> Only for port redirection you don't need to buy any hardware.
> If you are running tomcat inside a linux box, you can configure iptables
> to do the port redirection. Everything via software, no hardware.
>
> Vitor

You are absolutely correct.  In fact, I've abandoned JSVC precisely because
I can do this.  This is great because not only do you not need the extra JSVC,
but you don't need to start as root at all.

For example, here are the iptables rules I use under RH 9 to effect what
Vitor is saying:

(If you're using the /etc/rc.d/init.d/iptables script, this is the control
file for it -- of course, you could do this "manually" by simply putting the
command 'iptables' in front of these lines and assuming that your INPUT
chain jumps to the YOZONS-BPN-INPUT)

-A YOZONS-BPN-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A YOZONS-BPN-INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A YOZONS-BPN-INPUT -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A YOZONS-BPN-INPUT -p tcp -m tcp --dport 8443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

The above lines are assuming you block all access to your system except for
what you let in.  This allows the INPUT packets to come in on the standard
ports of 80 and 443 (only 443 if you need HTTPS) as well as the "tomcat"
ports of 8080 and 8443.

Then, using the NAT commands (on iptables table "-t nat") to do port
redirecting:

-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

This maps the production ports to the tomcat listening ports.

In your tomcat server.xml file, continue to use the 8080/8443 Connector
ports, and if you need 8080 to redirect to SSL, I'd suggest you redirect to
443 (the standard port).  You could have it redirect to 8443, but then the
8443 will appear in all your URLs and if your visitors have an egress
firewall, they likely won't be able to reach your system, so it looks like:

    <Connector port="8080"
               maxThreads="20" minSpareThreads="10" maxSpareThreads="10"
               enableLookups="false" redirectPort="443" acceptCount="100"
               debug="0" connectionTimeout="20000"
               disableUploadTimeout="true" maxPostSize="100000000" />


Good luck,
David
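The filter and NAT rules from David's mail, assembled into one generated iptables-restore file. This is an added example, not David's own script: the chain name YOZONS-BPN-INPUT and the 80/443 to 8080/8443 mapping come from the mail; the PORT_MAP variable, the function names and the extra nat OUTPUT rule for testing from the box itself are assumptions of this example.

```shell
#!/bin/sh
# Added example, not David's own script: builds an iptables-restore file that
# implements the 80->8080 and 443->8443 redirection from the mail. The chain
# name YOZONS-BPN-INPUT is taken from the mail; PORT_MAP, the function names
# and the nat OUTPUT rule for local testing are assumptions of this example.

CHAIN="YOZONS-BPN-INPUT"      # filter chain your INPUT chain already jumps to
PORT_MAP="80:8080 443:8443"   # "public:tomcat" pairs (assumed; edit to taste)

# Accept new TCP connections (SYN only, as in the mail) to one port.
filter_accept_rule() {
    printf '%s\n' "-A $CHAIN -p tcp -m tcp --dport $1 --tcp-flags SYN,RST,ACK SYN -j ACCEPT"
}

# Rewrite the destination port of traffic arriving from the network.
redirect_rule() {
    printf '%s\n' "-A PREROUTING -p tcp -m tcp --dport $1 -j REDIRECT --to-ports $2"
}

# Same rewrite for locally generated traffic: a curl run on the box itself
# never traverses PREROUTING, so without this a local test of port 80 fails.
local_redirect_rule() {
    printf '%s\n' "-A OUTPUT -o lo -p tcp -m tcp --dport $1 -j REDIRECT --to-ports $2"
}

# Emit the complete file: filter section first, then the nat section.
gen_rules() {
    echo '*filter'
    echo ":$CHAIN - [0:0]"
    for pair in $PORT_MAP; do
        filter_accept_rule "${pair%%:*}"   # public port (80, 443)
        filter_accept_rule "${pair##*:}"   # Tomcat port (8080, 8443)
    done
    echo 'COMMIT'
    echo '*nat'
    for pair in $PORT_MAP; do
        redirect_rule "${pair%%:*}" "${pair##*:}"
        local_redirect_rule "${pair%%:*}" "${pair##*:}"
    done
    echo 'COMMIT'
}

# --print shows the file; --apply (as root) loads it without flushing the
# other chains, then lists the nat PREROUTING chain so you can verify it.
case "${1:-}" in
    --print) gen_rules ;;
    --apply) gen_rules | iptables-restore --noflush \
             && iptables -t nat -L PREROUTING -n --line-numbers ;;
esac
```

Run it with --print to review the file and with --apply as root to load it; --noflush keeps the existing INPUT jump to the chain in place. One detail worth knowing when reading the filter section: nat PREROUTING is evaluated before filter INPUT, so a packet that arrived on port 80 reaches the filter chain already rewritten to port 8080. The 8080/8443 ACCEPT lines are therefore what admit the redirected traffic; the 80/443 lines are harmless and only matter for traffic no REDIRECT rule touches. Tomcat itself still binds only 8080/8443 and never needs root.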

