James,

On 1/7/20 7:22 PM, James H. H. Lampert wrote:
> On 1/7/20 4:17 PM, Christopher Schultz wrote:
>> iptables doesn't work on pipes, it works on packets. So you have
>> to redirect both incoming AND outgoing packets. That's why you
>> have the "output redirect" as well as the (more obvious) "input
>> redirect".
>
> Well, that just leaves me more puzzled than ever: why would our
> webapp (and Manager, for that matter) "work just fine" even though
> there's no sign of an output redirect in the iptables-save output
> (which I posted in its entirety)?

I have further confused you, because TCP packets+connections also have state, and I misspoke.

For UDP, you'd need the output redirect. The TCP stack knows where the packets from a particular connection came from, so responses along the same connection will go back the way they came (this is NAT).

I'm not sure under what circumstances you need an OUTPUT redirect. I seem to remember in my testing that I did indeed require the OUTPUT redirect for things to work properly, but I may be making that up. The slides mention that you "may need" those, and so I went ahead and put the commands into the slides to show how to do it, if necessary.

Actually, it's not INPUT and OUTPUT, it's PREROUTING and POSTROUTING. But those are basically the same concept for NAT as INPUT/OUTPUT are for the "filter" tables.

-chris
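
An added example, not part of the original message: a small checker that reads an `iptables-save` dump and reports which nat-table chains carry REDIRECT rules, which is the question the thread is circling. It relies on standard netfilter behaviour (packets arriving from the network traverse nat PREROUTING, connections opened by processes on the same host traverse nat OUTPUT); the dump and the ports 80/8080 are constructed for illustration and are not taken from the thread.

```python
import shlex

# Constructed sample of `iptables-save` output (ports 80/8080 are assumptions,
# not values from the thread): a PREROUTING redirect only, no OUTPUT rule.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
"""

def nat_redirects(dump):
    """Return [(chain, proto, dport, to_port)] for REDIRECT rules in the nat table."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # "*nat", "*filter", ... start a table section
            table = line[1:]
        elif table == "nat" and line.startswith("-A "):
            tok = shlex.split(line)
            # Pair each option with the token that follows it (negations are not handled).
            opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
            if opt.get("-j") == "REDIRECT":
                rules.append((opt["-A"], opt.get("-p"), opt.get("--dport"), opt.get("--to-ports")))
    return rules

def coverage(dump):
    """Which traffic origins are redirected: remote clients (PREROUTING), local processes (OUTPUT)."""
    chains = {rule[0] for rule in nat_redirects(dump)}
    return {"remote_clients": "PREROUTING" in chains, "local_processes": "OUTPUT" in chains}

if __name__ == "__main__":
    for rule in nat_redirects(SAMPLE):
        print(rule)
    print(coverage(SAMPLE))
```

With a PREROUTING rule alone, remote browsers reach the webapp on the public port while a client running on the server itself does not; replies need no rule of their own because connection tracking reverses the translation.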