All,

On 12/4/16 3:30 PM, Christopher Schultz wrote:
> All,
>
> I'm aware of various techniques to allow Tomcat to serve from port
> 80 without using root, but I've never actually tried using them
> before.
>
> I'm trying to use iptables on a bare-metal Linux server running
> kernel 3.2 and I'm having no luck.
>
> I've already got iptables doing other things for me, but adding
> this should not be interfering.
>
> Here's what I've done (following [1]):
>
> $ sudo /sbin/iptables -I FORWARD -p tcp \
>     --destination-port 443 -j ACCEPT
> $ sudo /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp \
>     --destination-port 443 --to-ports 8443
>
> So here are my tables, now:
>
> $ sudo iptables-save | grep "\(FORWARD\|PREROUTING\)"
> :PREROUTING ACCEPT [10:1392]
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
> :FORWARD ACCEPT [0:0]
> -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
> -A FORWARD -j LOG
>
> $ telnet localhost 8443
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> ^C
> Connection closed by foreign host.
>
> (connects)
>
> cschultz@europa:~$ telnet localhost 443
> Trying 127.0.0.1...
> telnet: Unable to connect to remote host: Connection refused
>
> (fails)
>
> Oddly enough, both ports 8443 and 443 are accessible from the
> outside:
>
> elsewhere$ telnet myhost 8443
> Trying 204.9.143.102...
> Connected to europa.chadis.com.
> Escape character is '^]'.
> ^CConnection closed by foreign host.
>
> elsewhere$ telnet myhost 443
> Trying 204.9.143.102...
> Connected to europa.chadis.com.
> Escape character is '^]'.
> ^CConnection closed by foreign host.
>
> Do I need to do something different in order to allow "localhost"
> connections to be PREROUTED?
>
> Thanks,
> -chris

Looks like PREROUTING is ignored for localhost connections...
OUTPUT must be used instead:

$ sudo iptables -t nat -I OUTPUT -p tcp -o lo \
    --dport 443 -j REDIRECT --to-ports 8443

I'm going to add this to the wiki, just in case anyone else is puzzled
as to why localhost doesn't work given the existing instructions.

-chris
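
Added example (not part of the original message or the Tomcat wiki): a check over iptables-save output that reports when a port is redirected in nat PREROUTING but not in nat OUTPUT, which is the gap described in the thread above. The function names and both rule sets are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: nat table after the original instructions only.
SAMPLE_BEFORE='*nat
:PREROUTING ACCEPT [10:1392]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT'

# Constructed sample: same table after adding the OUTPUT rule from the reply.
SAMPLE_AFTER='*nat
:PREROUTING ACCEPT [10:1392]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT'

# redirect_target CHAIN PORT (hypothetical helper): reads iptables-save text
# on stdin, prints --to-ports of the first REDIRECT rule in CHAIN for PORT.
redirect_target() {
    awk -v chain="$1" -v port="$2" '
        $1 == "-A" && $2 == chain {
            dport = ""; target = ""; to = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport")    dport  = $(i + 1)
                if ($i == "-j")         target = $(i + 1)
                if ($i == "--to-ports") to     = $(i + 1)
            }
            if (dport == port && target == "REDIRECT") { print to; exit }
        }'
}

# check_redirect PORT RULES (hypothetical helper): says which traffic paths
# are redirected: external (PREROUTING), local (OUTPUT), both, or neither.
check_redirect() {
    ext=$(printf '%s\n' "$2" | redirect_target PREROUTING "$1")
    loc=$(printf '%s\n' "$2" | redirect_target OUTPUT "$1")
    if [ -n "$ext" ] && [ "$ext" = "$loc" ]; then echo "ok"
    elif [ -n "$ext" ] && [ -z "$loc" ]; then echo "external-only"
    elif [ -z "$ext" ] && [ -n "$loc" ]; then echo "local-only"
    elif [ -z "$ext" ]; then echo "none"
    else echo "mismatch"; fi
}

check_redirect 443 "$SAMPLE_BEFORE"   # external-only
check_redirect 443 "$SAMPLE_AFTER"    # ok
```

On a live host, pass the real nat table instead of the samples, for example the output of `sudo iptables-save -t nat`.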