I think, for JIRA, we need a loopback redirect from port 443 to port 8443.
Our iptables config:
# Generated by iptables-save v1.4.21 on Mon Jan 16 15:05:07 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3552794:2931603166]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jan 16 15:05:07 2017
# Generated by iptables-save v1.4.21 on Mon Jan 16 15:05:07 2017
*nat
:PREROUTING ACCEPT [61:8946]
:INPUT ACCEPT [78:4096]
:OUTPUT ACCEPT [26:1751]
:POSTROUTING ACCEPT [34:2231]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Mon Jan 16 15:05:07 2017
I think we need to add:
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
Right?
The first Google result gives me this (which looks fine to me):
iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 8443
I have never done such routing, so please update us if it works for you.
BTW: why don't you do it the more common way, by fronting JIRA/Confluence with nginx or Apache? This looks more natural to me and works without any problem. Plus, having SSL under Tomcat looks kind of weird to me.
PREROUTING: Packets will enter this chain before a routing decision is made.
INPUT: Packet is going to be locally delivered. It does not have anything to do with processes having an opened socket; local delivery is controlled by the "local-delivery" routing table: ip route show table local.
FORWARD: All packets that have been routed and were not for local delivery will traverse this chain.
OUTPUT: Packets sent from the machine itself will be visiting this chain.
POSTROUTING: Routing decision has been made. Packets enter this chain just before handing them off to the hardware.
Correct rule:
-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
Um. Why?
Maybe as Atlassian Support said?
Maybe:
Atlassian Support:
I have consulted my senior engineer regarding this issue and here is our findings & suggestion:
I meant why are you using iptables really.
What should we use then? Please share the secret.
I'm not sure. I don't know what your requirements are. Firewalls might be appropriate, but the better answer is usually a proxy. Not always. But it depends on what you're trying to do.
Nic, thanks for the answer. But we use port forwarding, and we need to use iptables.
That doesn't explain why you're using it. I use port-forwarding too, but not iptables.
Port forwarding uses rules on IPs and ports. So iptables is the most logical solution on Linux. And my question wasn't about what is better, just what to add in iptables for a loopback redirect from port 443 to port 8443.
I think this:
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
but I'm not sure.
My problem here is that you've broken your system with inappropriate iptables rules, and you're now trying to fix it by adding more.
I do not understand why you've done this.
working
<sigh> That's incorrect, because I do know networks well enough to know what you've done wrong. I am merely asking why you think this is a good way to do it, especially as you don't really understand what you're doing. I am trying to work out the reasons behind it. I am sure you have a good one, it's just that I cannot work it out.
If you think our iptables or system is broken, the iptables config is in the topic and you could tell us what is broken. But Atlassian Support has already answered us:
As you can see, it is about iptables. If you can answer my question, answer. And if not, then it isn't necessary to lecture on what is better.
It's point 3 that's an incorrect assumption, and it shows that you don't know what you're doing with it. Your iptables is blocking or forwarding local connections incorrectly. An easy check though: turn off iptables and check that it works OK without it.
Our company has nearly 500 people. If this way has been chosen, it means there are reasons. That is not the answer to my question.
Answer honestly: do you know this rule or not?
And yes, you don't know, but for some reason you write anyway.
Viktar, you could use:
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8443
-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
This should allow it to work externally and internally.
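The thread never explains why the rule scoped to 127.0.0.1/32 was not enough, so here is a small model of how the nat OUTPUT chain treats locally generated packets. It is an added example, not code from the thread or from Atlassian; the host addresses (10.0.0.5 and 198.51.100.7) are constructed for the illustration. Two facts it relies on: the kernel sends any packet addressed to one of the host's own IPs (including its eth0 address) out via lo, and REDIRECT rewrites a locally generated packet's destination to 127.0.0.1:<to-ports>. So `curl https://jira.example.com` run on the Jira host itself has source and destination 10.0.0.5, never matches `-s 127.0.0.1/32 -d 127.0.0.1/32`, and lands on port 443 where nothing listens; the `-o lo` rule proposed above matches it. The model also shows that the last OUTPUT rule in the posted config (`--dport 80` with no `-o lo`) sends every outbound HTTP connection from the host to local port 8080, which is worth knowing before adding more rules. Two caveats not modelled here: REDIRECT is only valid in the nat table's PREROUTING and OUTPUT chains, so the INPUT rule proposed earlier in the thread would be rejected by iptables, and a PREROUTING DNAT to 127.0.0.1:8443 from eth0 only works with net.ipv4.conf.eth0.route_localnet=1.

```python
"""Model of netfilter nat OUTPUT matching for locally generated packets.

Added example for the Jira 443 -> 8443 loopback redirect discussion; not
real iptables, just a first-match walk over iptables-save style rules.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Addresses owned by the Jira host (constructed for this example).
HOST_IPS = {"10.0.0.5", "127.0.0.1"}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

    @property
    def out_iface(self) -> str:
        # The kernel routes any locally owned destination (including the
        # host's own eth0 address) via lo; everything else leaves on eth0.
        return "lo" if self.dst in HOST_IPS else "eth0"


@dataclass
class Rule:
    chain: str
    target: str
    to_port: Optional[int] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.out_iface and self.out_iface != pkt.out_iface:
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ... -j TARGET' line (only the options used here)."""
    toks = shlex.split(line)
    opts = {}
    i = 0
    while i < len(toks):
        if toks[i] in ("-A", "-s", "-d", "-o", "-i", "-p", "-j", "-m",
                       "--dport", "--to-ports", "--state"):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return Rule(
        chain=opts["-A"],
        target=opts["-j"],
        to_port=int(opts["--to-ports"]) if "--to-ports" in opts else None,
        src=ipaddress.ip_network(opts["-s"]) if "-s" in opts else None,
        dst=ipaddress.ip_network(opts["-d"]) if "-d" in opts else None,
        out_iface=opts.get("-o"),
        proto=opts.get("-p"),
        dport=int(opts["--dport"]) if "--dport" in opts else None,
    )


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip().startswith("-A")]


def nat_output(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Walk the nat OUTPUT chain. REDIRECT is terminating, so the first match
    wins; for locally generated packets it rewrites dst to 127.0.0.1:to_port."""
    for r in rules:
        if r.chain == "OUTPUT" and r.target == "REDIRECT" and r.matches(pkt):
            return ("127.0.0.1", r.to_port)
    return (pkt.dst, pkt.dport)


# nat table exactly as posted in the thread's iptables-save output.
ORIGINAL_NAT = """
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
"""

# The loopback rule proposed in the thread, appended to the nat OUTPUT chain.
LOOPBACK_443_FIX = "-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443\n"


def scenarios(nat_text: str) -> dict:
    """Where four locally generated connections end up under a given nat table."""
    rules = parse_rules(nat_text)
    return {
        "https://127.0.0.1": nat_output(rules, Packet("127.0.0.1", "127.0.0.1", 443)),
        "https://<own eth0 ip>": nat_output(rules, Packet("10.0.0.5", "10.0.0.5", 443)),
        "https://<internet>": nat_output(rules, Packet("10.0.0.5", "198.51.100.7", 443)),
        "http://<internet>": nat_output(rules, Packet("10.0.0.5", "198.51.100.7", 80)),
    }


if __name__ == "__main__":
    for label, table in (("posted config", ORIGINAL_NAT), ("with -o lo rule", ORIGINAL_NAT + LOOPBACK_443_FIX)):
        print(label)
        for name, (dst, port) in scenarios(table).items():
            print(f"  {name:24s} -> {dst}:{port}")
```

Running it shows that under the posted config only the 127.0.0.1 connection reaches 8443, while a connection to the host's own eth0 address stays on 443; with the `-o lo` rule both reach 8443 and outbound HTTPS to the internet is untouched. Outbound HTTP to the internet is rewritten to 127.0.0.1:8080 in both cases because of the unscoped `--dport 80` rule; adding `-o lo` to that rule (as the first OUTPUT rule already has) and dropping the unscoped copy would stop that.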