Port Forwarding on Ubuntu without Apache Server

 
Ranch Hand
I have my Webapp running on Ubuntu VM and I would like to forward or make it such that a call to my domain (www.mydomain.com) is automatically forwarded to port 8080. Right now I have to do www.mydomain.com:8080 and I would like that to happen automatically instead of me typing 8080 every time. The VM does not have Apache server. Do I need it? Is there any other alternative to set this up?
 
Bartender
Are you running Tomcat? If yes check out https://coderanch.com/t/81669/Tomcat/remove-port-number-URL
 
Joe San
Ranch Hand

Maneesh Godbole wrote: Are you running Tomcat? If yes check out https://coderanch.com/t/81669/Tomcat/remove-port-number-URL



No. It is not Tomcat, but rather a Play framework that uses the Netty server.
 
Saloon Keeper
The port number is not part of the DNS address returned by the DNS name resolver. That only gives an IP address. It is a convention hard-coded into web clients that when you send out a URL HTTP request without a specific port number in the URL, the targeted port will be port 80, just as an HTTPS request will target port 443.

Both of these ports are below the magic line at port 4096, meaning that only privileged (root) users can open and listen to them. That's a security vulnerability, so I don't recommend running Tomcat or for that matter most J2EE webapp servers wired directly on ports 80/443. To get around that you can either do port forwarding or use a proxy.

Apache is one popular proxy, because it allows a single point of service for both Java and non-Java web applications and because it has a wealth of plugins and features such as URL rewriting. It also makes a good load-balancing front-end.

Squid is also popular. Unlike Apache, it isn't intended to be a general container for webapps itself, but it's designed specifically to be a proxy server.

Other products are also capable of operating as proxies. Although actually, it's a rare Ubuntu server system that doesn't have Apache2 installed on it.


The other possibility is to use true port forwarding. This can be done at the router for handling requests coming in from outside the LAN. Or you can do it at the local level, either at the VM host or guest levels. The easiest way to do that is to simply set up an IPTABLES forwarding rule. Here's an example that not only does port translation, it routes to a designated VM at another IP address.

 
Joe San
Ranch Hand
I do have the possibility to install Apache server, but I'm very much limited on my RAM, so I would probably not install Apache. I will try if I can set IPTABLES rules on my VM host. I've never done that before. Could you please elaborate a bit on which file I should modify to set the IPTABLES configuration for port forwarding?
 
Tim Holloway
Saloon Keeper
I just checked my production server and Apache processes were pulling 32M virtual, which is humongous compared to some systems I've run - including IBM mainframes - but not that much in an era where a single JVM needs over 100M.

Still, if you don't need that much flexibility, why go to the trouble.

I haven't dug into an Ubuntu system lately, but the Red Hat distros keep a persistent copy of the IPTABLES in /etc/sysconfig/iptables. Since networking is one of the places where configuration differs most between Debian's heirs and Red Hat's, I'd check to see if there's something under /etc/network - or look at the /etc/init.d/iptables initscript and see where the iptables save and load commands do their dump/restores.

The easiest way to modify IPTABLES is to simply manually insert the new rule into the running system. The "iptables -t nat -L --line-number -n" command can show you the current rules in effect and that will assist you in picking where to best insert the new rule. The "nat" tables may be empty, depending on what other things have been configured. Once you have the rule inserted and tested, you can do an "/etc/init.d/iptables save" to make it permanent.

Some systems are migrating to the Shorewall firewall. I'm moving one of mine, in fact. Shorewall makes a much more complicated firewall, but the advantage is that it's done using well-documented config files which make it more obvious what you're actually controlling. And allow you to comment the rules so you'll know WHY this weird IP address you have a rule for is there.

You may need to pair your NAT rule with a reverse-NAT rule. There are some good examples and instructions if you Google for them.
 
Joe San
Ranch Hand

Tim Holloway wrote: The "iptables -t nat -L --line-number -n" command can show you the current rules in effect and that will assist you in picking where to best insert the new rule. The "nat" tables may be empty, depending on what other things have been configured. Once you have the rule inserted and tested, you can do an "/etc/init.d/iptables save" to make it permanent.



That gave me the following output:


Frankly speaking, I do not understand a word of it. Could you infer something from that and help me further? My understanding is that I just have to do the following on my Ubuntu VM host to route all incoming requests to my domain to go to the landing page of my application:


Do I just run it?
 
Tim Holloway
Saloon Keeper
Simplicity. There are 3 chains in the "nat" table: PREROUTING, POSTROUTING and OUTPUT. The PREROUTING chain processes incoming traffic before it goes to the main iptable's INPUT and FORWARD chains (depending on what's being routed). The POSTROUTING chain processes traffic after it has left the main iptable's OUTPUT chain right before it goes out through the Network Interface.

There is really good documentation on IPTABLES, including useful illustrations on traffic flow and I recommend it for anyone who wants to maintain a firewall or do network traffic routing and shaping. Their home is at netfilter.org, but one of the first places I like to go to get the "5-minute introduction" to new technologies is the Wikipedia.

Here's what a nat table with active chains looks like:


Don't expect to make too much sense of this, since part of what's in there was set up by my VM network manager, but if you'll look at the PREROUTING chain, you'll notice that I take all SMTP traffic headed to 216.199.14.29 and redirect it to an internal IP address and likewise the HTTP traffic for 216.199.14.17. That's because 10.0.0.2 is where my mailserver VM sits on the internal LAN and 10.0.0.6 is the VM that hosts www.mousetech.com.
 
Joe San
Ranch Hand
I tried running it: Here is what I get!

 
Tim Holloway
Saloon Keeper
How did it work for you?

You actually defined a rule that takes EVERYTHING targeting tcp port 80 and sends it to localhost port 80 regardless of where it came from or where it's going to. You might want to narrow that down to something more specific for a destination IP address.

I'm not sure, but I think probably a "real" IP address would be better than the internal localhost IP also. Traffic on localhost tends to be handled a bit differently and there might even be security issues.
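
An added example, not part of the original posts: a shell check over `iptables-save` output that flags nat PREROUTING rules which redirect traffic without matching on a destination address or inbound interface, the over-broad case described in the post above. The function name `audit_nat_rules` and the sample ruleset are constructed for illustration; 203.0.113.10 is a documentation address.

```shell
#!/bin/sh
# Flag nat-table PREROUTING rules that REDIRECT/DNAT traffic without
# restricting the destination address (-d) or inbound interface (-i).
# Input:  text in iptables-save format on stdin.
# Output: one line per NAT rule, prefixed "BROAD: " or "SCOPED: ".
audit_nat_rules() {
    awk '
        /^\*/          { table = substr($0, 2); next }  # table header line
        table != "nat" { next }                         # only the nat table
        $1 == "-A" && $2 == "PREROUTING" {
            target = ""; scoped = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-d" || $i == "--destination" || $i == "--dst" ||
                    $i == "-i" || $i == "--in-interface") scoped = 1
            }
            if (target == "REDIRECT" || target == "DNAT") {
                label = scoped ? "SCOPED: " : "BROAD: "
                print label $0
            }
        }
    '
}

# Constructed sample ruleset (not taken from the thread).
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.2:25
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
EOF
}

sample_rules | audit_nat_rules
```

On a live host the same function can be fed with `iptables-save | audit_nat_rules` (run as root); any `BROAD:` line is a rule worth narrowing with a destination address or interface match.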
 
Joe San
Ranch Hand
You mean to say I just do the following:



How to remove the old entry?
 
Joe San
Ranch Hand
Did the following to remove the entry:

 
Tim Holloway
Saloon Keeper
Well, assuming that you're simply redirecting from 80 to 8080 in the same machine, this would be better:


Otherwise, as I mentioned, you could end up redirecting stuff that may be intended to go somewhere else.
 
Tim Holloway
Saloon Keeper
Remove unwanted entries using the line number displayed with the --line-number option of the "-L" (list) command:



Deletes rule #3 on the PREROUTING chain of the nat table.
 
Joe San
Ranch Hand
Is the --dest option --destination?

Just posting this for reference:

To add:


To Remove:

 
Joe San
Ranch Hand
That is strange now. I just started my web app and it says the following:


How did it manage to see 8 zeros?

The port forwarding still seems not to work! I still have to do www.mydomain.com:8080
 
Tim Holloway
Saloon Keeper
That's an IPV6 address.

If this message is from your Java server, then you need to look at the JVM command-line options. Some JVMs came up in IPV6-only mode, but we're still mostly an IPV4 world.
 
Joe San
Ranch Hand

Tim Holloway wrote: That's an IPV6 address.

If this message is from your Java server, then you need to look at the JVM command-line options. Some JVMs came up in IPV6-only mode, but we're still mostly an IPV4 world.



Aha! But what has that got to do with port forwarding? Understanding this is like unraveling some mystery. I'm enjoying it!
 
Tim Holloway
Saloon Keeper
Nothing, as such. You could also forward port 8080 on the IPV6 address, but unless there are other messages in the log, the server isn't listening to anything on the IPV4 port 8080, whether it's forwarded or not.
 
Joe San
Ranch Hand
I added _JAVA_OPTIONS to favor IpV4. I will upload my app shortly and let me see what happens this time!
 
Joe San
Ranch Hand
Java Options seem to work. This is what I did in my .bashrc file:



And when I start my play application server, I see the following which looks good:



But strangely still, I need to do www.mydomain.com:8080. Why is this? Any idea? Is there anything that I'm missing? Here is what the iptables output looks like:



I appreciate all your help!
 
Tim Holloway
Saloon Keeper
Here's an alternate way to forward within an IP address:


You probably also need to open up port 80 in the main INPUT or FORWARD iptable (-j ACCEPT). I put a "-j LOG" rule in at the end of my chain to let me know when the firewall has blocked something.
 
Joe San
Ranch Hand
I will try this tonight and post my findings! Thanks for that!
 
Joe San
Ranch Hand

Tim Holloway wrote:
You probably also need to open up port 80 in the main INPUT or FORWARD iptable (-j ACCEPT). I put a "-j LOG" rule in at the end of my chain to let me know when the firewall has blocked something.



How do I do this? Can you please elaborate?
 
Joe San
Ranch Hand
This is what I did and this is what I see now:


It still sort of fails. Should I restart my VM so that these changes take effect? I'm really helpless here. What I also noticed is that when I tried the following URL:

www.mydomain.com:80, I got a page not found, but the URL got redirected to www.mydomain.com. But when I tried www.mydomain.com:9000 or anything else, the url remained the same even after getting a page not found error.
 
Joe San
Ranch Hand
Strangely I went ahead and rebooted my system just to find that all my settings in the iptables are not there anymore. This is what I see after reboot!

 
Joe San
Ranch Hand
After fiddling around, finally... finally.... I was able to get this setup. I only need to add the following:



and bang it worked! Thank you very much Tim for all the help!
 