From: <ber...@em...> - 2006-04-11 14:18:29
Hello Chris,
The rule number as argument to -I is optional. If the rule number is not
specified, the new rule is added at the head of the chain.
But you are right and I should explain my problem in detail.
I have this network/interface layout:
==============================================================
$ cat /etc/network/interfaces
### etherconf DEBCONF AREA. DO NOT EDIT THIS AREA OR INSERT TEXT BEFORE IT.
auto lo
iface lo inet loopback
mapping hotplug
script grep
map eth0
auto eth0
iface eth0 inet static
address 192.168.255.25
netmask 255.255.255.0
gateway 192.168.255.253
### END OF DEBCONF AREA. PLACE YOUR EDITS BELOW; THEY WILL BE PRESERVED.
auto eth0:1
iface eth0:1 inet static
address 192.168.255.81
netmask 255.255.255.0
gateway 192.168.255.253
==============================================================
As you see I have one interface with a second, virtual IP.
When I now start jetty and let my HttpListener use all interfaces (no call
to setHost()) with port 8080, then the rule
iptables -t nat -I PREROUTING -p tcp --dst 192.168.255.81 --dport 80 -j REDIRECT --to-port 8080
works fine. From a second machine I can make requests against the second,
virtual IP (192.168.255.81) and port 80 and these calls are redirected by
iptables to port 8080.
When I now modify my jetty.xml to have a line like
<Set name="Host">192.168.255.81</Set>
to configure the HttpListener to bind itself only to the second, virtual
IP, then the unmodified redirect no longer works. When I now make requests
from another machine to the second, virtual IP (192.168.255.81) and port 80,
the requests are no longer redirected. The web browser fails with an error
message like "unable to connect". Nevertheless, making a request to the
second, virtual IP (192.168.255.81) and port 8080 still works, which is
proof that the jetty configuration works fine.
The bad news is that a second web server is running on the machine and is
bound to the first IP. So I have to restrict jetty to the second IP.
I hope you or someone else can help me here…
Thanks in advance,
Bernd
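One way to express the redirect so that it still reaches a listener bound only to the aliased address, as an added example that is not from the thread or from any of its participants. It uses DNAT instead of REDIRECT: REDIRECT rewrites the destination to the primary address of the incoming interface (192.168.255.25 on eth0 in the layout above), so a socket bound only to 192.168.255.81 never sees the redirected packets, which matches the failure described. It also adds a rule in the nat OUTPUT chain for locally generated packets, which never pass PREROUTING. The wrapper variable IPT and the function names nat_rules and show_nat are assumptions for this example; with IPT=echo the script prints the rules instead of loading them, so it can be checked without root.

```shell
#!/bin/sh
# Added example, not from the thread: NAT rules that send port 80 for one aliased
# address to a listener on port 8080 on that same address, leaving the primary
# address (192.168.255.25) untouched. Assumed names: IPT (command wrapper),
# nat_rules, show_nat. Run with IPT=echo to print the rules instead of loading them.

IPT="${IPT:-iptables}"

# Install the two DNAT rules for address $1, target port $2.
# DNAT rather than REDIRECT: REDIRECT rewrites the destination to the primary
# address of the incoming interface, so a listener bound only to the alias never
# receives the redirected packets. DNAT to "$vip:$port" keeps the address.
# Matching on "-d $vip" (not "-i eth0:1") selects the alias: netfilter only
# knows the real device eth0, so "-i eth0:1" cannot tell the two addresses apart.
nat_rules() {
    vip="$1"
    port="$2"
    # Packets arriving from other hosts pass PREROUTING.
    "$IPT" -t nat -A PREROUTING -p tcp -d "$vip" --dport 80 \
        -j DNAT --to-destination "$vip:$port"
    # Locally generated packets (a test from the same machine) never pass
    # PREROUTING; they are handled in the nat OUTPUT chain instead.
    "$IPT" -t nat -A OUTPUT -p tcp -d "$vip" --dport 80 \
        -j DNAT --to-destination "$vip:$port"
}

# List the nat chains with packet counters, so one can see whether a rule
# matched at all after a test request (counters are the first two columns).
show_nat() {
    "$IPT" -t nat -L PREROUTING -n -v --line-numbers
    "$IPT" -t nat -L OUTPUT -n -v --line-numbers
}

# Usage: sh redirect.sh 192.168.255.81 8080   (or: IPT=echo sh redirect.sh 192.168.255.81 8080)
if [ "$#" -eq 2 ]; then
    nat_rules "$1" "$2"
    show_nat
fi
```

Because the match is on the destination address rather than the interface, requests to 192.168.255.25:80 are left alone for the other web server; the packet counters shown by show_nat are the quickest way to tell whether a rule was consulted at all.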
-----Original Message-----
From: jet...@li...
[mailto:jet...@li...] On Behalf Of Chris Haynes
Sent: Saturday, 8 April 2006 00:38
To: jet...@li...
Subject: Re: [jetty-discuss] Change Jetty default port and two IP addresses
Hi again Bernd,
I'm no ipchains expert, but the following may help:
1) You have a syntax error. The -I (insert) command is required to have a
numeric parameter - the specific position in the chain in which you want the
rule inserted. You don't have any such parameter. Rather than add one, I
suggest you use -A instead, which just appends the rule to the current chain
- that should be enough in your case.
2) I don't think you need two rules, and I'm not sure that mixing '--dest'
and '-i' is assisting with clarity.
I would try the following single rule:
-t nat -A PREROUTING -p tcp -i ! eth0 --dport 80 -j REDIRECT --to-port 8080
The key point here is the triplet '-i ! eth0'
The '!' declares that this redirection rule is _not_ to be applied if the
interface is eth0 - which is pretty much what your free-text requirement
below says.
I can't test this myself, but I hope it helps you make progress.
If you have to come back here again, please be more specific than saying
'without success'. Do you mean no redirection at all happened, that too much
redirection happened, that it happened to the wrong ports, etc. Also, use of
the -v (verbose) flag in the rule and a copy of the resulting print-out
would help enormously.
HTH
Chris Haynes
"Bernd Wellhöfer" replied:
Hello Chris,
Thx for your response. Yes I tried the request from another machine...
Cheers,
Bernd
-----Original Message-----
From: jet...@li...
[mailto:jet...@li...] On Behalf Of Chris Haynes
Sent: Friday, 7 April 2006 21:39
To: jet...@li...
Subject: Re: [jetty-discuss] Change Jetty default port and two IP addresses
I've not inspected your rules in detail, but can I just make one
observation, which might help.
Are you aware that this port redirection does not apply to packets sourced
from your own machine?
In other words, to test whether or not it is working you must try from a
client on a different machine.
I wasted hours wondering why my rules didn't appear to be working until I
found this out!
HTH
Chris Haynes
"Bernhard Wellhöfer" asked:
> Hello,
>
> my Linux machine has one physical interface eth0 and additionally one
> logical interface eth0:1 :
>
> linux-develop:/usr/share/doc/ifupdown/examples# ifconfig -a
> eth0 Link encap:Ethernet HWaddr 00:50:BA:EE:B4:35
> inet addr:192.168.255.25 Bcast:192.168.255.255
> Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:34819 errors:0 dropped:0 overruns:0 frame:0
> TX packets:33864 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:5948119 (5.6 MiB) TX bytes:3104279 (2.9 MiB)
> Interrupt:10 Base address:0xb400
>
> eth0:1 Link encap:Ethernet HWaddr 00:50:BA:EE:B4:35
> inet addr:192.168.255.81 Bcast:192.168.255.255
> Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> Interrupt:10 Base address:0xb400
>
>
> Jetty binds itself to port 8080 for the logical interface eth0:1 and
> I now want to add the right iptables rule to redirect port 80 to port
> 8080 for eth0:1. It is important that port 80 for eth0 is not redirected.
>
> What is the correct rule here? I tried
>
> /sbin/iptables -t nat -I PREROUTING -p tcp --dst 192.168.255.81
> --dport 80 -j REDIRECT --to-port 8080
>
> and
>
> /sbin/iptables -t nat -I PREROUTING -p tcp -i eth0:1 --dport 80 -j
> REDIRECT --to-port 8080
>
> but without success.
>
> Who can help me here?
>
> Thanks in advance,
>
> Bernd
_______________________________________________
jetty-discuss mailing list
jet...@li...
https://lists.sourceforge.net/lists/listinfo/jetty-discuss