[lug] iptables redirection

George Sexton gsexton at mhsoftware.com
Sun Jan 7 11:11:17 MST 2007



David L. Anselmi wrote:
> George Sexton wrote:
> [...]
>> So, any request that comes in for port 80 gets redirected to Tomcat 
>> on port 80. I run tomcat as a non-privileged user, so it won't bind 
>> to port 80?
>
> How much does that get you?  Supposing that a hack on tomcat would 
> lose all your application data and require a restore from backup, is 
> it really that much harder to restore everything?  Does the server run 
> tomcat as one user and another public service as another user such 
> that recovering one is much easier than recovering both?
This is a good point. I guess in my mind, it would be easier to subvert 
the operation, and lay low to use the machine if tomcat were running as 
root.
>
> Your approach may well be worth it but people tend to follow "best 
> practice" without understanding what it really buys them.  So when 
> their practice starts to cost they look for workarounds without 
> reconsidering the practice.
I'd really like to hear you make this argument about the whole <1024 
being privileged on the Linux Kernel list. The days of being able to 
trust something just because it came from a low port are LONG gone. The 
ONLY benefit of requiring root for ports less than 1024 is handling one 
small scenario: a bad guy can kill your app and start his own service 
running on the port. If you looked at the TONS of security breaches that 
have happened because of the 1024/root issue, they vastly outweigh it.

>> This is working really well. The fly in the ointment is that if I 
>> run some code:
>>
>> wget http://hostname.mhsoftware.com/SomeFile.html
>>
>> it doesn't work. Apparently, the way the request gets routed through 
>> the TCP/IP stack, my rule never gets hit. It appears to resolve that 
>> it's a local address, and submit the request through the LO interface.
>
> If you fix hostname.mhsoftware.com to resolve to the correct IP for 
> the correct interface it will go there instead of lo.  For example, I 
> can adjust my hosts file to go to lo, eth0, or the external interface 
> of my router (that NATs back to eth0).
>
> Perhaps if you resolve to eth0 on the box with the rules the traffic 
> won't hit the NAT table (it may hit the OUTGOING chain and then 
> INCOMING immediately, you'd have to try it or look at the docs).
This is the problem. It's bypassing the NAT chain.

-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/
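The redirect setup discussed above, extended with the nat/OUTPUT rule that catches requests the host makes to itself, as an added example (not code from either poster). The Tomcat listening port 8080 and the DRY_RUN helper are assumptions; the rules otherwise follow the thread.

```shell
# Added example, not from the thread. Tomcat is assumed to listen on an
# unprivileged port (8080 here); it never needs root to bind.
TOMCAT_PORT="${TOMCAT_PORT:-8080}"

# DRY_RUN=1 prints the iptables commands instead of executing them, so the
# rule set can be reviewed (or tested) on a box without root or iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

redirect_rules() {
    # Packets arriving from the network traverse nat/PREROUTING. This is
    # the rule the original poster already has; it works for remote clients.
    ipt -t nat -A PREROUTING -p tcp --dport 80 \
        -j REDIRECT --to-ports "$TOMCAT_PORT"

    # Packets generated on the host itself (wget to the box's own hostname)
    # never enter PREROUTING; they traverse nat/OUTPUT and leave via lo.
    # Without this rule they reach port 80 on lo, where nothing listens,
    # which is the "fly in the ointment" from the thread. Restricting it to
    # -o lo keeps the host's outbound port-80 traffic to other servers
    # untouched; without that match every local HTTP client would be
    # redirected into Tomcat too.
    ipt -t nat -A OUTPUT -o lo -p tcp --dport 80 \
        -j REDIRECT --to-ports "$TOMCAT_PORT"
}

# Packet counters on the nat chains show which chain a test request hit;
# after a local wget the OUTPUT rule's counter should increase, not
# PREROUTING's. Useful to confirm the fix rather than guess at it.
show_counters() {
    ipt -t nat -L PREROUTING -n -v
    ipt -t nat -L OUTPUT -n -v
}
```

Run with DRY_RUN=1 first to inspect the two rules, then as root without it to apply them.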



