Internal port forwarding SuSE

 
 
Vincent van Beveren
Guest
Posts: n/a

 
      07-25-2006, 07:31 AM
Hi everyone,

I have a Linux box which has multiple IPs and I have the following two
IP table rules:

iptables -t nat -A PREROUTING -d 192.168.1.1 \
    -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -d 192.168.1.2 \
    -p tcp --dport 80 -j REDIRECT --to-port 8081

It has two separate DNS entries for these IPs. Now from the outside this
works perfectly, but locally it doesn't. How can I rewrite these rules
to also work locally?

Thanks in advance,
Vincent
 
 
 
 
 
Steve Maddison
Guest
Posts: n/a

 
      07-25-2006, 10:10 AM
Vincent van Beveren wrote:
> I have a Linux box which has multiple IPs and I have the following two
> IP table rules:
>
> iptables -t nat -A PREROUTING -d 192.168.1.1 \
>     -p tcp --dport 80 -j REDIRECT --to-port 8080
> iptables -t nat -A PREROUTING -d 192.168.1.2 \
>     -p tcp --dport 80 -j REDIRECT --to-port 8081
>
> It has two separate DNS entries for these IPs. Now from the outside this
> works perfectly, but locally it doesn't. How can I rewrite these rules
> to also work locally?


Hi Vincent,

I may be oversimplifying things here, but wouldn't it be easier to just
have your daemon (I take it it's a web server) listen on port 80 of the
two IP addresses you listed?

Just a thought,

Steve
 
 
Vincent van Beveren
Guest
Posts: n/a

 
      07-25-2006, 10:32 AM
Steve Maddison wrote:
> Vincent van Beveren wrote:
>>
>> iptables -t nat -A PREROUTING -d 192.168.1.1 \
>>     -p tcp --dport 80 -j REDIRECT --to-port 8080
>> iptables -t nat -A PREROUTING -d 192.168.1.2 \
>>     -p tcp --dport 80 -j REDIRECT --to-port 8081
>>
>> It has two separate DNS entries for these IPs. Now from the outside this
>> works perfectly, but locally it doesn't. How can I rewrite these rules
>> to also work locally?

> [...]
> I may be oversimplifying things here, but wouldn't it be easier to just
> have your daemon (I take it it's a web server) listen on port 80 of the
> two IP addresses you listed?
>


Hi Steve,

Thanks for your reply. It would be possible if the webserver (as you
assumed correctly) was running as root. But as far as I know I can't run
a process as someone other than root when the port assignment is below
1024 and for security reasons we don't want the daemon to run as root.

Vincent
 
 
Steve Maddison
Guest
Posts: n/a

 
      07-25-2006, 10:56 AM
Vincent van Beveren wrote:
> Thanks for your reply. It would be possible if the webserver (as you
> assumed correctly) was running as root. But as far as I know I can't run
> a process as someone other than root when the port assignment is below
> 1024 and for security reasons we don't want the daemon to run as root.


Most daemons these days start up as root then drop their privileges and
run as a different user. This way the process is able to open the
privileged port and yet does not (after initialisation) run as root. May
be something worth looking into before going any further with all that
NAT stuff.

--Steve
 
 
Vincent van Beveren
Guest
Posts: n/a

 
      07-25-2006, 11:23 AM
> Most daemons these days start up as root then drop their privileges and
> run as a different user. This way the process is able to open the
> privileged port and yet does not (after initialisation) run as root. May
> be something worth looking into before going any further with all that
> NAT stuff.
>
> --Steve


Hi Steve,

Is that a feature the daemon itself should support, or is there a
command I should execute after starting the daemon? I haven't been able
to find anything on this subject.

Thanks,
Vincent
 
 
Steve Maddison
Guest
Posts: n/a

 
      07-25-2006, 03:28 PM
Vincent van Beveren wrote:
> Is that a feature the daemon itself should support, or is there a
> command I should execute after starting the daemon? I haven't been able
> to find anything on this subject.


AFAIK it is something the daemon itself has to do. If it supports it,
you should find something in the docs. Otherwise browse through the
configuration file(s) and see if there's anything about users/groups in
there.

--Steve
 
 
Vincent van Beveren
Guest
Posts: n/a

 
      07-26-2006, 07:17 AM
>
> AFAIK it is something the daemon itself has to do. If it supports it,
> you should find something in the docs. Otherwise browse through the
> configuration file(s) and see if there's anything about users/groups in
> there.


I know this software almost inside out, and there is no such option.
Because it's a Java app, it'll be hard to invoke any native API to switch
the user. So, if nobody knows a command-line utility that might do the
trick I'll have to use the port redirect which still doesn't
function locally.

Thanks for your input so far though!
Vincent
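
Locally generated packets never traverse the nat PREROUTING chain; they go through nat OUTPUT, so the same REDIRECT has to be installed there as well. The script below is an added example, not part of any post in this thread. It generalises to a list of address:port mappings; `gen_nat_rules` and `MAPPINGS` are hypothetical names, and the addresses and ports are the ones from the thread.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset that redirects TCP port 80
# on each address to an unprivileged port for remote clients (PREROUTING)
# and for clients on the box itself (OUTPUT).
# Apply as root:  gen_nat_rules "$MAPPINGS" | iptables-restore --noflush

# address:target-port pairs, taken from the rules posted in the thread
MAPPINGS="192.168.1.1:8080
192.168.1.2:8081"

NL='
'

# gen_nat_rules "ip:port ..."  -> ruleset on stdout, or status 1 and no
# ruleset at all if any entry is malformed, so a typo cannot end up
# half-applied.
gen_nat_rules() {
    rules=""
    for m in $1; do
        ip=${m%%:*}
        port=${m##*:}
        # Coarse syntax checks: dotted digits for the address, digits for the port.
        case $ip in
            ''|*[!0-9.]*) echo "bad address in '$m'" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "bad port in '$m'" >&2; return 1 ;;
        esac
        # The point of the redirect is a daemon that does not run as root,
        # so the target must be an unprivileged port.
        if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
            echo "target port must be 1024-65535 in '$m'" >&2
            return 1
        fi
        # Same match and target in both chains: PREROUTING sees packets
        # arriving on an interface, OUTPUT sees packets created locally.
        for chain in PREROUTING OUTPUT; do
            rules="${rules}-A $chain -d $ip -p tcp --dport 80 -j REDIRECT --to-ports $port$NL"
        done
    done
    printf '*nat\n%sCOMMIT\n' "$rules"
}

gen_nat_rules "$MAPPINGS"
```

REDIRECT in the OUTPUT chain rewrites the destination to 127.0.0.1, so the daemon has to listen on the wildcard or loopback address for local connections to reach it. Ports 8080 and 8081 are unprivileged, which means any local account can bind them while the daemon is not running.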