10-05-2012, 08:37 AM
Tim
iptables fubared?

On Thu, 2012-10-04 at 12:45 -0700, Mark Space wrote:
> I'm not sure where I could have fubared this. I did try to redirect
> the ports from 80 to 8080, perhaps that was done incorrectly?

You've tested that you can browse to localhost on port 80, but have you
also tested that the web server is listening to port 8080, by browsing to
that port on the same machine (or over ssh)?

Why are you redirecting, though? If there's a block on port 80, then
your attempt to get in on port 80 and redirect to port 8080 isn't going
to work. Which way are you *trying* to redirect?

Last time I played with redirection (long ago), I did it to the input
and/or NAT rules, not the output rules. Redirecting incoming
connections on a port that would be allowed, to the port that was
listening.


## Redirect webserver visitors past my ISP's firewalling (blocking port 80):
## incoming port 8000 connections sent to the port 80 listening server

iptables --table nat --append PREROUTING --protocol tcp --dport 8000 --jump REDIRECT --to-port 80


But, it can be easier to just have the server listen to the port that's
not blocked, and not do any redirection.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
10-05-2012, 04:17 PM
Mark Space
iptables fubared?

On 10/5/2012 1:00 AM, Bill Shirley wrote:
> Maybe I didn't understand correctly. You're wanting to redirect
> traffic received on eth0 port 80 to port 8080. Is this correct?
>
> "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j
> REDIRECT --to-ports 8080"
>
> If so, then you wouldn't expect to see any traffic on eth0 port
> 8080 (neither coming or going), right?

I guess. Is that the way iptables works? I would have guessed that
if you redirect, you'd see traffic on the output chain and therefore
that "port." But it seems it isn't. It looks like tcpdump hooks
into the raw input/output, before iptables handles it. In that case
it would make sense what you say.

Anyway, problem got solved. Someone with very good knowledge of TCP
and unix pointed out:

1. I need to make sure port forwarding is enabled (it wasn't): sudo
sysctl -w net.ipv4.ip_forward=1

2. I *am* getting a response from the server. If you look closely
at the tcpdump output, the server is responding. It's sending
resets back to the external workstation. That means it's telling
the workstation that it saw the request, but there's no one
listening.

3. Close inspection with netstat on the server revealed I was
listening on the right port, but the wrong network. JBoss comes
configured by default to listen on the loopback interface. I had
neglected to edit the config to tell it to listen on 0.0.0.0/0.
Grrrr. That's distinct from the port, which is in a different part
of the config file. Grrr grrr.

I really hate system administration.

Thanks for your help btw, and thanks to everyone else who tried to
help. It was useful to at least have avenues to pursue.

> Bill
>
> On 10/4/2012 9:36 PM, Mark Space wrote:
>> I don't understand this comment:
>>
>> "If you get traffic on port 8080 then you have an iptables
>> problem."
>>
>> Wouldn't it be the opposite? If I DON'T have traffic on port
>> 8080, I have problems with iptables. But maybe I
>> misunderstand how iptables or tcpdump work.
>>
>> On 10/4/2012 4:52 PM, Bill Shirley wrote:
>>> Check your listen statement in /etc/httpd/conf/httpd.conf.
>>> It should be:
>>>
>>> Listen 8080
>>>
>>> If that is correct, run tcpdump (ctrl+c to quit) and then try
>>> externally connecting:
>>>
>>> tcpdump -n -i eth0 port 80 or port 8080
>>>
>>> If you get traffic on port 8080 then you have an iptables
>>> problem.
>>>
>>> Bill
>>>
>>> On 10/4/2012 3:45 PM, Mark Space wrote:
>>>> Hi all, I'm having a bit of trouble setting up a new web
>>>> server. The last time I set it up it went smoothly, but for
>>>> some reason I can't connect to the HTTP port on this one.
>>>>
>>>> Any clues what I'm missing?
>>>>
>>>> I can:
>>>>
>>>> 1. SSH into my server from an external workstation.
>>>>
>>>> 2. Ping my server by DNS name from an external workstation.
>>>>
>>>> 3. I can load the default web page when I'm SSH'd in, this
>>>> works fine:
>>>>
>>>> $ wget localhost
>>>> --2012-10-04 17:44:35-- http://localhost/
>>>> Resolving localhost... 127.0.0.1
>>>> Connecting to localhost|127.0.0.1|:80... connected.
>>>> HTTP request sent, awaiting response... 200 OK
>>>> Length: 2432 (2.4K) [text/html]
>>>> Saving to: ‘index.html.1’
>>>>
>>>> 100%[======================================>] 2,432 --.-K/s in 0s
>>>>
>>>> 2012-10-04 17:44:35 (183 MB/s) - ‘index.html.1’
>>>>
>>>> However, I cannot connect via HTTP externally, even using
>>>> the IP address:
>>>>
>>>> 4. Unable to connect Firefox can't establish a connection to
>>>> the server at 54.243.205.88.
>>>>
>>>> I'm not sure where I could have fubared this. I did try to
>>>> redirect the ports from 80 to 8080, perhaps that was done
>>>> incorrectly?
>>>>
>>>> [ec2-user@domU-12-31-39-0A-A0-29 ~]$ sudo iptables -L
>>>> Chain INPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain FORWARD (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>> [ec2-user@domU-12-31-39-0A-A0-29 ~]$ sudo iptables -t nat -L -n -v
>>>> Chain PREROUTING (policy ACCEPT 21 packets, 1608 bytes)
>>>> pkts bytes target prot opt in out source destination
>>>> 150 7600 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
>>>>
>>>> Chain INPUT (policy ACCEPT 171 packets, 9208 bytes)
>>>> pkts bytes target prot opt in out source destination
>>>>
>>>> Chain OUTPUT (policy ACCEPT 45 packets, 3625 bytes)
>>>> pkts bytes target prot opt in out source destination
>>>> 2 120 REDIRECT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:80 redir ports 8080
>>>> 0 0 REDIRECT tcp -- * * 0.0.0.0/0 10.211.163.215 tcp dpt:80 redir ports 8080
>>>>
>>>> Chain POSTROUTING (policy ACCEPT 47 packets, 3745 bytes)
>>>> pkts bytes target prot opt in out source destination
>>>>
>>>> I thought this should be exactly the same as the last time I
>>>> did it, so I don't know why it wouldn't work.
>>>>
>>>> Here's the script I used to set up the iptables:
>>>>
>>>> iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 8080
>>>>
>>>> iptables -t nat -A OUTPUT -d 10.211.163.215 -p tcp --dport 80 -j REDIRECT --to-ports 8080
>>>>
>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
>>>>
>>>> /etc/init.d/iptables save
>>>>
>>>> /etc/init.d/iptables restart
>>>>
>>>> I'm completely at a loss how to troubleshoot this further,
>>>> any advice is much appreciated.

 
10-05-2012, 04:29 PM
Mark Space
iptables fubared?

On 10/5/2012 1:37 AM, Tim wrote:
> On Thu, 2012-10-04 at 12:45 -0700, Mark Space wrote:
>> I'm not sure where I could have fubared this. I did try to redirect
>> the ports from 80 to 8080, perhaps that was done incorrectly?
>
> You've tested that you can browse to localhost on port 80, but have you
> also tested that the web server is listening to port 8080, by browsing to
> that port on the same machine (or over ssh)?

Yes, I tested that as well. See below.

> Why are you redirecting, though? If there's a block on port 80, then
> your attempt to get in on port 80 and redirect to port 8080 isn't going
> to work. Which way are you *trying* to redirect?

Just that I understand it's good practice to never run apps as
root. If I listen on port 8080 instead of 80, I never have to run
the server as root. Port 80 is completely unblocked, I have full
control over it. That's why I'm redirecting from port 80--it
wouldn't make much sense to do so if that port was blocked.

> Last time I played with redirection (long ago), I did it to the input
> and/or NAT rules, not the output rules.

I do have a nat rule in that list. The other two rules I think are
to: 1. redirect output from the server itself on the loopback, and
2. redirect output from the server itself on the external ip/nic.
In other words, if you try to connect internally, like I did from
the command line with wget, it won't work unless you have those
redirects. I got the rules from the 'net; I guess someone was just
being thorough.

Anyway, problem got solved. I'll post a copy of this here (I
already sent this reply to one of Bill's emails), as sometimes it
seems emails on this list get lost or ignored. The solution is good
enough that some other folks might want to see it. Someone with
very good knowledge of TCP and unix pointed out:

1. I need to make sure port forwarding is enabled (it wasn't): sudo
sysctl -w net.ipv4.ip_forward=1

2. I *am* getting a response from the server. If you look closely
at the tcpdump output, the server is responding. It's sending
resets back to the external workstation. That means it's telling
the workstation that it saw the request, but there's no one
listening.

3. Close inspection with netstat on the server revealed I was
listening on the right port, but the wrong network. JBoss comes
configured by default to listen on the loopback interface. I had
neglected to edit the config to tell it to listen on 0.0.0.0/0.
Grrrr. That's distinct from the port, which is in a different part
of the config file. Grrr grrr.

I really hate system administration.

Thanks for your help btw, and thanks to everyone else who tried to
help. It was useful to at least have avenues to pursue.

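As an added illustration (my own code, not anything posted in the thread), here is a small Python checker that walks the diagnosis the thread arrived at over constructed copies of the `iptables -t nat -L -n -v` and `netstat -ltn` output: a non-zero packet counter on the PREROUTING REDIRECT means iptables is doing its job, so the remaining suspect is the bind address of whatever listens on the redirect target. The sample listings, the regex and the function names are all assumptions of mine.

```python
import re

# Constructed sample in the format of `iptables -t nat -L -n -v` from the thread:
# the PREROUTING REDIRECT has already matched 150 packets, so iptables is fine.
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 21 packets, 1608 bytes)
 pkts bytes target   prot opt in   out  source     destination
  150  7600 REDIRECT tcp  --  eth0 *    0.0.0.0/0  0.0.0.0/0   tcp dpt:80 redir ports 8080
"""

# Constructed `netstat -ltn` output showing the symptom the thread ended on:
# something listens on 8080, but only on the loopback address.
LISTEN_LISTING = """\
Proto Recv-Q Send-Q Local Address   Foreign Address  State
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN
tcp        0      0 127.0.0.1:8080  0.0.0.0:*        LISTEN
"""

# Packet counter, matched destination port and target port of a tcp REDIRECT rule.
REDIRECT_RE = re.compile(
    r"^\s*(\d+)\s+\d+\s+REDIRECT\s+tcp\b.*?\btcp dpt:(\d+)\s+redir ports\s+(\d+)", re.M)

def find_redirect(nat_listing, dport):
    """Return {'pkts', 'to_port'} for the nat REDIRECT rule on dport, or None."""
    for m in REDIRECT_RE.finditer(nat_listing):
        if int(m.group(2)) == dport:
            return {"pkts": int(m.group(1)), "to_port": int(m.group(3))}
    return None

def listeners_on(listen_listing, port):
    """Local addresses that have a TCP socket in LISTEN state on `port`."""
    addrs = []
    for line in listen_listing.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            addr, _, local_port = fields[3].rpartition(":")
            if int(local_port) == port:
                addrs.append(addr.strip("[]"))         # "[::1]" -> "::1"
    return addrs

def diagnose(nat_listing, listen_listing, public_port=80):
    """Apply the thread's reasoning: rule present? rule matching? listener reachable?"""
    rule = find_redirect(nat_listing, public_port)
    if rule is None:
        return f"no nat REDIRECT for port {public_port}: fix the iptables rule first"
    to_port, pkts = rule["to_port"], rule["pkts"]
    if pkts == 0:
        return f"REDIRECT {public_port}->{to_port} is present but never matched: traffic is not reaching PREROUTING"
    addrs = listeners_on(listen_listing, to_port)
    if not addrs:
        return f"REDIRECT works ({pkts} pkts) but nothing listens on {to_port}: clients get RST"
    if all(a in ("127.0.0.1", "::1") for a in addrs):
        return f"REDIRECT works ({pkts} pkts) but port {to_port} is bound to loopback only: external clients get RST"
    return f"REDIRECT {public_port}->{to_port} works and port {to_port} listens on {', '.join(addrs)}"
```

On a real host the two listings would come from running the commands; the constructed ones reproduce the thread's state, so `diagnose(NAT_LISTING, LISTEN_LISTING)` points at the loopback-only bind.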
 
10-05-2012, 06:00 PM
Tim
iptables fubared?

Tim:
>> Why are you redirecting, though? If there's a block on port 80, then
>> your attempt to get in on port 80 and redirect to port 8080 isn't
>> going to work. Which way are you *trying* to redirect?
>
Mark Space
> Just that I understand it's good practice to never run apps as root.
> If I listen on port 8080 instead of 80, I never have to run the server
> as root.

Redirecting the port isn't going to change who's running the service,
that's configured elsewhere. And, for what it's worth, Apache doesn't
run as root, it runs as Apache.

 
10-05-2012, 06:50 PM
Patrick Kobly
iptables fubared?

He's running JBoss... Java apps won't drop privs. Non-root can't bind to 80, so he gets JBoss to bind to 8080 then redirects.

PK

On 2012-10-05, at 12:01 PM, "Tim" <ignored_mailbox@yahoo.com.au> wrote:

> Tim:
>>> Why are you redirecting, though? If there's a block on port 80, then
>>> your attempt to get in on port 80 and redirect to port 8080 isn't
>>> going to work. Which way are you *trying* to redirect?
>>
> Mark Space
>> Just that I understand it's good practice to never run apps as root.
>> If I listen on port 8080 instead of 80, I never have to run the server
>> as root.
>
> Redirecting the port isn't going to change who's running the service,
> that's configured elsewhere. And, for what it's worth, Apache doesn't
> run as root, it runs as Apache.
 
10-05-2012, 07:22 PM
Bruno Wolff III
iptables fubared?

On Fri, Oct 05, 2012 at 12:50:30 -0600,
Patrick Kobly <patrick@kobly.com> wrote:
> He's running JBoss... Java apps won't drop privs. Non-root can't bind to 80, so he gets JBoss to bind to 8080 then redirects.

Yuck. There are other ways to do that. I think the systemd route is probably
the way to do it in current Fedora:

http://www.freedesktop.org/software/systemd/man/systemd.socket.html

But inetd or tcp-server (and probably other things) could also be used.
 
10-05-2012, 07:49 PM
Patrick Kobly
iptables fubared?

Unfortunately, neither of those being platform-independent, it's somewhat unlikely that this will be supported under Java...

PK

-----Original message-----
From: Bruno Wolff III <bruno@wolff.to>
Sent: Fri 05-10-2012 13:22
Subject: Re: iptables fubared?
To: Patrick Kobly <patrick@kobly.com>;
CC: "Community support for Fedora users" <users@lists.fedoraproject.org>;
> On Fri, Oct 05, 2012 at 12:50:30 -0600,
> Patrick Kobly <patrick@kobly.com> wrote:
> > He's running JBoss... Java apps won't drop privs. Non-root can't bind to 80,
> > so he gets JBoss to bind to 8080 then redirects.
>
> Yuck. There are other ways to do that. I think the systemd route is probably
> the way to do it in current Fedora:
> http://www.freedesktop.org/software/systemd/man/systemd.socket.html
>
> But inetd or tcp-server (and probably other things) could also be used.
>
 
10-06-2012, 12:25 AM
Mark Space
iptables fubared?

Huh, weirdly I didn't see any of these messages until the last one. Is
the list fubared? Or maybe someone replied privately by mistake?



On 10/5/2012 12:49 PM, Patrick Kobly wrote:
> Unfortunately, neither of those being platform-independent, it's somewhat unlikely that this will be supported under Java...
>
> PK
>
> -----Original message-----
> From: Bruno Wolff III <bruno@wolff.to>
> Sent: Fri 05-10-2012 13:22
> Subject: Re: iptables fubared?
> To: Patrick Kobly <patrick@kobly.com>;
> CC: "Community support for Fedora users" <users@lists.fedoraproject.org>;
>> On Fri, Oct 05, 2012 at 12:50:30 -0600,
>> Patrick Kobly <patrick@kobly.com> wrote:
>>> He's running JBoss... Java apps won't drop privs. Non-root can't bind to 80,
>>> so he gets JBoss to bind to 8080 then redirects.
>>
>> Yuck. There are other ways to do that. I think the systemd route is probably
>> the way to do it in current Fedora:
>> http://www.freedesktop.org/software/systemd/man/systemd.socket.html
>>
>> But inetd or tcp-server (and probably other things) could also be used.

 
10-06-2012, 05:24 AM
Tim
iptables fubared?

On Fri, 2012-10-05 at 17:25 -0700, Mark Space wrote:
> I didn't see any of these messages until the last one. Is
> the list fubared?

Messages aren't always delivered in order, especially if they end up
travelling through different routes. Because of that, some of them can
get seriously delayed. Especially when they pass through services which
apply very low priorities, or a lot of spam checking, to list mail.

 
10-07-2012, 05:04 PM
"Eddie G. O'Connor Jr."
iptables fubared?

You HATE administration?......Wow!....I HATE help-desk.....I would LOVE
to be in administration....where you don't have users screaming at you
because they're too "dense" to figure out MS Office 2010!....LoL! I
would give anything to sit in some cubicle...or office....with nothing
but me and some servers to keep me company!......Count your blessings
Sir!....LoL! It could be WORSE.....you could be saying something like
"Welcome to McDonald's may I take your order?" every morning! (And this
is in no way intended to insult people who work at McDonald's....it's
strictly used to make a point!...I happen to have worked at Mickey D's
myself for about a year back when things weren't looking too good for me
financially!)

Cheers!

EGO II
