[lug] iptables redirection
Hugh Brown
hugh at math.byu.edu
Sat Jan 6 18:59:18 MST 2007
George Sexton wrote:
> I'm having some problems with IPTABLES and thought maybe someone would
> have some insight.
>
> I'm running Apache Tomcat on a high port (say 8080). I have rules:
>
> iptables -t nat -A PREROUTING -p tcp -i $WAN_IF --dport 80 -j REDIRECT --to-port 8080
> iptables -t nat -A PREROUTING -p tcp -i lo --dport 80 -j REDIRECT --to-port 8080
>
> So, any request that comes in for port 80 gets redirected to Tomcat on
> port 80. I run tomcat as a non-privileged user, so it won't bind to port
> 80?
>
> This is working really well. The fly in the ointment is that if I run
> some code:
>
> wget http://hostname.mhsoftware.com/SomeFile.html
>
> it doesn't work. Apparently, the way the request gets routed through the
> TCP/IP stack, my rule never gets hit. It appears to resolve that it's a
> local address, and submit the request through the LO interface. Changing
> the code to transparently use the actual real port number would be
> really unpleasant and my last choice.
>
> Does anyone know of a way around this?
>
> Alternatively, does anyone understand capabilities enough that I could
> just get Tomcat to run directly on port 80?
>
> Please don't suggest Apache/mod_jk. I'm running over two hundred virtual
> hosts per machine, and the overhead of configuration would just be
> ridiculous.
>
I thought that with tomcat 5 there was a jsvc wrapper that would allow
you to bind on port 80 and then drop privileges (this is vague memories
of reading some brief documentation).
Would the overhead of Apache/mod_jk be less than changing the code?
With tomcat 4, I believe apache/mod_jk is the approach people use for
allowing tomcat to run unprivileged while still retaining the benefit of
running on privileged ports.
Hugh
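The behaviour George describes follows from how netfilter is organised: packets arriving on an interface traverse the nat PREROUTING chain, but packets generated on the host itself (the local wget) skip PREROUTING and go through the nat OUTPUT chain instead, so a PREROUTING rule on lo can never match them. The script below is an added example written for this thread, not something either poster supplied; it assumes an external interface name in WAN_IF (defaulting to eth0) and Tomcat on port 8080, and it keeps the original PREROUTING rule for inbound traffic while adding the OUTPUT-chain rule that covers loopback connections. DRY_RUN=1 prints the commands instead of applying them, which is also what the check function uses.

```sh
#!/bin/sh
# Added example: redirect TCP/80 to an unprivileged Tomcat port for both
# inbound connections and connections the host makes to itself.
# Assumptions (not from the thread): WAN_IF names the external interface,
# TOMCAT_PORT is where Tomcat listens, DRY_RUN=1 echoes instead of applying.

WAN_IF="${WAN_IF:-eth0}"
TOMCAT_PORT="${TOMCAT_PORT:-8080}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

install_redirect_rules() {
    # Inbound from the WAN: these packets traverse nat PREROUTING.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$TOMCAT_PORT"
    # Locally generated packets (wget to the host's own name) never see
    # PREROUTING; they are routed out via lo and hit nat OUTPUT instead.
    # Matching -o lo limits the rewrite to local destinations, so the box
    # can still reach real web servers on port 80.
    run iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 \
        -j REDIRECT --to-ports "$TOMCAT_PORT"
}

# Returns 0 when the generated rule set contains the OUTPUT-chain redirect
# that loopback connections require; used as a sanity check before applying.
covers_loopback() {
    (DRY_RUN=1; install_redirect_rules) | grep -q -- '-t nat -A OUTPUT -o lo'
}

# Stand-alone usage: preview with DRY_RUN=1, then run as root without it.
if [ "${0##*/}" != "sh" ] && [ "$DRY_RUN" = "1" ]; then
    install_redirect_rules
fi
```

Because REDIRECT rewrites the destination to the primary address of the interface the packet leaves on, Tomcat still sees the connection arrive on its own port, and the application code can keep using http://hostname/ unchanged. When verifying, list the table with `iptables -t nat -L -n -v` and watch the OUTPUT rule's packet counter climb while running the local wget.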