
Port Forwarding on Ubuntu without Apache Server

Joe Harry
Ranch Hand

Joined: Sep 26, 2006
Posts: 9629
    
    2

I have my Webapp running on Ubuntu VM and I would like to forward or make it such that a call to my domain (www.mydomain.com) is automatically forwarded to port 8080. Right now I have to do www.mydomain.com:8080 and I would like that to happen automatically instead of me typing 8080 every time. The VM does not have Apache server. Do I need it? Is there any other alternative to set this up?


SCJP 1.4, SCWCD 1.4 - Hints for you, Certified Scrum Master
Did a rm -R / to find out that I lost my entire Linux installation!
Maneesh Godbole
Saloon Keeper

Joined: Jul 26, 2007
Posts: 10535
    
    9

Are you running Tomcat? If yes check out http://www.coderanch.com/t/81669/Tomcat/remove-port-number-URL


Joe Harry

Maneesh Godbole wrote: Are you running Tomcat? If yes check out http://www.coderanch.com/t/81669/Tomcat/remove-port-number-URL


No. It is not Tomcat, but rather a Play framework that uses the Netty server.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16308
    
  22

The port number is not part of the DNS address returned by the DNS name resolver. That only gives an IP address. It is a convention hard-coded into web clients that when you send out a URL HTTP request without a specific port number in the URL, the targeted port will be port 80, just as an HTTPS request will target port 443.

Both of these ports are below the magic line at port 4096, meaning that only privileged (root) users can open and listen to them. That's a security vulnerability, so I don't recommend running Tomcat or for that matter most J2EE webapp servers wired directly on ports 80/443. To get around that you can either do port forwarding or use a proxy.

Apache is one popular proxy, because it allows a single point of service for both Java and non-Java web applications and because it has a wealth of plugins and features such as URL rewriting. It also makes a good load-balancing front-end.

Squid is also popular. Unlike Apache, it isn't intended to be a general container for webapps itself, but it's designed specifically to be a proxy server.

Other products are also capable of operating as proxies. Although actually, it's a rare Ubuntu server system that doesn't have Apache2 installed on it.


The other possibility is to use true port forwarding. This can be done at the router for handling requests coming in from outside the LAN. Or you can do it at the local level, either at the VM host or guest levels. The easiest way to do that is to simply set up an IPTABLES forwarding rule. Here's an example that not only does port translation, it routes to a designated VM at another IP address.



Customer surveys are for companies who didn't pay proper attention to begin with.
Joe Harry

I do have the possibility to install Apache server, but I'm very much limited on my RAM, so I would probably not install Apache. I will try if I can set IPTABLES rules on my VM host. I've never done that before. Could you please elaborate a bit on which file I should modify to set the IPTABLES configuration for port forwarding?
Tim Holloway

I just checked my production server and Apache processes were pulling 32M virtual, which is humongous compared to some systems I've run - including IBM mainframes - but not that much in an era where a single JVM needs over 100M.

Still, if you don't need that much flexibility, why go to the trouble.

I haven't dug into an Ubuntu system lately, but the Red Hat distros keep a persistent copy of the IPTABLES in /etc/sysconfig/iptables. Since networking is one of the places where configuration differs most between Debian's heirs and Red Hat's, I'd check to see if there's something under /etc/network - or look at the /etc/init.d/iptables initscript and see where the iptables save and load commands do their dump/restores.

The easiest way to modify IPTABLES is to simply manually insert the new rule into the running system. The "iptables -t nat -L --line-number -n" command can show you the current rules in effect and that will assist you in picking where to best insert the new rule. The "nat" tables may be empty, depending on what other things have been configured. Once you have the rule inserted and tested, you can do an "/etc/init.d/iptables save" to make it permanent.

Some systems are migrating to the Shorewall firewall. I'm moving one of mine, in fact. Shorewall makes a much more complicated firewall, but the advantage is that it's done using well-documented config files which make it more obvious what you're actually controlling. And allow you to comment the rules so you'll know WHY this weird IP address you have a rule for is there.

You may need to pair your NAT rule with a reverse-NAT rule. There are some good examples and instructions if you Google for them.
Joe Harry

Tim Holloway wrote: The "iptables -t nat -L --line-number -n" command can show you the current rules in effect and that will assist you in picking where to best insert the new rule. The "nat" tables may be empty, depending on what other things have been configured. Once you have the rule inserted and tested, you can do an "/etc/init.d/iptables save" to make it permanent.


That gave me the following output:


Frankly speaking, I do not understand a word of it. Could you infer something from that and help me further? My understanding is that I just have to do the following on my Ubuntu VM host to route all incoming requests to my domain to go to the landing page of my application:


Do I just run it?
Tim Holloway

Simplicity. There are 3 chains in the "nat" table: PREROUTING, POSTROUTING and OUTPUT. The PREROUTING chain processes incoming traffic before it goes to the main iptable's INPUT and FORWARD chains (depending on what's being routed). The POSTROUTING chain processes traffic after it has left the main iptable's OUTPUT chain right before it goes out through the Network Interface.

There is really good documentation on IPTABLES, including useful illustrations on traffic flow and I recommend it for anyone who wants to maintain a firewall or do network traffic routing and shaping. Their home is at netfilter.org, but one of the first places I like to go to get the "5-minute introduction" to new technologies is the Wikipedia.

Here's what a nat table with active chains looks like:


Don't expect to make too much sense of this, since part of what's in there was set up by my VM network manager, but if you'll look at the PREROUTING chain, you'll notice that I take all SMTP traffic headed to 216.199.14.29 and redirect it to an internal IP address and likewise the HTTP traffic for 216.199.14.17. That's because 10.0.0.2 is where my mailserver VM sits on the internal LAN and 10.0.0.6 is the VM that hosts www.mousetech.com.
Joe Harry

I tried running it: Here is what I get!

Tim Holloway

How did it work for you?

You actually defined a rule that takes EVERYTHING targeting tcp port 80 and sends it to localhost port 80 regardless of where it came from or where it's going to. You might want to narrow that down to something more specific for a destination IP address.

I'm not sure, but I think probably a "real" IP address would be better than the internal localhost IP also. Traffic on localhost tends to be handled a bit differently and there might even be security issues.
Joe Harry

You mean to say I just do the following:



How to remove the old entry?
Joe Harry

Did the following to remove the entry:

Tim Holloway

Well, assuming that you're simply redirecting from 80 to 8080 in the same machine, this would be better:


Otherwise, as I mentioned, you could end up redirecting stuff that may be intended to go somewhere else.
Tim Holloway

Remove unwanted entries using the line number displayed with the --line-number option of the "-L" (list) command:



Deletes rule #3 on the PREROUTING chain of the nat table.
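
Added example, not posted by anyone in this thread: a dry-run audit of the "iptables -t nat -L --line-number -n" listing that finds DNAT/REDIRECT rules whose destination is the catch-all 0.0.0.0/0 and prints the matching delete-by-line-number commands. The listing is constructed sample data using documentation addresses, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: nothing here changes the firewall, it only prints commands.

# Constructed sample of `iptables -t nat -L --line-number -n` output.
sample_listing() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            203.0.113.29         tcp dpt:25 to:10.0.0.2:25
2    DNAT       tcp  --  0.0.0.0/0            203.0.113.17         tcp dpt:80 to:10.0.0.6:80
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:127.0.0.1:80
4    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  10.0.0.0/24          0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
EOF
}

# Read a listing on stdin; print "CHAIN LINE" for every DNAT or REDIRECT rule
# whose destination column is 0.0.0.0/0, i.e. it rewrites traffic addressed to
# any host that passes through this machine.
find_catchall_nat_rules() {
  awk '
    $1 == "Chain" { chain = $2; next }
    $1 ~ /^[0-9]+$/ && ($2 == "DNAT" || $2 == "REDIRECT") && $6 == "0.0.0.0/0" {
      print chain, $1
    }'
}

# Turn the findings into delete commands, highest line number first within each
# chain: deleting a rule renumbers every rule after it.
delete_commands() {
  find_catchall_nat_rules | sort -k1,1 -k2,2nr |
    while read -r chain num; do
      printf 'iptables -t nat -D %s %s\n' "$chain" "$num"
    done
}

sample_listing | delete_commands   # review the output before running it as root
```

On a live host, pipe the real listing into delete_commands instead of sample_listing.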
Joe Harry

Is the --dest option --destination?

Just posting this for reference:

To add:


To Remove:

Joe Harry

That is strange now. I just started my web app and it says the following:


How did it manage to see 8 zeros?

The port forwarding still seems not to work! I still have to do www.mydomain.com:8080
Tim Holloway

That's an IPV6 address.

If this message is from your Java server, then you need to look at the JVM command-line options. Some JVMs came up in IPV6-only mode, but we're still mostly an IPV4 world.
Joe Harry

Tim Holloway wrote: That's an IPV6 address.

If this message is from your Java server, then you need to look at the JVM command-line options. Some JVMs came up in IPV6-only mode, but we're still mostly an IPV4 world.


Aha! But what has that got to do with port forwarding? Understanding this is like unraveling some mystery. I'm enjoying it!
Tim Holloway

Nothing, as such. You could also forward port 8080 on the IPV6 address, but unless there are other messages in the log, the server isn't listening to anything on the IPV4 port 8080, whether it's forwarded or not.
Joe Harry

I added _JAVA_OPTIONS to favor IpV4. I will upload my app shortly and let me see what happens this time!
Joe Harry

Java Options seem to work. This is what I did in my .bashrc file:



And when I start my play application server, I see the following which looks good:



But strangely still, I need to do www.mydomain.com:8080. Why is this? Any idea? Is there anything that I'm missing? Here is what the iptables show like:



I appreciate all your help!
Tim Holloway

Here's an alternate way to forward within an IP address:


You probably also need to open up port 80 in the main INPUT or FORWARD iptable (-j ACCEPT). I put a "-j LOG" rule in at the end of my chain to let me know when the firewall has blocked something.
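
Added example, not from anyone in this thread: a dry-run generator for the kind of rule set discussed above, a redirect scoped to one destination address plus an INPUT accept and a trailing LOG rule. The address 203.0.113.10, the log prefix and the function names are assumptions; the script only prints iptables commands and refuses a missing or 0.0.0.0 destination.

```shell
#!/bin/sh
# Added example: prints commands for review, never runs iptables itself.

# Dotted quad with each octet 0-255, and not the 0.0.0.0 wildcard.
valid_ipv4() {
  [ "$1" != "0.0.0.0" ] || return 1
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Decimal port number in the range 1-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# usage: redirect_rules DEST_IP PUBLIC_PORT APP_PORT
redirect_rules() {
  valid_ipv4 "$1" || { echo "refusing: need one concrete destination IPv4" >&2; return 1; }
  valid_port "$2" && valid_port "$3" || { echo "refusing: bad port" >&2; return 1; }
  # nat PREROUTING: rewrite only traffic addressed to this address and port,
  # so traffic meant for other hosts is left alone.
  echo "iptables -t nat -A PREROUTING -p tcp -d $1 --dport $2 -j REDIRECT --to-ports $3"
  # PREROUTING runs before the filter INPUT chain, so INPUT sees the packet
  # with the translated port. REDIRECT also rewrites the destination address
  # to the receiving interface's address, hence no -d match here.
  echo "iptables -I INPUT -p tcp --dport $3 -j ACCEPT"
  # Appended last: records whatever the earlier INPUT rules did not accept.
  echo "iptables -A INPUT -j LOG --log-prefix 'fw-unmatched: '"
}

redirect_rules 203.0.113.10 80 8080   # constructed address from the documentation range
```

Packets generated on the host itself do not pass through PREROUTING, so test the redirect from another machine.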
Joe Harry

I will try this tonight and post my findings! Thanks for that!
Joe Harry

Tim Holloway wrote:
You probably also need to open up port 80 in the main INPUT or FORWARD iptable (-j ACCEPT). I put a "-j LOG" rule in at the end of my chain to let me know when the firewall has blocked something.


How do I do this? Can you please elaborate?
Joe Harry

This is what I did and this is what I see now:


It still sort of fails. Should I restart my VM so that these changes take effect? I'm really helpless here. What I also noticed is that when I tried the following URL:

www.mydomain.com:80, I got a page not found, but the URL got redirected to www.mydomain.com. But when I tried www.mydomain.com:9000 or anything else, the url remained the same even after getting a page not found error.
Joe Harry

Strangely I went ahead and rebooted my system just to find that all my settings in the iptables are not there anymore. This is what I see after reboot!

Joe Harry

After fiddling around, finally... finally.... I was able to get this setup. I only need to add the following:



and bang it worked! Thank you very much Tim for all the help!
 