  1. #1
    Just Joined!
    Join Date
    Dec 2009
    Posts
    6

    Need help with IPTables


    Hi - I need some help configuring IPTables!
    I have a JSP webapp running on Tomcat 6 on Debian. I am using iptables to reroute all 8080 Tomcat requests to port 80.
    The problem I am having is that my application cannot access an external XML file on another server. However, when I turn iptables off, the application can access the XML file without any problems.
    The file I need to access is on 66.135.41.143.

    I have added a rule for the IP address to iptables via Webmin, but I still am not able to access the URL.


    I have 2 iptable config files:

    /etc/iptables.conf :

    Code:
    # Generated by iptables-save v1.4.2 on Wed Nov 18 16:36:16 2009
    *nat
    :PREROUTING ACCEPT [1:52]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    COMMIT
    # Completed on Wed Nov 18 16:36:16 2009
    # Generated by iptables-save v1.4.2 on Wed Nov 18 16:36:16 2009
    *filter
    :INPUT ACCEPT [189085:265879017]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [102841:7698587]
    COMMIT
    # Completed on Wed Nov 18 16:36:16 2009
    AND

    /etc/iptables.up.rules :

    Code:
    # Generated by iptables-save v1.4.2 on Tue Dec  1 11:02:55 2009
    *mangle
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A OUTPUT -d 66.135.41.143 -j ACCEPT
    -A INPUT -s 66.135.41.143 -j ACCEPT
    COMMIT
    # Completed on Tue Dec  1 11:02:55 2009
    # Generated by iptables-save v1.4.2 on Tue Dec  1 11:02:55 2009
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -s 66.135.41.143 -j ACCEPT
    -A FORWARD -d 66.135.41.143 -j ACCEPT
    -A OUTPUT -d 66.135.41.143 -j ACCEPT
    COMMIT
    # Completed on Tue Dec  1 11:02:55 2009
    # Generated by iptables-save v1.4.2 on Tue Dec  1 11:02:55 2009
    *nat
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    -A PREROUTING -d 66.135.41.143 -j ACCEPT
    -A OUTPUT -d 66.135.41.143 -j ACCEPT
    -A PREROUTING -s 66.135.41.143 -j ACCEPT
    -A OUTPUT -s 66.135.41.143 -j ACCEPT
    COMMIT
    # Completed on Tue Dec  1 11:02:55 2009

    Thanks,
    Stephen.

  2. #2
    Just Joined!
    Join Date
    Dec 2009
    Posts
    6
    I have done some more testing and I have found that I cannot wget any files to this server either.
    I have even tested my webapp from other servers and it works perfectly.

    So this is definitely a problem on my Linux server, and I'm guessing it's a problem with iptables.

    Any ideas, guys?

  3. #3
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Hello, why are you using this line in your rules:

    Code:
    -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    This is your problem.

    Here is a TUTORIAL for some light reading on IPTABLES Setup.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  4. #4
    Just Joined!
    Join Date
    Dec 2009
    Posts
    6
    Thanks for the reply Lazydog.

    The reason I added those rules to the configs is so that I can run my JSP webapps on port 80 instead of port 8080 (on Tomcat). My clients have strict firewall rules, so I have to have this in there.

    Is there a way I could add a single priority rule to allow requests to this IP (66.135.41.143)? Or do you have any other genius ideas?

  5. #5
    Just Joined!
    Join Date
    Dec 2009
    Posts
    6
    Quote Originally Posted by Lazydog View Post
    Here is a TUTORIAL for some light reading on IPTABLES Setup.
    It seems my linux/networking knowledge is rather limited after having a look at this light reading.

  6. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Quote Originally Posted by stephen_meyer View Post
    It seems my linux/networking knowledge is rather limited after having a look at this light reading.
    Light reading I know it is not. For people that want to learn how it works and program/set up a firewall, this is a great tutorial.

    The reason why I stated that this line was your problem is because it is changing all port 80 traffic leaving your system to 8080, not just your Tomcat. You need to fine tune the firewall now. You need to add the IP address of the Tomcat server to the rule so that only that traffic is changed to 8080 and not everything, as you have now.

    For example;

    Code:
    -A OUTPUT -p tcp -m tcp -d <Tomcat IP> --dport 80 -j DNAT --to-destination <Tomcat IP>:8080
    Replace <Tomcat IP> with the IP address of that system. Then only traffic heading to that system is converted to 8080 and everything else stays at port 80, and you should be able to connect to external servers then.

    There is a lot more fine tuning you could do, like STATEFUL or CONNECTION tracking rules, which look at the state of the arriving packet.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
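Added example (not code from the thread or from either poster): a small Python model of first-match evaluation in the nat OUTPUT chain, fed the OUTPUT lines from /etc/iptables.up.rules and Robert's narrowed rule. It shows why a fetch to 66.135.41.143:80 is pulled onto local port 8080, why the ACCEPT rules appended after the REDIRECT are never consulted for port 80, and that an ACCEPT placed ahead of the REDIRECT (the "single priority rule" asked about in #4) would exempt that host. The Tomcat address 192.0.2.10 and the packet fields are constructed placeholders, and only the options used by these rules are modelled.

```python
import shlex
XML_HOST = "66.135.41.143"  # external server named in the thread
TOMCAT_IP = "192.0.2.10"    # constructed placeholder (RFC 5737) for the Debian/Tomcat box
# nat OUTPUT rules in the order /etc/iptables.up.rules lists them: REDIRECT first,
# so the ACCEPT rules appended after it are never reached for port 80 traffic.
POSTED_RULES = [
    "-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080",
    f"-A OUTPUT -d {XML_HOST} -j ACCEPT",
    f"-A OUTPUT -s {XML_HOST} -j ACCEPT",
]
# Robert's narrowed rule: only traffic addressed to the Tomcat host is rewritten.
NARROW_RULES = [
    f"-A OUTPUT -p tcp -m tcp -d {TOMCAT_IP} --dport 80 -j DNAT --to-destination {TOMCAT_IP}:8080",
]

def parse_rule(line):
    """Map each option of an iptables-save rule line to its value (each takes one here)."""
    toks = shlex.split(line)
    return dict(zip(toks[0::2], toks[1::2]))

def matches(rule, pkt):
    """Protocol, source, destination and dport matches; an absent option matches anything."""
    return (rule.get("-p", pkt["proto"]) == pkt["proto"]
            and rule.get("-s", pkt["src"]) == pkt["src"]
            and rule.get("-d", pkt["dst"]) == pkt["dst"]
            and int(rule.get("--dport", pkt["dport"])) == pkt["dport"])

def nat_output(rules, pkt):
    """(dst, dport) a locally generated packet leaves with: the first terminating
    target wins, and the chain policy ACCEPT (unchanged) applies if nothing matches."""
    for rule in (parse_rule(r) for r in rules):
        if rule.get("-A") != "OUTPUT" or not matches(rule, pkt):
            continue
        if rule["-j"] == "REDIRECT":  # in OUTPUT, REDIRECT points the packet at localhost
            return "127.0.0.1", int(rule["--to-ports"])
        if rule["-j"] == "DNAT":
            host, port = rule["--to-destination"].rsplit(":", 1)
            return host, int(port)
        if rule["-j"] == "ACCEPT":    # stop traversal, leave the packet alone
            break
    return pkt["dst"], pkt["dport"]

def packet(dst, dport, src=TOMCAT_IP, proto="tcp"):
    """Constructed sample packet leaving the Debian box, e.g. the webapp fetching the XML."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}

if __name__ == "__main__":
    for name, rules in ("posted", POSTED_RULES), ("narrow", NARROW_RULES):
        print(f"{name}: fetch {XML_HOST}:80 ->", nat_output(rules, packet(XML_HOST, 80)))
        print(f"{name}: local {TOMCAT_IP}:80 ->", nat_output(rules, packet(TOMCAT_IP, 80)))
```

Swapping the order of the first two posted rules in the list shows the exemption taking effect, which is what `iptables -t nat -I OUTPUT ...` rather than `-A` would do on the real box.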
