Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2016/12/04 20:30:03 UTC

[OT] Using iptables to remap port 443 -> 8443 for localhost

All,

I'm aware of various techniques to allow Tomcat to serve from port 80
without using root, but I've never actually tried using them before.

I'm trying to use iptables on a bare-metal Linux server running kernel
3.2 and I'm having no luck.

I've already got iptables doing other things for me, but adding this
should not be interfering.

Here's what I've done (following [1]):


$ sudo /sbin/iptables -I FORWARD -p tcp \
  --destination-port 443 -j ACCEPT
$ sudo /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp \
  --destination-port 443 --to-ports 8443

So here are my tables, now:

$ sudo iptables-save | grep "\(FORWARD\|PREROUTING\)"
:PREROUTING ACCEPT [10:1392]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -j LOG

$ telnet localhost 8443
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^C
Connection closed by foreign host.

(connects)

cschultz@europa:~$ telnet localhost 443
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

(fails)

Oddly enough, both ports 8443 and 443 are accessible from the outside:

elsewhere$ telnet myhost 8443
Trying 204.9.143.102...
Connected to europa.chadis.com.
Escape character is '^]'.
^CConnection closed by foreign host.

elsewhere$ telnet myhost 443
Trying 204.9.143.102...
Connected to europa.chadis.com.
Escape character is '^]'.
^CConnection closed by foreign host.

Do I need to do something different in order to allow "localhost"
connections to be PREROUTED?

Thanks,
-chris

[1] https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [OT] Using iptables to remap port 443 -> 8443 for localhost

Posted by Christopher Schultz <ch...@christopherschultz.net>.

All,

On 12/4/16 3:30 PM, Christopher Schultz wrote:
> All,
> 
> I'm aware of various techniques to allow Tomcat to serve from port
> 80 without using root, but I've never actually tried using them
> before.
> 
> I'm trying to use iptables on a bare-metal Linux server running
> kernel 3.2 and I'm having no luck.
> 
> I've already got iptables doing other things for me, but adding
> this should not be interfering.
> 
> Here's what I've done (following [1]):
> 
> 
> $ sudo /sbin/iptables -I FORWARD -p tcp \
>   --destination-port 443 -j ACCEPT
> $ sudo /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp \
>   --destination-port 443 --to-ports 8443
> 
> So here are my tables, now:
> 
> $ sudo iptables-save | grep "\(FORWARD\|PREROUTING\)"
> :PREROUTING ACCEPT [10:1392]
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
> :FORWARD ACCEPT [0:0]
> -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
> -A FORWARD -j LOG
> 
> $ telnet localhost 8443
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> ^C
> Connection closed by foreign host.
> 
> (connects)
> 
> cschultz@europa:~$ telnet localhost 443
> Trying 127.0.0.1...
> telnet: Unable to connect to remote host: Connection refused
> 
> (fails)
> 
> Oddly enough, both ports 8443 and 443 are accessible from the
> outside:
> 
> elsewhere$ telnet myhost 8443
> Trying 204.9.143.102...
> Connected to europa.chadis.com.
> Escape character is '^]'.
> ^CConnection closed by foreign host.
> 
> elsewhere$ telnet myhost 443
> Trying 204.9.143.102...
> Connected to europa.chadis.com.
> Escape character is '^]'.
> ^CConnection closed by foreign host.
> 
> Do I need to do something different in order to allow "localhost"
> connections to be PREROUTED?
> 
> Thanks,
> -chris


Looks like PREROUTING is ignored for localhost connections... OUTPUT
must be used instead:

$ sudo iptables -t nat -I OUTPUT -p tcp -o lo \
  --dport 443 -j REDIRECT --to-ports 8443

I'm going to add this to the wiki, just in case anyone else is puzzled
as to why localhost doesn't work given the existing instructions.

-chris
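Taken together, the two posts give the complete recipe: a nat PREROUTING REDIRECT handles connections arriving from other hosts, and a nat OUTPUT REDIRECT handles connections the host makes to itself, because locally generated packets never traverse PREROUTING. The script below is an added example, not code from the thread or from the Tomcat wiki. It prints both rules for review and audits an iptables-save dump for whichever nat chain is missing the redirect, which is exactly the state the first post was in. The embedded dump is constructed to mirror that state (PREROUTING present, OUTPUT absent); the interface name lo, the FROM_PORT/TO_PORT variables and the --check flag are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate and audit the iptables rules
# that let an unprivileged Tomcat on 8443 answer on 443, for both the external
# path (nat PREROUTING) and the loopback path (nat OUTPUT).
#
# Assumptions not stated on the page: loopback interface is "lo", iptables and
# iptables-save are in $PATH, and ports may be overridden via FROM_PORT/TO_PORT.

FROM_PORT=${FROM_PORT:-443}
TO_PORT=${TO_PORT:-8443}

# redirect_rules FROM TO: print the two iptables commands that redirect FROM
# to TO. Printing instead of executing lets an operator review them and then
# apply them with `redirect_rules 443 8443 | sudo sh`.
redirect_rules() {
  from=$1; to=$2
  cat <<EOF
iptables -t nat -A PREROUTING -p tcp --dport $from -j REDIRECT --to-ports $to
iptables -t nat -A OUTPUT -o lo -p tcp --dport $from -j REDIRECT --to-ports $to
EOF
}

# missing_chains FROM TO: read an iptables-save dump on stdin and print the
# name of each nat chain (PREROUTING, OUTPUT) that lacks the FROM -> TO
# REDIRECT. Empty output means both paths are covered.
missing_chains() {
  from=$1; to=$2
  dump=$(cat)
  for chain in PREROUTING OUTPUT; do
    if ! printf '%s\n' "$dump" | grep -q -- \
        "^-A $chain .*-p tcp .*--dport $from .*-j REDIRECT --to-ports $to\$"; then
      echo "$chain"
    fi
  done
}

# Constructed iptables-save excerpt modelled on the first post: the redirect
# exists in PREROUTING only, so connections to localhost:443 are refused.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [10:1392]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -j LOG
COMMIT'

if [ "${1:-}" = "--check" ]; then
  # Audit the running host; iptables-save needs root.
  iptables-save | missing_chains "$FROM_PORT" "$TO_PORT"
else
  # Offline demonstration against the constructed dump: prints "OUTPUT".
  printf '%s\n' "$SAMPLE_DUMP" | missing_chains "$FROM_PORT" "$TO_PORT"
fi
```

Run with `--check` as root to audit a live host. The FORWARD ACCEPT rule from the first post is deliberately left out: the FORWARD chain only sees packets routed through the host on behalf of other machines, so it plays no part in reaching a service on the host itself.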
