First of all, I have to precise that I'm not a sysadmin, and you may not assume that the things as explained here are best way to handle the problem, or just that this is a correct one. This worked for me yesterday night, and I share my notes here so that I'll find this easier next time, and hoping that someone will find this useful and time saving.

The problem

Why whould you want to do port redirection?
If you want to put a web server on internet it would be great to have it run on standard http port (80), as many company proxies just refuse to connect on other ports. You can think to just configure tomcat's server.xml to run on port 80 instead of the default one, at 8080. Using unix, this would work only if you run tomcat as priviledged user (root) because of common users cannot bind port under 1024.
"What's the problem?" could you say, but - believe me - leving a server online with tomcat running with root priviledges can be a very bad idea.
So, resuming, the problem is:

  1. you would like to bind tomcat on http port
  2. you want to run tomcat with a restricted user, to avoid hackers to gain root privileges
  3. ...but restricted users cannot bind http port (1 & 2 are in conflict)

Possible Solutions

There may be many solutions to this problem. Searching the net I've found an article titled "Running JSP Through Apache with mod_jk2" explaining how to work around this limtation. There are three possibilities:

  1. Accessing Tomcat on Port 80 (running tomcat as root)
  2. Forwarding Incoming Port 80 requests to Port 8080 using iptables
  3. Using Apache to forward incoming requests on http port to tomcat on port 8080 (mod_jk2)
The first possibility is the root of my problem, not a solution :-). And also the mentioned article says that it's not a great idea. Using iptables (configuring unix firewall) could be a good solution. Also using apache can be good and I don't like to add useless software layers ("just forwarding" is useless, imho), as additional layers too often add complessity to systems. So I choosed to use iptables port forwarding.

Iptables howto

Being a windows user, and not knowing much about unix administration, the first thing I searched over the net was the command to be typed to do port forwarding. I ever didn't know anything about iptables.
After some tries I find this:

hal9000:~# iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
hal9000:~# iptables-save

I tried at command line and it worked: request on http port were forwarded to tomcat! So, iptables is the solution. But after a reboot those rules were lost: the problem now is "how to make those rules persistent thru reboots?". Before continuing the search over the net I tried "man iptables" then looking on my own hard disk I found a little howto in /usr/share/doc/iptables/README.Debian.gz.
Reading it (Chap "3. running iptables"), I've met a new utility: "The closest to standard is the ipmasq package". I like to do things close to standards.
Things to do now:

  1. prepare a "self-written or acquired scripts to run at system startup" into /etc/init.d
  2. use update-rc.d to update the SysV run level processes
I tried to run ipmasq and I got a "command not found" error. This is a problem for apt-get :-). I've installed ipmasq using the command "apt-get install ipmasq". After instal, the setup ask for some options and I just leaved the defaults. After an installation is always a good idea to run "mandb" command to update man databases.
Then I typed at command line:

hal9000:~# ipmasq -v
#: Interfaces found:
...ipmasq displayed lot of default settings here...

Good: ipmasq is there.
Now it's time for the scripts. To configure ipmasq you have to create a file <filename>.rul in /etc/ipmasq/rules path. Here's the mine:

hal9000:~# cat /etc/ipmasq/rules/F00chain.rul
#:
#: **********************************************************
#: *** FORWARD CHAIN ***
#: **********************************************************
#: $IPTABLES -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

Now we've to configure SysV init system to run ipmasq on startup. Taking example from /etc/init.d/skeleton file, I've written following script:

hal9000:/etc/init.d# cat /etc/init.d/ipmasq
#! /bin/sh
#
# ipmasq.init           Set up IP Masquerading for Debian systems
#

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="Firewall"
NAME=ipmasq
DAEMON=/usr/sbin/$NAME
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0

#
#       Function that starts the daemon/service.
#
d_start() {
    $DAEMON
}

case "$1" in
    start|restart|force-reload)
        echo -n "Starting $DESC: $NAME"
        d_start
        echo "."
        ;;
    stop)
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0

hal9000:/etc/init.d# chmod 755 /etc/init.d/ipmasq
        

Notice that you have to chmod 755 the file (as shown upon) as it needs to be executable.
Then we've to update SysV runlevels procedures with following command (and its output):

hal9000:/etc/init.d# update-rc.d ipmasq defaults 10
 Adding system startup for /etc/init.d/ipmasq ...
   /etc/rc0.d/K10ipmasq -> ../init.d/ipmasq
   /etc/rc1.d/K10ipmasq -> ../init.d/ipmasq
   /etc/rc6.d/K10ipmasq -> ../init.d/ipmasq
   /etc/rc2.d/S10ipmasq -> ../init.d/ipmasq
   /etc/rc3.d/S10ipmasq -> ../init.d/ipmasq
   /etc/rc4.d/S10ipmasq -> ../init.d/ipmasq
   /etc/rc5.d/S10ipmasq -> ../init.d/ipmasq

This command says to create links to /etc/init.d/ipmasq script for all runlevels at position 10: you see that created files contains "K10" and "S10" in their name, they are the startup and kill links for the service. Runlevels links are executing in order by their name, so 10 means that our script will be executed quite early.

We've done. At next reboot we should see "Starting Firewall: ipmasq" message before the login prompt. Now - if all went right - your firewall should forward http request to port 8080. And you can run tomcat on port 8080 with a restricted user, and access it from internet on standard http port.

...and now you know it :-)


7 Responses to “How to do port redirection with Debian (and doing so, securing Tomcat)”  

  1. 1 Joe Quinn

    Hi,

    I would like to use iptables to do a port forward on unix. Iptables isnt already installed on my unix machine. Using searches all i seem to be able to find are install instructions for linux. Where can i find install instructions for iptables for unix?

    Cheers,
    Joe.

  2. 2 Luigi

    it depends on which distribution you are using.

    on debian it should be:

    # apt-get install iptables

    check it out: Debian Package Managing Survival Guide.

    Otherwise you can download iptables source and install it from the sources as usual:

    ./config
    make
    make install

  3. 3 William

    Thank you so much for posting this. This made everything a lot easier. BTW, this page is the top Google result for ‘debian tomcat port 80′

  4. 4 Luigi

    Thanks for the news William. Google rocks!

  5. 5 yamabushitriste

    It works great, but in /etc/ipmasq/rules/F00chain.rul i had to modify the string:

    #: $IPTABLES -t nat -I PREROUTING -p tcp –dport 80 -j REDIRECT –to-port 8080

    with

    iptables -t nat -I PREROUTING -p tcp –dport 80 -j REDIRECT –to-port 8080

    :-)

    Anyway thanks a lot, simple and working.

  6. 6 Nathan Zadoks

    @Joe Quinn
    Iptables is a Linux thing – other unixes may offer something alike though.
    Although chances are you aren’t running UNIX, but a modern commercial unix offering or BSD.

  7. 7 Woccz

    Hi hal! I think there is another way – adding the iptables command to rc.local, so that it is executed every time the system boots. Your solution is, however, better. Thanks!

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>



Calendar

June 2005
M T W T F S S
    Jul »
 12345
6789101112
13141516171819
20212223242526
27282930  

Follow me

twitter flickr LinkedIn feed

Subscribe by email

Enter your email address:

Archives


Categories

Tag Cloud


Listening