked. I searched in the archives and the FAQ (especially here http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html#DNAT ), but I found nothing.

My problem is simple:
- I have a single public ip on my server (for example: 87.145.23.55)
- I have an apache daemon run by a non-root user which is listening on port 40240

I would like to forward all the traffic from the port 80 to the 40240 port.

I tried this rule but nothing is forwarded:

DNAT net net:87.145.23.55 tcp 40240 80 87.145.23.55

Do you think I can do that and how? (I'm not a network expert...)

regards,
--
Stéphane GULLY

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Stéphane Gully wrote:
> Hello,
>
> I'm new to this list so please forgive me if my question has already
> been asked. I searched in the archives and the FAQ (especially here
> http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html#DNAT ),
> but I found nothing.
>
> My problem is simple:
> - I have a single public ip on my server (for example: 87.145.23.55)
> - I have an apache daemon run by a non-root user which is listening on
>   port 40240
> I would like to forward all the traffic from the port 80 to the 40240 port.
>
> I tried this rule but nothing is forwarded:
> DNAT net net:87.145.23.55 tcp 40240 80 87.145.23.55
>
> Do you think I can do that and how? (I'm not a network expert...)

You just need this rule:

REDIRECT net 40240 tcp 80 - 87.145.23.55

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Tue, Nov 20, 2007 at 09:57:16AM -0800, Tom Eastep wrote:
> Stéphane Gully wrote:
> > Hello,
> >
> > I'm new to this list so please forgive me if my question has already
> > been asked. I searched in the archives and the FAQ (especially here
> > http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html#DNAT ),
> > but I found nothing.
> >
> > My problem is simple:
> > - I have a single public ip on my server (for example: 87.145.23.55)
> > - I have an apache daemon run by a non-root user which is listening on
> >   port 40240
> > I would like to forward all the traffic from the port 80 to the 40240 port.
> >
> > I tried this rule but nothing is forwarded:
> > DNAT net net:87.145.23.55 tcp 40240 80 87.145.23.55
> >
> > Do you think I can do that and how? (I'm not a network expert...)
>
> You just need this rule:
>
> REDIRECT net 40240 tcp 80 - 87.145.23.55
>

While Tom is technically correct, there is a better way.

Tom's solution redirects *all* port 80 traffic to the higher port. If you are doing name-based virtual hosting and want to have some sites served by Apache on port 80 and others redirected to the apache being run by the user on the higher port, then you need to do something else.

In the main Apache (the one listening on port 80), you need a virtual host defined like this:

<VirtualHost *:80>
    ServerName www.example.com
    ServerAdmin webmaster@example.com

    <IfModule mod_proxy.c>
        ProxyPass / http://87.145.23.55:40240/
        ProxyPassReverse / http://87.145.23.55:40240/
    </IfModule>
</VirtualHost>

Then you configure the other Apache however you like. This will allow you to have different users run different Apache instances on high-numbered ports and still have all of them be accessible from the outside world over port 80.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
> > You just need this rule:
> >
> > REDIRECT net 40240 tcp 80 - 87.145.23.55

Thank you!
This rule didn't work for me because these two rules were applied before the REDIRECT:

HTTP/ACCEPT net $FW
HTTPS/ACCEPT net $FW

I just moved both ACCEPT after the REDIRECT and it works well!
(I need these two rules to accept http/https connections coming from other ip)

> While Tom is technically correct, there is a better way.
>
> Tom's solution redirects *all* port 80 traffic to the higher port. If
> you are doing name-based virtual hosting and want to have some sites
> served by Apache on port 80 and others redirected to the apache being
> run by the user on the higher port, then you need to do something else.
>
> In the main Apache (the one listening on port 80), you need a virtual
> host defined like this:
>
> <VirtualHost *:80>
>     ServerName www.example.com
>     ServerAdmin webmaster@example.com
>
>     <IfModule mod_proxy.c>
>         ProxyPass / http://87.145.23.55:40240/
>         ProxyPassReverse / http://87.145.23.55:40240/
>     </IfModule>
> </VirtualHost>
>
> Then you configure the other Apache however you like.
> This will allow you to have different users run different Apache
> instances on high-numbered ports and still have all of them be accessible
> from the outside world over port 80.

Roberto, it's funny because I'm going to set up a reverse proxy as you explained above on the 40240 port.
Why? Because I need to run the reverse proxy with a non-root user (it's easier to administer the server).
However, thank you for your great suggestion.

regards,
--
Stéphane GULLY
http://www.zeitoun.net
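The ordering problem Stéphane describes above is easy to reintroduce when a rules file is edited later, so here is a small lint for it. This is an added example, not Shorewall's own code: it parses a constructed rules fragment (the three rules from this thread), reports any ACCEPT from a zone to $FW that sits above a REDIRECT for the same zone, protocol and port, and rewrites the fragment with the REDIRECT hoisted above the ACCEPT, which is the fix Stéphane applied by hand. The macro-to-port table and the assumed column layout (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST) are limited to what this thread uses.

```python
"""Lint a Shorewall rules fragment for ACCEPT rules that sit above a REDIRECT
for the same zone/protocol/port. Added example, not Shorewall's own code.
"""

# Assumption: only the two macros used in this thread are mapped here.
MACRO_PORTS = {"HTTP": ("tcp", "80"), "HTTPS": ("tcp", "443")}

# Constructed sample: the rules from the thread in the order that failed.
SAMPLE_RULES = """\
#ACTION         SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST
HTTP/ACCEPT     net     $FW
HTTPS/ACCEPT    net     $FW
REDIRECT        net     40240   tcp     80      -       87.145.23.55
"""


def parse_rule(line):
    """Return (action, source, dest, proto, dport) for one rules line, or None
    for blank and comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    cols = line.split()
    action = cols[0]
    if "/" in action:  # macro form such as HTTP/ACCEPT: the macro supplies proto/port
        macro, action = action.split("/", 1)
        proto, dport = MACRO_PORTS.get(macro.upper(), ("-", "-"))
        source = cols[1] if len(cols) > 1 else "-"
        dest = cols[2] if len(cols) > 2 else "-"
        return (action.upper(), source, dest, proto, dport)
    # Plain form: ACTION SOURCE DEST PROTO DPORT [SPORT] [ORIGDEST]
    cols += ["-"] * (5 - len(cols))
    return (action.upper(), cols[1], cols[2], cols[3].lower(), cols[4])


def shadowed_redirects(text):
    """Return [(accept_line_no, redirect_line_no, port)] for every REDIRECT that
    has an earlier ACCEPT from the same source zone to $FW on the same proto/port.
    Line numbers are 1-based and count comment lines too."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_rule(raw)
        if parsed:
            rules.append((n, parsed))
    findings = []
    for n, (action, source, dest, proto, dport) in rules:
        if action != "REDIRECT":
            continue
        for m, (a2, s2, d2, p2, dp2) in rules:
            if m >= n:
                break  # only rules above the REDIRECT can shadow it
            if a2 == "ACCEPT" and s2 == source and d2 == "$FW" and p2 == proto and dp2 == dport:
                findings.append((m, n, dport))
    return findings


def hoist_redirects(text):
    """Return the rules text with each shadowed REDIRECT moved above the ACCEPT
    that shadows it. Re-lints after every move, so nested cases converge."""
    lines = text.splitlines()
    while True:
        findings = shadowed_redirects("\n".join(lines))
        if not findings:
            return "\n".join(lines) + "\n"
        accept_no, redirect_no, _ = findings[0]
        lines.insert(accept_no - 1, lines.pop(redirect_no - 1))


if __name__ == "__main__":
    for accept_no, redirect_no, port in shadowed_redirects(SAMPLE_RULES):
        print(f"line {accept_no}: ACCEPT for tcp/{port} shadows REDIRECT on line {redirect_no}")
    print(hoist_redirects(SAMPLE_RULES))
```

Run against the sample, the lint reports the HTTP/ACCEPT on line 2 shadowing the REDIRECT on line 4; the HTTPS rule is left alone because it matches a different port.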
On Wed, Nov 21, 2007 at 08:31:15PM +0100, Stéphane Gully wrote:
> > > You just need this rule:
> > >
> > > REDIRECT net 40240 tcp 80 - 87.145.23.55
> Thank you!
> This rule didn't work for me because these two rules were applied
> before the REDIRECT:
> HTTP/ACCEPT net $FW
> HTTPS/ACCEPT net $FW
> I just moved both ACCEPT after the REDIRECT and it works well!
> (I need these two rules to accept http/https connections coming from other ip)
>

Just realize that if you are doing name-based virtual hosts, then anything listening on port 80 will no longer be accessible.

>
> Roberto, it's funny because I'm going to set up a reverse proxy as you
> explained above on the 40240 port.
> Why? Because I need to run the reverse proxy with a non-root user
> (it's easier to administer the server).
> However, thank you for your great suggestion.
>

No problem.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Roberto C. Sánchez <roberto <at> connexer.com> writes:
>
> On Wed, Nov 21, 2007 at 08:31:15PM +0100, Stéphane Gully wrote:
> > > > You just need this rule:
> > > >
> > > > REDIRECT net 40240 tcp 80 - 87.145.23.55

Thanks Roberto for pointing this thread out. I just have one question: my system does not have a static IP address as it is assigned via DHCP. Is it possible to apply this rule using 127.0.0.1, localhost or using the domain name somehow?

Thanks again,

Jean-Philippe

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Wed, Nov 28, 2007 at 12:38:07AM +0000, Jean-Philippe Steinmetz wrote:
> Roberto C. Sánchez <roberto <at> connexer.com> writes:
> >
> > On Wed, Nov 21, 2007 at 08:31:15PM +0100, Stéphane Gully wrote:
> > > > > You just need this rule:
> > > > >
> > > > > REDIRECT net 40240 tcp 80 - 87.145.23.55
>
> Thanks Roberto for pointing this thread out. I just have one question:
> my system does not have a static IP address as it is assigned via DHCP. Is
> it possible to apply this rule using 127.0.0.1, localhost or using the domain
> name somehow?
>

No. You would need the address for the ORIGINAL DEST column.

In your case, I would recommend my approach. Run apache on port 80 and then have it use ProxyPass and ProxyPassReverse to http://127.0.0.1:49999/ (or whatever your high-numbered port is). Then there is no need to involve Shorewall beyond opening port 80 and you don't even need to open the high-numbered port.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
On Tue, Nov 27, 2007 at 05:00:29PM -0800, Jean-Philippe Steinmetz wrote:
>
> I actually just tried using
>
> REDIRECT net 40240 tcp 80 - -
>
> And it appears to have worked. I will continue to further test this but if I
> can avoid running apache (no particular reason other than to save precious
> resources) then great.
>

I've not tried that personally. Perhaps Tom or someone else can comment on whether that is a good idea in the first place.

Now, this may seem like a dumb question. If you are not running Apache, then why not just have Tomcat on port 80?

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Roberto C. Sánchez wrote:
> On Tue, Nov 27, 2007 at 05:00:29PM -0800, Jean-Philippe Steinmetz wrote:
>> I actually just tried using
>>
>> REDIRECT net 40240 tcp 80 - -
>>
>> And it appears to have worked. I will continue to further test this but if I
>> can avoid running apache (no particular reason other than to save precious
>> resources) then great.
>>
> I've not tried that personally. Perhaps Tom or someone else can comment
> on whether that is a good idea in the first place.
>

Omitting ORIGINAL DEST works fine so long as you want all connections to the DEST PORT(S) redirected, regardless of destination IP address.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> No. You would need the address for the ORIGINAL DEST column.
> In your case, I would recommend my approach. Run apache on
> port 80 and then have it use ProxyPass and ProxyPassReverse to
> http://127.0.0.1:49999/ (or whatever your high-numbered port
> is). Then there is no need to involve Shorewall beyond
> opening port 80 and you don't even need to open the
> high-numbered port.
>
> Regards,
>
> -Roberto
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com
>

I actually just tried using

REDIRECT net 40240 tcp 80 - -

And it appears to have worked. I will continue to further test this but if I can avoid running apache (no particular reason other than to save precious resources) then great.

Jean-Philippe
Jean-Philippe Steinmetz wrote:
> I have spent hours searching for ways and
> everyone seems to think redirection is the only option. If you know of a way
> to get Debian to allow Tomcat to bind at port 80 I would love to know.

The behavior you describe is mandated by IEEE 1003.1 (the POSIX standard). All Unix systems behave that way with respect to low port numbers.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> I've not tried that personally. Perhaps Tom or someone else
> can comment on whether that is a good idea in the first place.
>
> Now, this may seem like a dumb question. If you are not
> running Apache, then why not just have Tomcat on port 80?
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com
>

Definitely not a dumb question. I would love to run Tomcat on port 80 but I discovered that (under debian at least) I am unable to run Tomcat as a non-root user on any port under 1024 (linux security). I am also not very keen on running Tomcat as root. I have spent hours searching for ways and everyone seems to think redirection is the only option. If you know of a way to get Debian to allow Tomcat to bind at port 80 I would love to know.

Jean-Philippe
On Tue, Nov 27, 2007 at 05:08:09PM -0800, Jean-Philippe Steinmetz wrote:
>
> Definitely not a dumb question. I would love to run Tomcat on port 80 but I
> discovered that (under debian at least) I am unable to run Tomcat as a
> non-root user on any port under 1024 (linux security). I am also not very
> keen on running Tomcat as root. I have spent hours searching for ways and
> everyone seems to think redirection is the only option. If you know of a way
> to get Debian to allow Tomcat to bind at port 80 I would love to know.
>

Ewww. You would think it would have some way to reduce its privileges like Apache (or nearly any other daemon) to something less than root. Of course, I have not worked with Tomcat, so I would not know. However, if you have asked experts and they say to redirect, then that may be the only way.

Of course, as a data point, Apache on one of my busier production servers has a vsize (virtual memory) ~150MB and rsize (resident memory) ~25MB. On the development servers which see much less activity it is about 1/3 to 1/2 of that. And that is with all sorts of modules loaded and each serving quite a few websites as virtual hosts. If you only run apache with mod_proxy enabled and then only to act as a proxy to your Tomcat install, it will not use much memory.

In any event, Tom has provided a good explanation for what leaving ORIGINAL DEST out will do. So you have all the information you need to make a decision.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
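Roberto's remark about a daemon reducing its privileges refers to the usual Unix pattern for serving a port below 1024 without running as root throughout: bind the listening socket while still root, then switch to an unprivileged uid/gid before handling any request, so a compromise of the request handler does not yield root. (On Linux the other option is to grant the binary CAP_NET_BIND_SERVICE.) The following is an added example in Python, not Apache's, Tomcat's or Shorewall's code; the user name "nobody" and the port numbers are assumptions. The privilege drop is skipped when the process is not root, so the demonstration also runs unprivileged on a high port.

```python
"""Bind a privileged port while root, then drop to an unprivileged user before
serving. Added example of the bind-then-drop pattern; not code from any project.
"""
import grp
import os
import pwd
import socket

# Ports below this need root on Unix (or CAP_NET_BIND_SERVICE on Linux).
PRIVILEGED_PORT_LIMIT = 1024


def is_privileged_port(port):
    """True for ports a non-root process cannot normally bind."""
    return 0 < port < PRIVILEGED_PORT_LIMIT


def bind_listening_socket(host, port, backlog=128):
    """Bind and listen. On a privileged port without the right to bind it, the
    kernel refuses and Python raises PermissionError; that is the restriction
    Jean-Philippe ran into."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(backlog)
    return sock


def drop_privileges(user, group=None):
    """Switch the process to an unprivileged uid/gid. Returns True when a drop
    happened, False when the process was not root (nothing to drop)."""
    if os.geteuid() != 0:
        return False
    pw = pwd.getpwnam(user)
    gid = grp.getgrnam(group).gr_gid if group else pw.pw_gid
    os.setgroups([])   # discard supplementary groups inherited from root
    os.setgid(gid)     # group first: after setuid the process may no longer change it
    os.setuid(pw.pw_uid)
    os.umask(0o077)
    return True


def serve_as_unprivileged(host, port, user):
    """Bind the (possibly privileged) port, then drop root. The already-bound
    socket stays usable: binding needs the privilege, accepting does not."""
    sock = bind_listening_socket(host, port)
    dropped = drop_privileges(user)
    return sock, dropped


if __name__ == "__main__":
    # Constructed demo: port 80 only when started as root, else a high port.
    port = 80 if os.geteuid() == 0 else 40240
    sock, dropped = serve_as_unprivileged("127.0.0.1", port, "nobody")
    print("listening on", sock.getsockname(), "privileges dropped:", dropped)
    print("effective uid now", os.geteuid())
    sock.close()
```

Order matters in drop_privileges: supplementary groups and the gid are changed before the uid, because once the uid is unprivileged the process can no longer adjust its groups, and a daemon that forgets this keeps root's group memberships.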
Jean-Philippe Steinmetz wrote:
> Definitely not a dumb question. I would love to run Tomcat on port 80 but I
> discovered that (under debian at least) I am unable to run Tomcat as a
> non-root user on any port under 1024 (linux security). I am also not very
> keen on running Tomcat as root. I have spent hours searching for ways and
> everyone seems to think redirection is the only option. If you know of a way
> to get Debian to allow Tomcat to bind at port 80 I would love to know.

Anything meeting this criterion could be termed an exploit. An alternative to iptables for simulating this behavior is xinetd. See http://www.ibm.com/developerworks/java/library/l-secjav.html#h5
> Jean-Philippe Steinmetz wrote:
>> Definitely not a dumb question. I would love to run Tomcat on port 80
>> but I
>> discovered that (under debian at least) I am unable to run Tomcat as a
>> non-root user on any port under 1024 (linux security). I am also not
>> very
>> keen on running Tomcat as root. I have spent hours searching for ways
>> and
>> everyone seems to think redirection is the only option. If you know of a
>> way
>> to get Debian to allow Tomcat to bind at port 80 I would love to know.
> Anything meeting this criterion could be termed an exploit. An
> alternative to iptables for simulating this behavior is xinetd. See
> http://www.ibm.com/developerworks/java/library/l-secjav.html#h5

Another good and lightweight solution is to run Pound http://www.apsis.ch/pound/index_html in front of Tomcat. As an http reverse proxy you can add some additional security through it. I'm using it in front of JBoss and also terminate SSL on Pound.

Simon