Can iptables redirect traffic to localhost?
November 21, 2010 1:48 PM Subscribe
How can I make iptables redirect a tcp port to a server listening only to localhost (127.0.0.1)?
I'm using Centos 5.5 and I have a server that is ONLY listening to localhost (port 7777). I want to have iptables take all traffic bound to port 80 (on eth0) and redirect it to localhost port 7777.
I've seen a ton of example that show how to do this for Tomcat (which listens on port 8080 normally) but in those examples Tomcat is listening on eth0, not 'lo'. None of those examples seem to work specifically for my situation.
Has anyone out there got something like this to work?
thanks!
I'm using Centos 5.5 and I have a server that is ONLY listening to localhost (port 7777). I want to have iptables take all traffic bound to port 80 (on eth0) and redirect it to localhost port 7777.
I've seen a ton of example that show how to do this for Tomcat (which listens on port 8080 normally) but in those examples Tomcat is listening on eth0, not 'lo'. None of those examples seem to work specifically for my situation.
Has anyone out there got something like this to work?
thanks!
Response by poster: theNeutral: To be clear, this is iptables running on the same server that is running the server that is listening only on local host.
posted by cowmix at 2:04 PM on November 21, 2010
posted by cowmix at 2:04 PM on November 21, 2010
Here's an example, and I think you'll want 5.7 in your scenario:
http://linux-ip.net/html/nat-dnat.html.
Your search terms are "iptables dnat", btw.
Note that you'll probably need to turn on ipv4 forwarding in your kernel parameters, since you're going from one interface to another. Hmm, this should work:
http://www.cyberciti.biz/faq/rhel-centos-fedora-linux-ip-forwarding-tutorial/.
You can also do something like "echo 1 > /proc/sys/net/ipv4/ip_forward" but this won't survive reboot.
Depending on what you're really doing, you may also want to set up a web server to serve static content on 80 and forward dynamic requests to 7777 via some proxy method, but that's beyond the scope of your question.
posted by chengjih at 3:12 PM on November 21, 2010
http://linux-ip.net/html/nat-dnat.html.
Your search terms are "iptables dnat", btw.
Note that you'll probably need to turn on ipv4 forwarding in your kernel parameters, since you're going from one interface to another. Hmm, this should work:
http://www.cyberciti.biz/faq/rhel-centos-fedora-linux-ip-forwarding-tutorial/.
You can also do something like "echo 1 > /proc/sys/net/ipv4/ip_forward" but this won't survive reboot.
Depending on what you're really doing, you may also want to set up a web server to serve static content on 80 and forward dynamic requests to 7777 via some proxy method, but that's beyond the scope of your question.
posted by chengjih at 3:12 PM on November 21, 2010
Instead of iptables, could netcat do it? Something like "netcat -l 80 | netcat localhost 7777".
I only ask because I happened to stumble across the Netcat wikipedia page this week and your problem sounds somewhat like one of the nifty one-off solutions it lists.
posted by losvedir at 4:37 PM on November 21, 2010
I only ask because I happened to stumble across the Netcat wikipedia page this week and your problem sounds somewhat like one of the nifty one-off solutions it lists.
posted by losvedir at 4:37 PM on November 21, 2010
netcat will work, and it may be a useful check that things are working as you expect it to. But there are many ways to accomplish the same goals in unix, and using netcat has a sort of duct-taped feel to it. NAT via iptables is more like using nuts and bolts as your fastener. Using a reverse proxy to divide serving static content from dynamic content is more along the lines of high performance industrial welding. Duct tape may be appropriate in some cases, but it depends on what the original poster is doing.
posted by chengjih at 5:09 PM on November 21, 2010
posted by chengjih at 5:09 PM on November 21, 2010
I think you are looking for this.
You'll have to check the syntax, but something like:
But it would probably be easier to just tell the server to listen on eth0:7777
posted by gjc at 7:31 PM on November 21, 2010
You'll have to check the syntax, but something like:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 7777But it would probably be easier to just tell the server to listen on eth0:7777
posted by gjc at 7:31 PM on November 21, 2010
Netcat is not appropriate because it requires fork()ing and exec()ing two new processes for each connection, which is a lot of overhead for a server that handles a lot of connections. Most server daemons are written to use worker pools or other methods of concurrency to specifically avoid that penalty.
posted by Rhomboid at 1:12 AM on November 22, 2010
posted by Rhomboid at 1:12 AM on November 22, 2010
There are other redirection servers (eg. rinetd) that don't suffer from the same fork-heavy issues as netcat would here. The big downside they all have, other than being a bit duct-tapey, is that every connection the server sees will be coming from localhost - this makes your logs pretty much useless for a lot of things. Using dnat in iptables really is the correct solution.
posted by russm at 2:24 AM on November 22, 2010
posted by russm at 2:24 AM on November 22, 2010
« Older Help me find a soap dish (without having to sell... | New bowl for a KitchenAid food processor Newer »
This thread is closed to new comments.
posted by theNeutral at 1:58 PM on November 21, 2010