* RE: Instructions on how to redirect port 80 to port 8080
@ 2004-02-18 19:19 Martinez, Michael
  0 siblings, 0 replies; 21+ messages in thread
From: Martinez, Michael @ 2004-02-18 19:19 UTC (permalink / raw)
  To: Antony Stone, Netfilter


Iptables v1.2.8
Smp kernel 2.4.21-4.EL

Regards,
 
Michael Martinez
ISTM/CSREES
United States Department of Agriculture
---
This email is signed with my digital signature so that you may verify
the authenticity of the sender.

--> -----Original Message-----
--> From: Antony Stone [mailto:Antony@Soft-Solutions.co.uk] 
--> Sent: Wednesday, February 18, 2004 2:11 PM
--> To: Netfilter
--> Subject: Re: Instructions on how to redirect port 80 to port 8080
--> 
--> 
--> On Wednesday 18 February 2004 7:06 pm, Martinez, Michael wrote:
--> 
--> > Maybe I ought to upgrade iptables ....
--> 
--> What versions of iptables and kernel are you running?
--> 
--> Antony.
--> 
--> -- 
--> "Reports that say that something hasn't happened are always interesting to me, 
--> because as we know, there are known knowns; there are things we know we know. 
--> We also know there are known unknowns; that is to say we know there are some 
--> things we do not know. But there are also unknown unknowns - the ones we 
--> don't know we don't know."
--> 
-->  - Donald Rumsfeld, US Secretary of Defence
--> 
-->                                                      Please reply to the list;
-->                                                            please don't CC me.
--> 
--> 
--> 


* Re: Instructions on how to redirect port 80 to port 8080
  2004-02-18 19:06 Martinez, Michael
@ 2004-02-18 19:10 ` Antony Stone
  0 siblings, 0 replies; 21+ messages in thread
From: Antony Stone @ 2004-02-18 19:10 UTC (permalink / raw)
  To: Netfilter

On Wednesday 18 February 2004 7:06 pm, Martinez, Michael wrote:

> Maybe I ought to upgrade iptables ....

What versions of iptables and kernel are you running?

Antony.

-- 
"Reports that say that something hasn't happened are always interesting to me, 
because as we know, there are known knowns; there are things we know we know. 
We also know there are known unknowns; that is to say we know there are some 
things we do not know. But there are also unknown unknowns - the ones we 
don't know we don't know."

 - Donald Rumsfeld, US Secretary of Defence

                                                     Please reply to the list;
                                                           please don't CC me.




* RE: Instructions on how to redirect port 80 to port 8080
@ 2004-02-18 19:06 Martinez, Michael
  2004-02-18 19:10 ` Antony Stone
  0 siblings, 1 reply; 21+ messages in thread
From: Martinez, Michael @ 2004-02-18 19:06 UTC (permalink / raw)
  To: Antony Stone, Netfilter


Maybe I ought to upgrade iptables ....

Regards,
 
Michael Martinez
ISTM/CSREES
United States Department of Agriculture
---
This email is signed with my digital signature so that you may verify
the authenticity of the sender.

--> -----Original Message-----
--> From: Antony Stone [mailto:Antony@Soft-Solutions.co.uk] 
--> Sent: Wednesday, February 18, 2004 2:03 PM
--> To: Netfilter
--> Subject: Re: Instructions on how to redirect port 80 to port 8080
--> 
--> 
--> On Wednesday 18 February 2004 6:47 pm, Martinez, Michael wrote:
--> 
--> > I put the logging in, and it's logging stuff ... But logging absolutely
--> > nothing when I "telnet 80" or "telnet 8080" to this box.
--> 
--> In that case, the packets addressed to port 80 or port 8080 are not getting 
--> rejected by the last rule in your user-defined chain.
--> 
--> Either they are not even reaching your machine at all (you don't have some 
--> sort of transparent proxying on your network, by any chance, do you?), or 
--> else they are reaching the application (web server) and being accepted or 
--> rejected there.
--> 
--> > ???!!
--> 
--> I am afraid to say that I agree with this observation :(
--> 
--> Regards,
--> 
--> Antony
--> 
--> -- 
--> I'm pink, therefore I'm Spam.
-->                                                      Please reply to the list;
-->                                                            please don't CC me.
--> 
--> 
--> 
--> 


* Re: Instructions on how to redirect port 80 to port 8080
  2004-02-18 18:47 Martinez, Michael
@ 2004-02-18 19:02 ` Antony Stone
  0 siblings, 0 replies; 21+ messages in thread
From: Antony Stone @ 2004-02-18 19:02 UTC (permalink / raw)
  To: Netfilter

On Wednesday 18 February 2004 6:47 pm, Martinez, Michael wrote:

> I put the logging in, and it's logging stuff ... But logging absolutely
> nothing when I "telnet 80" or "telnet 8080" to this box.

In that case, the packets addressed to port 80 or port 8080 are not getting 
rejected by the last rule in your user-defined chain.

Either they are not even reaching your machine at all (you don't have some 
sort of transparent proxying on your network, by any chance, do you?), or 
else they are reaching the application (web server) and being accepted or 
rejected there.

> ???!!

I am afraid to say that I agree with this observation :(

Regards,

Antony

-- 
I'm pink, therefore I'm Spam.
                                                     Please reply to the list;
                                                           please don't CC me.





* RE: Instructions on how to redirect port 80 to port 8080
@ 2004-02-18 18:47 Martinez, Michael
  2004-02-18 19:02 ` Antony Stone
  0 siblings, 1 reply; 21+ messages in thread
From: Martinez, Michael @ 2004-02-18 18:47 UTC (permalink / raw)
  To: Antony Stone, Netfilter


I put the logging in, and it's logging stuff ... But logging absolutely
nothing when I "telnet 80" or "telnet 8080" to this box.


???!!

Regards,
 
Michael Martinez
ISTM/CSREES
United States Department of Agriculture
---
This email is signed with my digital signature so that you may verify
the authenticity of the sender.

--> -----Original Message-----
--> From: Antony Stone [mailto:Antony@Soft-Solutions.co.uk] 
--> Sent: Wednesday, February 18, 2004 11:22 AM
--> To: Netfilter
--> Subject: Re: Instructions on how to redirect port 80 to port 8080
--> 
--> 
--> On Wednesday 18 February 2004 4:07 pm, Martinez, Michael wrote:
--> 
--> > Antony,
--> >
--> > Being an iptables newbie ... How would I log all rejected packets?
--> 
--> Just before the line which says 
--> 
--> iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
--> 
--> you insert one which says
--> 
--> iptables -A RH-Firewall-1-INPUT -j LOG
--> 
--> If you want to be a bit sophisticated about it:
--> 
--> iptables -A RH-Firewall-1-INPUT -j LOG --log-level=info --log-prefix="Reject:"
--> 
--> That way, the logs will go to /var/log/messages and will have "Reject:" in 
--> them so you can easily identify what they mean.
--> 
--> Regards,
--> 
--> Antony.
--> 
--> -- 
--> All matter in the Universe can be placed into one of two categories:
--> 
--> 1. Things which need to be fixed.
--> 2. Things which need to be fixed once you've had a few minutes to play with 
--> them.
--> 
-->                                                      Please reply to the list;
-->                                                            please don't CC me.
--> 
--> 
--> 


* RE: Instructions on how to redirect port 80 to port 8080
@ 2004-02-18 17:47 Martinez, Michael
  0 siblings, 0 replies; 21+ messages in thread
From: Martinez, Michael @ 2004-02-18 17:47 UTC (permalink / raw)
  To: Alexis; +Cc: Antony Stone, Netfilter


Well .. Dns is working. Either way, give it ip address or fqdn, it
doesn't work. Fails in the same manner.

Regards,
 
Michael Martinez
ISTM/CSREES
United States Department of Agriculture
---
This email is signed with my digital signature so that you may verify
the authenticity of the sender.

--> -----Original Message-----
--> From: Alexis [mailto:alexis@attla.net.ar] 
--> Sent: Wednesday, February 18, 2004 12:29 PM
--> To: Martinez, Michael
--> Cc: Antony Stone; Netfilter
--> Subject: RE: Instructions on how to redirect port 80 to port 8080
--> 
--> 
--> and `hostname` what ip address resolve??
--> 
--> 
--> 
--> On Wed, 2004-02-18 at 11:06, Martinez, Michael wrote:
--> > --> On Tuesday 17 February 2004 7:10 pm, Alexis wrote:
--> > --> 
--> > --> > iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
--> > --> > x.x.x.x:8080
--> > --> 
--> > --> You might prefer to use REDIRECT - it's like DNAT, but only allows you to 
--> > --> specify the port number, and forces the IP address to the local machine:
--> > --> 
--> > --> iptables -A PREROUTING -t nat -d a.b.c.d -p tcp --dport 80 -j REDIRECT --to 8080
--> > --> 
--> > 
--> > This isn't working. I can "telnet `hostname` 8080" and get an http
--> > response, but when I do "telnet `hostname` 80" the response I get is
--> > "telnet: Unable to connect to remote host: Connection refused."
--> > 
--> > Here's my iptables-save output:
--> > 
--> > # Generated by iptables-save v1.2.8 on Wed Feb 18 09:09:04 2004
--> > *nat
--> > :PREROUTING ACCEPT [44:5084]
--> > :POSTROUTING ACCEPT [43:2580]
--> > :OUTPUT ACCEPT [43:2580]
--> > -A PREROUTING -d 199.128.238.12 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
--> > COMMIT
--> > # Completed on Wed Feb 18 09:09:04 2004
--> > # Generated by iptables-save v1.2.8 on Wed Feb 18 09:09:04 2004
--> > *filter
--> > :INPUT ACCEPT [0:0]
--> > :FORWARD ACCEPT [0:0]
--> > :OUTPUT ACCEPT [417:40204]
--> > :RH-Firewall-1-INPUT - [0:0]
--> > -A INPUT -j RH-Firewall-1-INPUT
--> > -A FORWARD -j RH-Firewall-1-INPUT
--> > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
--> > -A RH-Firewall-1-INPUT -p icmp -m icmp any -j ACCEPT
--> > -A RH-Firewall-1-INPUT -p esp -j ACCEPT
--> > -A RH-Firewall-1-INPUT -p ah -j ACCEPT
--> > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
--> > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
--> > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
--> > COMMIT
--> > # Completed on Wed Feb 18 09:09:04 2004
--> > 
--> > 
--> > Mike Martinez
--> -- 
--> Alexis <alexis@attla.net.ar>
--> 
--> 


* RE: Instructions on how to redirect port 80 to port 8080
  2004-02-18 14:06 Martinez, Michael
  2004-02-18 14:19 ` Antony Stone
@ 2004-02-18 17:28 ` Alexis
  1 sibling, 0 replies; 21+ messages in thread
From: Alexis @ 2004-02-18 17:28 UTC (permalink / raw)
  To: Martinez, Michael; +Cc: Antony Stone, Netfilter

and `hostname` what ip address resolve??



On Wed, 2004-02-18 at 11:06, Martinez, Michael wrote:
> --> On Tuesday 17 February 2004 7:10 pm, Alexis wrote:
> --> 
> --> > iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
> --> > x.x.x.x:8080
> --> 
> --> You might prefer to use REDIRECT - it's like DNAT, but only allows you to 
> --> specify the port number, and forces the IP address to the local machine:
> --> 
> --> iptables -A PREROUTING -t nat -d a.b.c.d -p tcp --dport 80 -j REDIRECT --to 8080
> --> 
> 
> This isn't working. I can "telnet `hostname` 8080" and get an http
> response, but when I do "telnet `hostname` 80" the response I get is
> "telnet: Unable to connect to remote host: Connection refused."
> 
> Here's my iptables-save output:
> 
> # Generated by iptables-save v1.2.8 on Wed Feb 18 09:09:04 2004
> *nat
> :PREROUTING ACCEPT [44:5084]
> :POSTROUTING ACCEPT [43:2580]
> :OUTPUT ACCEPT [43:2580]
> -A PREROUTING -d 199.128.238.12 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> COMMIT
> # Completed on Wed Feb 18 09:09:04 2004
> # Generated by iptables-save v1.2.8 on Wed Feb 18 09:09:04 2004
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [417:40204]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Wed Feb 18 09:09:04 2004
> 
> 
> Mike Martinez
-- 
Alexis <alexis@attla.net.ar>




* Re: Instructions on how to redirect port 80 to port 8080
  2004-02-18 16:07 Martinez, Michael
@ 2004-02-18 16:21 ` Antony Stone
  0 siblings, 0 replies; 21+ messages in thread
From: Antony Stone @ 2004-02-18 16:21 UTC (permalink / raw)
  To: Netfilter

On Wednesday 18 February 2004 4:07 pm, Martinez, Michael wrote:

> Antony,
>
> Being an iptables newbie ... How would I log all rejected packets?

Just before the line which says 

iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

you insert one which says

iptables -A RH-Firewall-1-INPUT -j LOG

If you want to be a bit sophisticated about it:

iptables -A RH-Firewall-1-INPUT -j LOG --log-level=info --log-prefix="Reject:"

That way, the logs will go to /var/log/messages and will have "Reject:" in 
them so you can easily identify what they mean.

Regards,

Antony.

-- 
All matter in the Universe can be placed into one of two categories:

1. Things which need to be fixed.
2. Things which need to be fixed once you've had a few minutes to play with 
them.

                                                     Please reply to the list;
                                                           please don't CC me.



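Once the LOG rule above is in place, the kernel writes one line per rejected packet to /var/log/messages, carrying the "Reject:" prefix followed by netfilter's field list (IN=, SRC=, DST=, PROTO=, DPT= and so on). The script below is an added example, not part of Antony's post: an awk summary that tallies those lines by source, destination, protocol and destination port, run here over constructed sample lines rather than a real syslog (hostname, MAC addresses and the client addresses are made up; 199.128.238.12 is the address from the ruleset in this thread). One thing to know before reading the output: the filter table sees a packet after nat/PREROUTING has rewritten it, so a connection that was sent to port 80 and redirected appears in the log with DPT=8080, which is the evidence that the REDIRECT did its job and the filter chain then threw the packet away.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises kernel LOG lines produced by
#   iptables -A RH-Firewall-1-INPUT -j LOG --log-level=info --log-prefix="Reject:"
# Usage: summarize_rejects [PREFIX] < /var/log/messages
# The sample below is constructed; only 199.128.238.12 comes from the thread.
set -eu

SAMPLE_LOG='Feb 18 14:30:01 fw kernel: Reject:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=199.128.238.50 DST=199.128.238.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=33211 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 18 14:30:04 fw kernel: Reject:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=199.128.238.50 DST=199.128.238.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=33211 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 18 14:30:10 fw kernel: Reject:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=199.128.238.50 DST=199.128.238.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=33211 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 18 14:30:12 fw kernel: Reject:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:dd:ee:ff:08:00 SRC=10.9.8.7 DST=255.255.255.255 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=UDP SPT=1900 DPT=1900 LEN=28
Feb 18 14:31:00 fw sshd[1234]: Accepted publickey for root from 10.9.8.2 port 50000 ssh2'

# summarize_rejects [PREFIX]: one output line per "SRC DST PROTO DPT" with the
# number of rejected packets. Syslog lines without the prefix are ignored, so
# the function can be fed the whole of /var/log/messages.
summarize_rejects() {
    awk -v prefix="${1:-Reject:}" '
        index($0, prefix) == 0 { next }
        {
            src = dst = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                # netfilter fields are KEY=VALUE tokens; flags like DF or SYN have no "="
                if (split($i, kv, "=") < 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            count[src " " dst " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Three SYNs from one client, already rewritten to DPT=8080, plus one stray
# SSDP broadcast: the three SYNs are the "telnet ... 80" attempts being refused.
printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
```

Run it against the real file with `summarize_rejects < /var/log/messages` (or with a different prefix as the first argument if you chose one). A TCP line with DPT=8080 and the SYN flag in the log means the packet got through PREROUTING and died in the filter chain, so the fix belongs in RH-Firewall-1-INPUT rather than in the nat table.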

* RE: Instructions on how to redirect port 80 to port 8080
@ 2004-02-18 16:07 Martinez, Michael
  2004-02-18 16:21 ` Antony Stone
  0 siblings, 1 reply; 21+ messages in thread
From: Martinez, Michael @ 2004-02-18 16:07 UTC (permalink / raw)
  To: Antony Stone, Netfilter


Antony,

Being an iptables newbie ... How would I log all rejected packets?

Regards,
 
Michael Martinez
ISTM/CSREES
United States Department of Agriculture
---
This email is signed with my digital signature so that you may verify
the authenticity of the sender.

--> -----Original Message-----
--> From: Antony Stone [mailto:Antony@Soft-Solutions.co.uk] 
--> Sent: Wednesday, February 18, 2004 10:08 AM
--> To: Netfilter
--> Subject: Re: Instructions on how to redirect port 80 to port 8080
--> 
--> 
--> On Wednesday 18 February 2004 2:31 pm, Martinez, Michael wrote:
--> 
--> > --> Please flush the counters on your rules using "iptables -Z;
--> > --> iptables -Z -t nat", connect to port 8080, and then tell us the output
--> > --> of "iptables -L -nvx;
--> 
--> I've eliminated most of the lines which have zero packet counts, as they mean 
--> no traffic was seen:
--> 
--> > Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
--> >     pkts      bytes target     prot opt in     out     source               destination
--> >      131    10661 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
--> 
--> 131 packets in total, all from your user-defined chain...
--> 
--> > Chain RH-Firewall-1-INPUT (2 references)
--> >     pkts      bytes target     prot opt in     out     source               destination
--> >       36     1828 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
--> 
--> 36 packets on the loopback interface - any idea what this is?
--> 
--> >       82     5404 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
--> 
--> 82 packets ESTABLISHED or RELATED came in
--> 
--> >        1       48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
--> 
--> One packet on port 22 (SSH)
--> 
--> >        0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80
--> 
--> NO packets on port 80...
--> 
--> >       12     3381 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited
--> 
--> And 12 rejected packets - maybe LOGging these before rejecting them would be 
--> helpful in this case, just so we know what they are?
--> 
--> > --> iptables -L -t nat -nvx".
--> >
--> > Chain PREROUTING (policy ACCEPT 19 packets, 4845 bytes)
--> >     pkts      bytes target     prot opt in     out     source               destination
--> >        0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            199.128.238.12     tcp dpt:80 redir ports 8080
--> 
--> And NO packets got redirected from 80 to 8080...
--> 
--> I still don't see how you are successfully getting a connection on port 8080 
--> when there is no rule to allow it.
--> 
--> Regards,
--> 
--> Antony.
--> 
--> -- 
--> There are two possible outcomes:
--> 
-->  If the result confirms the hypothesis, then you've made a measurement.
-->  If the result is contrary to the hypothesis, then you've made a discovery.
--> 
-->  - Enrico Fermi
--> 
--> 
--> 


* Re: Instructions on how to redirect port 80 to port 8080
  2004-02-18 15:01 ` Fabian Hartmann
@ 2004-02-18 15:11   ` Antony Stone
  0 siblings, 0 replies; 21+ messages in thread
From: Antony Stone @ 2004-02-18 15:11 UTC (permalink / raw)
  To: netfilter

On Wednesday 18 February 2004 3:01 pm, Fabian Hartmann wrote:

> > The telnet's being done from the box itself, telneting to the network ip
> > (not loopback) of the box.

Oh!   I recommend not doing this, since it doesn't test the same bits of the 
ruleset as packets coming from another machine (which is what I assume you 
really want the rules to do).   I did think you were testing from another 
machine.

> > The same response occurs if the telnet is done from another box.

In that case put a LOG rule just before the REJECT, as I suggested in my last 
posting, then we can see exactly what got REJECTed.

Antony.

-- 
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: Instructions on how to redirect port 80 to port 8080
  2004-02-18 14:31 Martinez, Michael
@ 2004-02-18 15:08 ` Antony Stone
  0 siblings, 0 replies; 21+ messages in thread
From: Antony Stone @ 2004-02-18 15:08 UTC (permalink / raw)
  To: Netfilter

On Wednesday 18 February 2004 2:31 pm, Martinez, Michael wrote:

> --> Please flush the counters on your rules using "iptables -Z;
> --> iptables -Z -t nat", connect to port 8080, and then tell us the output
> --> of "iptables -L -nvx;

I've eliminated most of the lines which have zero packet counts, as they mean 
no traffic was seen:

> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>      131    10661 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

131 packets in total, all from your user-defined chain...

> Chain RH-Firewall-1-INPUT (2 references)
>     pkts      bytes target     prot opt in     out     source               destination
>       36     1828 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

36 packets on the loopback interface - any idea what this is?

>       82     5404 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

82 packets ESTABLISHED or RELATED came in

>        1       48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22

One packet on port 22 (SSH)

>        0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80

NO packets on port 80...

>       12     3381 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited

And 12 rejected packets - maybe LOGging these before rejecting them would be 
helpful in this case, just so we know what they are?

> --> iptables -L -t nat -nvx".
>
> Chain PREROUTING (policy ACCEPT 19 packets, 4845 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>        0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            199.128.238.12     tcp dpt:80 redir ports 8080

And NO packets got redirected from 80 to 8080...

I still don't see how you are successfully getting a connection on port 8080 
when there is no rule to allow it.

Regards,

Antony.

-- 
There are two possible outcomes:

 If the result confirms the hypothesis, then you've made a measurement.
 If the result is contrary to the hypothesis, then you've made a discovery.

 - Enrico Fermi



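Antony's reading of the counters above is a technique worth keeping: zero the counters, make exactly one connection, and the rules whose packet counts moved are the path the packet took. The rules that stayed at zero are just as telling; here the dport-80 ACCEPT and the REDIRECT both stayed at zero, so the test connection never went through PREROUTING at all. The script below is an added example, not code from the thread: two awk filters over the text of "iptables -L -nvx" (the same layout is produced for "-t nat"), run here against a constructed copy of the counters Michael posted, with the mail-wrapped lines re-joined.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the text of "iptables -L -nvx" (or
# "iptables -L -t nat -nvx") and shows which rules counted packets. The samples
# below are constructed from the counters posted in this thread.
set -eu

SAMPLE_COUNTERS='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     131    10661 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      36     1828 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 255
      82     5404 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
       1       48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80
      12     3381 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited'

SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 19 packets, 4845 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            199.128.238.12     tcp dpt:80 redir ports 8080'

# hot_rules: print "CHAIN PKTS TARGET [match text]" for each rule that saw packets.
# Columns 1-9 of a rule line are pkts bytes target prot opt in out source
# destination; anything after that is the match description (state, dpt:, ...).
hot_rules() {
    awk '
        /^Chain / { chain = $2; next }
        /^ *pkts/ || /^ *$/ { next }
        $1 + 0 > 0 {
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra " " $i
            print chain, $1, $3 extra
        }
    '
}

# cold_rules PATTERN: rules matching PATTERN that saw nothing at all. Feeding it
# both tables at once shows the whole "port 80" path stayed dark.
cold_rules() {
    awk -v pat="$1" '
        /^Chain / { chain = $2; next }
        /^ *pkts/ || /^ *$/ { next }
        $1 + 0 == 0 && $0 ~ pat { print chain, $3, "saw no packets" }
    '
}

# Usage on a live box, after "iptables -Z; iptables -Z -t nat" and one test
# connection:  iptables -L -nvx | hot_rules ; iptables -L -t nat -nvx | hot_rules
printf '%s\n' "$SAMPLE_COUNTERS" | hot_rules
printf '%s\n%s\n' "$SAMPLE_COUNTERS" "$SAMPLE_NAT" | cold_rules 'dpt:80( |$)'
```

The pattern given to cold_rules is anchored on a space or end of line so that "dpt:80" does not also match a later "dpt:8080" rule once one exists. With the sample input, hot_rules lists exactly the five rules Antony commented on, and cold_rules names the dport-80 ACCEPT and the REDIRECT.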

* RE: Instructions on how to redirect port 80 to port 8080
       [not found] <9908FCB837A50642B74E2BEC198843095CC655@csrees-exchsrvb.csrees.usda.gov>
@ 2004-02-18 15:01 ` Fabian Hartmann
  2004-02-18 15:11   ` Antony Stone
  0 siblings, 1 reply; 21+ messages in thread
From: Fabian Hartmann @ 2004-02-18 15:01 UTC (permalink / raw)
  To: Martinez, Michael; +Cc: netfilter


> The telnet's being done from the box itself, telneting to the network ip
> (not loopback) of the box. The same response occurs if the telnet is
> done from another box.
> 
if you do telnet from the localhost, you must have a rule in the OUTPUT chain, 
which redirects packets from port 80 to 8080. otherwise you won't be 
redirected! (Locally generated packets always go out through OUTPUT chain)

something like this should help
iptables -A OUTPUT -t nat -p tcp --dport 80 -j REDIRECT --to 8080

or try telnet from the LAN, which should work with the PREROUTING Rule.
> 
> --> -----Original Message-----
> --> From: Fabian Hartmann [mailto:realdeal@realdealz.ch] 
> --> Sent: Wednesday, February 18, 2004 9:53 AM
> --> To: Martinez, Michael
> --> Subject: RE: Instructions on how to redirect port 80 to port 8080
> --> 
> --> 
> --> > 
> --> > This isn't working. I can "telnet `hostname` 8080" and get an http
> --> > response, but when I do "telnet `hostname` 80" the 
> --> response I get is
> --> > "telnet: Unable to connect to remote host: Connection refused."
> --> > 
> --> Where are you doing the telnet from? from the lan or from 
> --> the firewall itself?
> --> 
> --> ---
> --> Fabian Hartmann
> --> 
> --> realdeal@realdealz.ch
> --> www.realdealz.ch
> --> 
> 


---
Fabian Hartmann

realdeal@realdealz.ch
www.realdealz.ch


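Putting the thread together: the REDIRECT in nat/PREROUTING only ever sees packets arriving from another host; a connection the box makes to its own address goes through nat/OUTPUT instead (Fabian's point, and REDIRECT maps such locally generated packets to 127.0.0.1, so they then come back in on lo); and whichever way the packet comes in, the filter table sees it after the rewrite, with destination port 8080, which is why the existing ACCEPT for port 80 never matched and the REJECT counter kept climbing (Antony's point). The script below is an added example, not Red Hat's generated configuration and not code from any poster: it renders the complete ruleset in iptables-save format, with both REDIRECT rules, an ACCEPT for the redirected port and a LOG rule ahead of the REJECT, and checks that ordering before loading it with iptables-restore. The address, ports and chain name default to the values in Michael's iptables-save output; the --apply switch is this script's own convention.

```shell
#!/bin/sh
# Added example, not from the thread and not Red Hat's config. Renders the full
# ruleset in iptables-save format so it can be loaded atomically with
# "iptables-restore", then lints the order of the rules that matter.
set -eu

ADDR=${ADDR:-199.128.238.12}      # the box's own non-loopback address (from the thread)
FROM=${FROM:-80}                  # port clients connect to
TO=${TO:-8080}                    # port the web server actually listens on
CHAIN=${CHAIN:-RH-Firewall-1-INPUT}

# render_rules: print the ruleset. Lines starting with "#" are ignored by iptables-restore.
render_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Connections from other hosts are rewritten before routing.
-A PREROUTING -d $ADDR -p tcp -m tcp --dport $FROM -j REDIRECT --to-ports $TO
# Connections the box makes to its own address never pass PREROUTING; they go
# through nat/OUTPUT. REDIRECT maps locally generated packets to 127.0.0.1, so
# they then enter INPUT on lo and match the "-i lo" ACCEPT below.
-A OUTPUT -d $ADDR -p tcp -m tcp --dport $FROM -j REDIRECT --to-ports $TO
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:$CHAIN - [0:0]
-A INPUT -j $CHAIN
-A FORWARD -j $CHAIN
-A $CHAIN -i lo -j ACCEPT
-A $CHAIN -p icmp -m icmp --icmp-type any -j ACCEPT
-A $CHAIN -p esp -j ACCEPT
-A $CHAIN -p ah -j ACCEPT
-A $CHAIN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A $CHAIN -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# The filter table sees the packet after nat, i.e. with dport $TO. An ACCEPT for
# dport $FROM would never match redirected traffic, so allow $TO instead and
# leave $FROM closed: nothing listens there any more.
-A $CHAIN -p tcp -m state --state NEW -m tcp --dport $TO -j ACCEPT
# Log whatever is about to be rejected so the REJECT counter is never a mystery.
-A $CHAIN -j LOG --log-level info --log-prefix "Reject:"
-A $CHAIN -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# lint_rules: read a rendered ruleset on stdin and check the order that matters:
# the ACCEPT for $TO must come before the final REJECT, and the LOG must sit
# immediately before it. Exit status 0 when the ruleset passes.
lint_rules() {
    awk -v chain="$CHAIN" -v to="$TO" '
        $1 == "-A" && $2 == chain {
            n++
            if ($0 ~ ("--dport " to " -j ACCEPT")) accept = n
            if ($0 ~ /-j LOG/) log_at = n
            if ($0 ~ /-j REJECT/) reject = n
        }
        END {
            ok = (accept && log_at && reject && accept < reject && log_at == reject - 1)
            exit (ok ? 0 : 1)
        }
    '
}

# "./redirect.sh --apply" (as root) checks and loads; with no argument it only renders.
if [ "${1:-}" = "--apply" ]; then
    render_rules | lint_rules
    render_rules | iptables-restore
else
    render_rules
fi
```

Before loading it on a remote box, keep in mind that iptables-restore replaces the whole nat and filter tables in one step; the SSH ACCEPT is kept above for that reason. After loading, the check from earlier in the thread still applies: zero the counters, connect to port 80 from another host and from the box itself, and confirm that the PREROUTING REDIRECT, the OUTPUT REDIRECT and the dport-8080 ACCEPT each count the packets you expect.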

* RE: Instructions on how to redirect port 80 to port 8080
@ 2004-02-18 14:41 Sven-Åke Larsson
  0 siblings, 0 replies; 21+ messages in thread
From: Sven-Åke Larsson @ 2004-02-18 14:41 UTC (permalink / raw)
  To: 'Netfilter '

 
Hi, 

This is almost off topic, but...
When you finally have the ruleset working, you will still tear your hair off
when you try to look at the web site in a MicroWhatever Internet Explorer -
especially when the "The page cannot be displayed" message hits your face.
Why? Because IE cannot resolve your address if your server is listening on
another port than 80, so every time someone tries to connect to your site by
typing www.your.domain:8080 without "http://" in the beginning, they will
get the error message. 
Actually, the error appears even if someone types your.domain:80 without http
but it almost never happens. Funny, isn't it?

And yes, I have a huge chunk of hair ripped off just above my ears. ;-)

Regards,
S-Å



-----Original Message-----
From: Antony Stone
To: Netfilter
Sent: 2004-02-18 15:19
Subject: Re: Instructions on how to redirect port 80 to port 8080

On Wednesday 18 February 2004 2:06 pm, Martinez, Michael wrote:

> --> iptables -A PREROUTING -t nat -d a.b.c.d -p tcp --dport 80 -j REDIRECT --to 8080
>
> This isn't working. I can "telnet `hostname` 8080" and get an http
> response, but when I do "telnet `hostname` 80" the response I get is
> "telnet: Unable to connect to remote host: Connection refused."

Given the ruleset you've posted, I don't see how a telnet to 8080 can work, 
since you have no INPUT rule allowing packets to that port...

Please flush the counters on your rules using "iptables -Z; iptables -Z -t 
nat", connect to port 8080, and then tell us the output of "iptables -L -nvx; 
iptables -L -t nat -nvx".



* RE: Instructions on how to redirect port 80 to port 8080
@ 2004-02-18 14:31 Martinez, Michael
  2004-02-18 15:08 ` Antony Stone
  0 siblings, 1 reply; 21+ messages in thread
From: Martinez, Michael @ 2004-02-18 14:31 UTC (permalink / raw)
  To: Antony Stone, Netfilter


--> On Wednesday 18 February 2004 2:06 pm, Martinez, Michael wrote:
--> 
--> > --> iptables -A PREROUTING -t nat -d a.b.c.d -p tcp --dport 80 -j REDIRECT --to 8080
--> >
--> > This isn't working. I can "telnet `hostname` 8080" and get an http
--> > response, but when I do "telnet `hostname` 80" the response I get is
--> > "telnet: Unable to connect to remote host: Connection refused."
--> 
--> Given the ruleset you've posted, I don't see how a telnet to 8080 can work, 
--> since you have no INPUT rule allowing packets to that port...
--> 
--> Please flush the counters on your rules using "iptables -Z; iptables -Z -t 
--> nat", 

Done

--> connect to port 8080, and then tell us the output of "iptables -L -nvx;

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     131    10661 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 102 packets, 8080 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      36     1828 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 255
       0        0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
      82     5404 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
       1       48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80
      12     3381 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited
 
--> iptables -L -t nat -nvx".

Chain PREROUTING (policy ACCEPT 19 packets, 4845 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            199.128.238.12     tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT 34 packets, 2054 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 34 packets, 2054 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Mike Martinez


* Re: Instructions on how to redirect port 80 to port 8080
  2004-02-18 14:06 Martinez, Michael
@ 2004-02-18 14:19 ` Antony Stone
  2004-02-18 17:28 ` Alexis
  1 sibling, 0 replies; 21+ messages in thread
From: Antony Stone @ 2004-02-18 14:19 UTC (permalink / raw)
  To: Netfilter

On Wednesday 18 February 2004 2:06 pm, Martinez, Michael wrote:

> --> iptables -A PREROUTING -t nat -d a.b.c.d -p tcp --dport 80 -j REDIRECT --to 8080
>
> This isn't working. I can "telnet `hostname` 8080" and get an http
> response, but when I do "telnet `hostname` 80" the response I get is
> "telnet: Unable to connect to remote host: Connection refused."

Given the ruleset you've posted, I don't see how a telnet to 8080 can work, 
since you have no INPUT rule allowing packets to that port...

Please flush the counters on your rules using "iptables -Z; iptables -Z -t 
nat", connect to port 8080, and then tell us the output of "iptables -L -nvx; 
iptables -L -t nat -nvx".

> -A PREROUTING -d 199.128.238.12 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [417:40204]
> :RH-Firewall-1-INPUT - [0:0]
>
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Regards,

Antony.

-- 
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.




* RE: Instructions on how to redirect port 80 to port 8080
@ 2004-02-18 14:06 Martinez, Michael
  2004-02-18 14:19 ` Antony Stone
  2004-02-18 17:28 ` Alexis
  0 siblings, 2 replies; 21+ messages in thread
From: Martinez, Michael @ 2004-02-18 14:06 UTC (permalink / raw)
  To: Antony Stone, Netfilter


--> On Tuesday 17 February 2004 7:10 pm, Alexis wrote:
--> 
--> > iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
--> > x.x.x.x:8080
--> 
--> You might prefer to use REDIRECT - it's like DNAT, but only allows you to 
--> specify the port number, and forces the IP address to the local machine:
--> 
--> iptables -A PREROUTING -t nat -d a.b.c.d -p tcp --dport 80 -j REDIRECT --to 8080
--> 

This isn't working. I can "telnet `hostname` 8080" and get an http
response, but when I do "telnet `hostname` 80" the response I get is
"telnet: Unable to connect to remote host: Connection refused."

Here's my iptables-save output:

# Generated by iptables-save v1.2.8 on Wed Feb 18 09:09:04 2004
*nat
:PREROUTING ACCEPT [44:5084]
:POSTROUTING ACCEPT [43:2580]
:OUTPUT ACCEPT [43:2580]
-A PREROUTING -d 199.128.238.12 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Wed Feb 18 09:09:04 2004
# Generated by iptables-save v1.2.8 on Wed Feb 18 09:09:04 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [417:40204]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Feb 18 09:09:04 2004


Mike Martinez


* Re: Instructions on how to redirect port 80 to port 8080
  2004-02-17 19:10   ` Alexis
@ 2004-02-17 19:30     ` Antony Stone
  0 siblings, 0 replies; 21+ messages in thread
From: Antony Stone @ 2004-02-17 19:30 UTC (permalink / raw)
  To: Netfilter

On Tuesday 17 February 2004 7:10 pm, Alexis wrote:

> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to x.x.x.x:8080

You might prefer to use REDIRECT - it's like DNAT, but only allows you to 
specify the port number, and forces the IP address to the local machine:

iptables -A PREROUTING -t nat -d a.b.c.d -p tcp --dport 80 -j REDIRECT --to 8080

(Note that I've added a "-d a.b.c.d" where a.b.c.d is the IP address of the 
machine with the rule on it - otherwise it would redirect *all* TCP port 80 
traffic, whether it was originally addressed to this machine or somewhere 
else.)

Regards,

Antony.

> On Tue, 2004-02-17 at 16:04, Alexis wrote:
> > iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT --to
> > x.x.x.x:8080
> >
> > could be a start :)
> >
> > On Tue, 2004-02-17 at 15:55, Martinez, Michael wrote:
> > > Guys -
> > >
> > > I'm finding a lack of documentation describing how to do this. It ought
> > > to be simple. I know how to do it with ipchains.
> > >
> > > On a redhat linux system using /etc/sysconfig/iptables, what line(s) do
> > > I add to /etc/sysconfig/iptables to configure to redirect all inbound
> > > port 80 traffic to port 8080 on the same host?
> > >
> > > Thank you -
> > >
> > > Regards,
> > >
> > > Michael Martinez
> > > ISTM/CSREES
> > > United States Department of Agriculture
> > > ---
> > > This email is signed with my digital signature so that you may verify
> > > the authenticity of the sender.

-- 
These clients are often infected by viruses or other malware and need to be 
fixed.  If not, the user at that client needs to be fixed...

 - Henrik Nordstrom, on Squid user's mailing list

                                                     Please reply to the list;
                                                           please don't CC me.



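One check worth running on a ruleset like the iptables-save dump Michael posted above, given as an added example that is not from anyone in this thread: a REDIRECT in nat/PREROUTING rewrites the destination port before the filter table's INPUT chain sees the packet, so the filter rules must accept the port you redirected *to*, not only the original one. The script below (POSIX sh and awk; the dump is a constructed sample modelled on the posted output) lists every REDIRECT target port that no tcp ACCEPT rule in the filter table covers.

```shell
#!/bin/sh
# Added example (not from the thread). A REDIRECT in nat/PREROUTING rewrites
# the destination port before filter/INPUT runs, so the filter table must
# accept the *redirected-to* port. This script finds REDIRECT target ports
# that no tcp ACCEPT rule in the filter table covers.

# Constructed sample dump, modelled on the iptables-save output in the thread.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [44:5084]
-A PREROUTING -d 199.128.238.12 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print the target port of every REDIRECT rule in nat/PREROUTING, one per line.
redirect_target_ports() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }   # "*nat" / "*filter" section headers
        table == "nat" && /^-A PREROUTING / && /-j REDIRECT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--to-ports" || $i == "--to") print $(i + 1)
        }'
}

# Return 0 if some filter-table rule accepts tcp traffic to --dport $2, else 1.
filter_accepts_tcp_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && $(i + 1) == port) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Print every REDIRECT target port that the filter table does not accept.
unaccepted_redirect_ports() {
    for p in $(redirect_target_ports "$1"); do
        filter_accepts_tcp_port "$1" "$p" || echo "$p"
    done
}

unaccepted_redirect_ports "$SAMPLE_DUMP"   # prints 8080 for the sample dump
```

Feed it the real dump with `unaccepted_redirect_ports "$(iptables-save)"`; an empty result means every redirected-to port has a matching ACCEPT.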

* RE: Instructions on how to redirect port 80 to port 8080
@ 2004-02-17 19:24 Martinez, Michael
  0 siblings, 0 replies; 21+ messages in thread
From: Martinez, Michael @ 2004-02-17 19:24 UTC (permalink / raw)
  To: Alexis, Netfilter


Seems like it ought to work, but it doesn't. Maybe I should turn
iptables logging on ... Any simple way of doing this? Bear with me, I'm
real new to iptables; I haven't taken the time to learn it yet.

Regards,
 
Michael Martinez
ISTM/CSREES
United States Department of Agriculture
---
This email is signed with my digital signature so that you may verify
the authenticity of the sender.

--> -----Original Message-----
--> From: Alexis [mailto:alexis@attla.net.ar] 
--> Sent: Tuesday, February 17, 2004 2:10 PM
--> To: Netfilter
--> Cc: Martinez, Michael
--> Subject: Re: Instructions on how to redirect port 80 to port 8080
--> 
--> 
--> Sorry, my mistake, this line is wrong.
--> 
--> change mangle for nat
--> 
--> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to x.x.x.x:8080
--> 
--> 
--> 
--> On Tue, 2004-02-17 at 16:04, Alexis wrote:
--> > iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT --to x.x.x.x:8080
--> > 
--> > could be a start :)
--> > 
--> > 
--> > 
--> > On Tue, 2004-02-17 at 15:55, Martinez, Michael wrote:
--> > > Guys - 
--> > > 
--> > > I'm finding a lack of documentation describing how to 
--> do this. It ought
--> > > to be simple. I know how to do it with ipchains.
--> > > 
--> > > On a redhat linux system using /etc/sysconfig/iptables, 
--> what line(s) do
--> > > I add to /etc/sysconfig/iptables to configure to 
--> redirect all inbound
--> > > port 80 traffic to port 8080 on the same host?
--> > > 
--> > > Thank you -
--> > > 
--> > > Regards,
--> > >  
--> > > Michael Martinez
--> > > ISTM/CSREES
--> > > United States Department of Agriculture
--> > > ---
--> > > This email is signed with my digital signature so that 
--> you may verify
--> > > the authenticity of the sender.
--> -- 
--> Alexis <alexis@attla.net.ar>
--> 
--> 


* Re: Instructions on how to redirect port 80 to port 8080
  2004-02-17 19:04 ` Alexis
@ 2004-02-17 19:10   ` Alexis
  2004-02-17 19:30     ` Antony Stone
  0 siblings, 1 reply; 21+ messages in thread
From: Alexis @ 2004-02-17 19:10 UTC (permalink / raw)
  To: Netfilter; +Cc: MMARTINEZ

Sorry, my mistake, this line is wrong.

change mangle for nat

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to x.x.x.x:8080



On Tue, 2004-02-17 at 16:04, Alexis wrote:
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT --to x.x.x.x:8080
> 
> could be a start :)
> 
> 
> 
> On Tue, 2004-02-17 at 15:55, Martinez, Michael wrote:
> > Guys - 
> > 
> > I'm finding a lack of documentation describing how to do this. It ought
> > to be simple. I know how to do it with ipchains.
> > 
> > On a redhat linux system using /etc/sysconfig/iptables, what line(s) do
> > I add to /etc/sysconfig/iptables to configure to redirect all inbound
> > port 80 traffic to port 8080 on the same host?
> > 
> > Thank you -
> > 
> > Regards,
> >  
> > Michael Martinez
> > ISTM/CSREES
> > United States Department of Agriculture
> > ---
> > This email is signed with my digital signature so that you may verify
> > the authenticity of the sender.
-- 
Alexis <alexis@attla.net.ar>




* Re: Instructions on how to redirect port 80 to port 8080
  2004-02-17 18:55 Martinez, Michael
@ 2004-02-17 19:04 ` Alexis
  2004-02-17 19:10   ` Alexis
  0 siblings, 1 reply; 21+ messages in thread
From: Alexis @ 2004-02-17 19:04 UTC (permalink / raw)
  To: Martinez, Michael; +Cc: Netfilter

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j DNAT --to x.x.x.x:8080

could be a start :)



On Tue, 2004-02-17 at 15:55, Martinez, Michael wrote:
> Guys - 
> 
> I'm finding a lack of documentation describing how to do this. It ought
> to be simple. I know how to do it with ipchains.
> 
> On a redhat linux system using /etc/sysconfig/iptables, what line(s) do
> I add to /etc/sysconfig/iptables to configure to redirect all inbound
> port 80 traffic to port 8080 on the same host?
> 
> Thank you -
> 
> Regards,
>  
> Michael Martinez
> ISTM/CSREES
> United States Department of Agriculture
> ---
> This email is signed with my digital signature so that you may verify
> the authenticity of the sender.
-- 
Alexis <alexis@attla.net.ar>




* Instructions on how to redirect port 80 to port 8080
@ 2004-02-17 18:55 Martinez, Michael
  2004-02-17 19:04 ` Alexis
  0 siblings, 1 reply; 21+ messages in thread
From: Martinez, Michael @ 2004-02-17 18:55 UTC (permalink / raw)
  To: netfilter


Guys - 

I'm finding a lack of documentation describing how to do this. It ought
to be simple. I know how to do it with ipchains.

On a redhat linux system using /etc/sysconfig/iptables, what line(s) do
I add to /etc/sysconfig/iptables to configure to redirect all inbound
port 80 traffic to port 8080 on the same host?

Thank you -

Regards,
 
Michael Martinez
ISTM/CSREES
United States Department of Agriculture
---
This email is signed with my digital signature so that you may verify
the authenticity of the sender.

