I'm running iptables with the addition that it's possible for the apps to talk
on port 80.
This is the script I'm using:
#!/bin/sh
IPTABLES=/sbin/iptables
EXTERNAL_IP=<external IP>          # The IP address of the external interface of the firewall
EXTERNAL_INTERFACE=eth0            # The external interface, if using -i instead of -d
EXTERNAL_PORT=80                   # The port to be forwarded
EXTERNALSSL_PORT=443               # SSL: the port to be forwarded
INTERNAL_IP=192.168.0.1            # The IP address of the internal interface of the firewall (not used below)
INTERNAL_MACHINE_IP=127.0.0.1      # The IP address of the machine to be forwarded to
                                   # (127.0.0.1: Tomcat runs on the firewall host itself)
INTERNAL_MACHINE_PORT=8180         # The port to be forwarded to
INTERNALSSL_MACHINE_PORT=8280      # SSL: the port to be forwarded to

case "$1" in
start)
    echo -n "Starting IP Firewall and NAT..."
    echo "1" > /proc/sys/net/ipv4/ip_forward     # not required for REDIRECT/DNAT to a local port
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    # Clear old rules. Flush before deleting user chains (-X fails on a
    # chain that is still referenced), and flush the nat table as well,
    # otherwise every "start" appends a second copy of the rules below.
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z
    $IPTABLES -t nat -F
    # Add rules for translating ports: first incoming requests from the
    # external interface, then locally generated requests (needed for preview)
    $IPTABLES -t nat -A PREROUTING -p tcp --dport $EXTERNAL_PORT -i $EXTERNAL_INTERFACE \
        -j REDIRECT --to-port $INTERNAL_MACHINE_PORT
    $IPTABLES -t nat -A OUTPUT -p tcp -d $EXTERNAL_IP --dport $EXTERNAL_PORT \
        -j DNAT --to-destination $INTERNAL_MACHINE_IP:$INTERNAL_MACHINE_PORT
    $IPTABLES -t nat -A PREROUTING -p tcp --dport $EXTERNALSSL_PORT -i $EXTERNAL_INTERFACE \
        -j REDIRECT --to-port $INTERNALSSL_MACHINE_PORT
    $IPTABLES -t nat -A OUTPUT -p tcp -d $EXTERNAL_IP --dport $EXTERNALSSL_PORT \
        -j DNAT --to-destination $INTERNAL_MACHINE_IP:$INTERNALSSL_MACHINE_PORT
    echo "done."
    ;;
stop)
    echo -n "Stopping IP Firewall and NAT..."
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z
    $IPTABLES -t nat -F PREROUTING
    $IPTABLES -t nat -F OUTPUT
    echo "done."
    ;;
restart)
    echo -n "Restarting IP Firewall and NAT..."
    $0 stop > /dev/null
    sleep 1
    $0 start > /dev/null
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    ;;
esac
-----Original Message-----
From: Paul Singleton [EMAIL PROTECTED]
Date: Fri, 20 Oct 2006 01:22:30 +0200
To: Tomcat Users List [email protected]
Subject: Re: IPTABLES
> Christopher Schultz wrote:
>
> > Apache httpd is configured out of the box to start up as root, bind to
> > port 80 (or really any port), and then drop its privileges to the httpd
> > user. Without some really nasty code, Tomcat is unable to do the same
> > thing, so we're forced to do silly things like internal port forwarding,
> > etc.
>
> The "root-only-access-to-low-ports" policy of
> Linux is a legacy from the days when Unix systems
> were typically multi-user: it is a heavy-handed way
> of stopping the oiks from running unauthorised
> servers.
>
> In a secure server it is unnecessary, indeed
> counterproductive when it tempts us to run services
> as root, or to use tricksy workarounds.
>
> Linux should make this switch-offable (without
> having to recompile the kernel).
>
> The only problem I've found with standalone Tomcat
> plus iptables port forwarding (apart from the need
> to understand iptables :-)) is that web apps can't
> make requests to themselves at port 80, but have to
> use 8080 or whatever.
>
> Paul Singleton
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: [email protected]
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
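The script above solves the self-request problem Paul raises by DNAT-ing locally generated packets addressed to the box's external IP, but it has to know that IP, and it leaves Tomcat's connector ports reachable directly from outside, bypassing the redirect. The following is an added example, not the poster's script and not anything shipped with Tomcat. It assumes the same layout (eth0 as the external interface, Tomcat listening on 8180 for HTTP and 8280 for HTTPS) and makes three changes: it checks for each rule with -C before appending it, so repeated runs do not stack duplicates; it catches self-requests with an OUTPUT rule on the loopback interface (packets a local process sends to any of the host's own addresses leave via lo), so no external IP needs to be hard-coded; and it drops packets arriving on eth0 whose original destination port was the connector port, which leaves redirected traffic alone because conntrack still records its original port as 80 or 443. The script only prints the rules by default; "apply" pipes them to sh and needs root.

```shell
#!/bin/sh
# Added example: idempotent iptables rules that expose Tomcat's unprivileged
# connectors on 80/443, including requests the host makes to itself.
# Assumptions (not from the original post): external interface eth0,
# Tomcat on 8180 (HTTP) and 8280 (HTTPS). REDIRECT delivers to a local
# socket, so net.ipv4.ip_forward is not needed.

IPTABLES=${IPTABLES:-/sbin/iptables}
EXT_IF=${EXT_IF:-eth0}

# rule TABLE CHAIN "MATCH..." -> prints one line that checks for the rule
# (-C) and only appends it (-A) when it is missing, so re-running is safe.
rule() {
    table=$1; chain=$2; shift 2
    printf '%s -t %s -C %s %s 2>/dev/null || %s -t %s -A %s %s\n' \
        "$IPTABLES" "$table" "$chain" "$*" "$IPTABLES" "$table" "$chain" "$*"
}

# forward_port EXTPORT INTPORT -> three rules for one port pair.
forward_port() {
    ext=$1; int=$2
    # 1. Requests from the outside world: rewrite the port before routing.
    rule nat PREROUTING "-i $EXT_IF -p tcp --dport $ext -j REDIRECT --to-ports $int"
    # 2. Requests this host makes to its own addresses are routed out over
    #    lo, so a web app calling http://<own name>/ on port $ext lands on
    #    Tomcat without the script knowing the external IP.
    rule nat OUTPUT "-o lo -p tcp --dport $ext -j REDIRECT --to-ports $int"
    # 3. Refuse direct connections to the connector port from outside.
    #    Redirected packets keep their original destination port ($ext) in
    #    conntrack, so they do not match this rule and are still accepted.
    rule filter INPUT "-i $EXT_IF -p tcp -m conntrack --ctorigdstport $int -j DROP"
}

# generate -> the complete rule set on stdout, one shell command per line.
generate() {
    echo "sysctl -w net.ipv4.tcp_syncookies=1"
    forward_port 80 8180
    forward_port 443 8280
}

case "${1:-print}" in
    print) generate ;;
    apply) generate | sh ;;          # run as root to install the rules
    *) echo "Usage: $0 {print|apply}" >&2; exit 1 ;;
esac
```

To verify after applying, `iptables -t nat -L PREROUTING -n` should list the two REDIRECT rules once, no matter how many times the script has been run, and a second connection attempt from another host straight to port 8180 should time out while port 80 still answers.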