- 12-08-2009 #1 (Just Joined! Join Date: Dec 2009, Posts: 6)
Need help with IPTables
Hi - I need some help configuring IPTables!
I have a JSP webapp running on tomcat 6 on debian. I am using iptables to reroute all 8080 tomcat requests to port 80.
The problem I am having is that my application cannot access an external xml file on another server. However, when I turn iptables off the application can access the xml file without any problems.
The file i need to access is on 66.135.41.143.
I have added a rule for the IP address to iptables via webmin but I still am not able to access the URL.
I have 2 iptables config files:
/etc/iptables.conf :
Code:
# Generated by iptables-save v1.4.2 on Wed Nov 18 16:36:16 2009
*nat
:PREROUTING ACCEPT [1:52]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Wed Nov 18 16:36:16 2009
# Generated by iptables-save v1.4.2 on Wed Nov 18 16:36:16 2009
*filter
:INPUT ACCEPT [189085:265879017]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [102841:7698587]
COMMIT
# Completed on Wed Nov 18 16:36:16 2009
/etc/iptables.up.rules :
Code:
# Generated by iptables-save v1.4.2 on Tue Dec 1 11:02:55 2009
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -d 66.135.41.143 -j ACCEPT
-A INPUT -s 66.135.41.143 -j ACCEPT
COMMIT
# Completed on Tue Dec 1 11:02:55 2009
# Generated by iptables-save v1.4.2 on Tue Dec 1 11:02:55 2009
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 66.135.41.143 -j ACCEPT
-A FORWARD -d 66.135.41.143 -j ACCEPT
-A OUTPUT -d 66.135.41.143 -j ACCEPT
COMMIT
# Completed on Tue Dec 1 11:02:55 2009
# Generated by iptables-save v1.4.2 on Tue Dec 1 11:02:55 2009
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -d 66.135.41.143 -j ACCEPT
-A OUTPUT -d 66.135.41.143 -j ACCEPT
-A PREROUTING -s 66.135.41.143 -j ACCEPT
-A OUTPUT -s 66.135.41.143 -j ACCEPT
COMMIT
# Completed on Tue Dec 1 11:02:55 2009
Thanks,
Stephen.
- 12-08-2009 #2 (Just Joined! Join Date: Dec 2009, Posts: 6)
I have done some more testing and I have found that I cannot wget any files to this server either.
I have even tested my webapp from other servers and it works perfectly.
So this is definitely a problem on my linux server and I'm guessing it's a problem with iptables.
Any ideas guys?
- 12-08-2009 #3
Hello, why are you using this line in your rules:
Code:
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
This is your problem.
Here is a TUTORIAL for some light reading on IPTABLES Setup.
- 12-09-2009 #4 (Just Joined! Join Date: Dec 2009, Posts: 6)
Thanks for the reply Lazydog.
The reason I added those rules into the configs is so that I can run my jsp webapps on port 80 instead of port 8080 (on tomcat). My clients have strict firewall rules so I have to have this in there.
Is there a way I could add a single priority rule to allow requests to this IP - 66.135.41.143? Or do you have any other genius ideas?
- 12-09-2009 #5 (Just Joined! Join Date: Dec 2009, Posts: 6)
- 12-09-2009 #6
Light reading I know it is not. For people that want to learn how it works and program/setup a firewall this is a great tutorial.
The reason why I stated that this line was your problem is because it is changing all port 80 traffic leaving your system to 8080. Not just your Tomcat. You need to fine tune the firewall now. You need to add the ip address of the Tomcat server to the rule so that only that traffic is changed to 8080 and not everything as you have now.
For example:
Code:
-A OUTPUT -p tcp -m tcp -d <Tomcat IP> --dport 80 -j DNAT --to-destination <Tomcat IP>:8080
Replace <Tomcat IP> with the IP address of that system. Then only traffic heading to that system is converted to 8080, everything else stays at port 80, and you should be able to connect to external servers.
There is a lot more fine tuning you could do, like STATEFUL or CONNECTION tracking rules which look at the state of the packet arriving.
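A corrected rules file along the lines of Lazydog's suggestion, plus a small lint that flags the unscoped OUTPUT REDIRECT from the original post; this is an added example, not code from the thread or from either poster. It assumes the Tomcat host's own address is passed as an argument (192.0.2.10 in the usage comment is a placeholder) and uses REDIRECT scoped with -d instead of the DNAT form shown above.

```shell
#!/bin/sh
# Added example, not from the thread. write_rules prints an iptables-restore
# file in which only locally generated connections to the Tomcat host's own
# address are rewritten to 8080; lint_rules checks an existing file for the
# unscoped nat OUTPUT REDIRECT that rewrote *every* outbound port-80 connection
# (which is why wget and the XML fetch to 66.135.41.143 failed).
# Assumption: $1 is the address clients use to reach Tomcat (placeholder below).

# Print corrected rules for the given Tomcat address.
write_rules() {
    tomcat_ip="$1"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound from the network: clients connect to port 80, Tomcat listens on 8080.
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
# Locally generated traffic: only connections to this host itself are
# redirected, so outbound HTTP to 66.135.41.143:80 is left untouched.
-A OUTPUT -p tcp -m tcp -d ${tomcat_ip} --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The per-IP ACCEPT lines from the thread were no-ops: the filter policy is
# already ACCEPT, and the real cause was in the nat table above.
COMMIT
EOF
}

# Exit 1 if the file has a nat OUTPUT REDIRECT with no destination (-d) match.
lint_rules() {
    if grep -E '^-A OUTPUT .*-j REDIRECT' "$1" | grep -qv -- ' -d '; then
        echo "unscoped OUTPUT REDIRECT in $1: all outbound port-80 traffic is rewritten" >&2
        return 1
    fi
    return 0
}

# Usage: write_rules 192.0.2.10 > /etc/iptables.up.rules   (192.0.2.10 is a placeholder)
#        lint_rules /etc/iptables.up.rules
```

Load the generated file with iptables-restore and confirm the result with `iptables -t nat -L OUTPUT -v -n`, which should show the REDIRECT only for the Tomcat address.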