[lug] iptables redirection
David L. Anselmi
anselmi at anselmi.us
Sat Jan 6 21:25:02 MST 2007
George Sexton wrote:
[...]
> So, any request that comes in for port 80 gets redirected to Tomcat on
> port 80. I run tomcat as a non-privileged user, so it won't bind to port
> 80?
How much does that get you? Supposing that a hack on tomcat would lose
all your application data and require a restore from backup, is it
really that much harder to restore everything? Does the server run
tomcat as one user and another public service as another user such that
recovering one is much easier than recovering both?
Your approach may well be worth it but people tend to follow "best
practice" without understanding what it really buys them. So when their
practice starts to cost they look for workarounds without reconsidering
the practice.
Not suggesting you're like other people, just curious about your risk
analysis.
> This is working really well. The fly in the ointment is that if I run
> some code:
>
> wget http://hostname.mhsoftware.com/SomeFile.html
>
> it doesn't work. Apparently, the way the request gets routed through the
> TCP/IP stack, my rule never gets hit. It appears to resolve that it's a
> local address, and submit the request through the LO interface.
If you fix hostname.mhsoftware.com to resolve to the correct IP for the
correct interface it will go there instead of lo. For example, I can
adjust my hosts file to go to lo, eth0, or the external interface of my
router (that NATs back to eth0).
Perhaps if you resolve to eth0 on the box with the rules the traffic
won't hit the NAT table (it may hit the OUTGOING chain and then
INCOMING immediately, you'd have to try it or look at the docs).
Dave
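Added example, not from the original thread: the two nat rules that cover both cases discussed above. Packets arriving from the network traverse the nat PREROUTING chain, while packets the host generates itself (the local wget) never do; they are routed out via lo and traverse the nat OUTPUT chain instead, so a REDIRECT rule is needed there as well. The port numbers (Tomcat on 8080, the public port 80) and the interface name eth0 are assumptions and can be overridden through environment variables. The script prints the commands by default and only executes them when APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not code from the original post). Generates the iptables nat
# rules for a daemon that runs unprivileged on a high port. Assumed values:
# Tomcat on 8080, public interface eth0; override via environment variables.
set -eu

PUBLIC_IF="${PUBLIC_IF:-eth0}"
LISTEN_PORT="${LISTEN_PORT:-80}"
APP_PORT="${APP_PORT:-8080}"

# Packets arriving on the public interface pass through nat PREROUTING.
prerouting_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$PUBLIC_IF" "$LISTEN_PORT" "$APP_PORT"
}

# Packets generated on the host itself (a local wget to the host's own name,
# whether it resolves to 127.0.0.1 or to the eth0 address) are routed out
# via lo and pass through nat OUTPUT, never PREROUTING. Without this rule
# the local request reaches port 80, where nothing is listening.
output_rule() {
    printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$LISTEN_PORT" "$APP_PORT"
}

# The full rule set, one command per line.
generate_rules() {
    prerouting_rule
    output_rule
}

# Dry run by default (prints the commands); APPLY=1 executes them as root.
apply_rules() {
    generate_rules | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            sh -c "$cmd"
        else
            echo "$cmd"
        fi
    done
}

# To verify after applying: list the nat OUTPUT chain with packet counters,
# make a local request, and confirm the REDIRECT rule's counter went up.
#   iptables -t nat -L OUTPUT -v -n
#   wget -O /dev/null http://<hostname>/SomeFile.html
#   iptables -t nat -L OUTPUT -v -n

apply_rules
```

Restricting the OUTPUT rule to `-o lo` keeps it from rewriting traffic the host sends to other machines on port 80; only connections to the host's own addresses are redirected. Connection tracking handles the reverse translation, so the local client sees replies coming from port 80 as expected.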