
I have a VPS which is accessible via hello.com, running Ubuntu and a minimal Python script that serves some HTML content. The Python script is listening on port 8069. hello.com:8069 works as expected, but I also need to access the Python script on port 80 (hello.com:80).

I've done some research, and apparently listening on ports under 1000 is only possible with root, which isn't an option for security reasons. The only real solution I've found is iptables port redirecting.

I've attempted to set up a REDIRECT rule in the nat table, but visiting hello.com:80 still gives me a timeout error.

Here's my /etc/iptables/rules.v4:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8069
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8069 -j ACCEPT
COMMIT

I've followed a few guides, and set net.ipv4.conf.eth0.forwarding=1 and net.ipv4.ip_forward=1. Is there something I'm missing?

Server details:

root@hello.com:/# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.3 LTS
Release:        14.04
Codename:       trusty

root@hello.com:/# iptables -V
iptables v1.4.21

root@hello.com:/# ufw version
ufw 0.34~rc-0ubuntu2
Copyright 2008-2012 Canonical Ltd.

root@hello.com:/# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0      2067      0      0 0          1879      0      0      0 BMRU
lo        65536 0       637      0      0 0           637      0      0      0 LRU
    This is pretty basic but... did you apply your new rule? What's the output of `iptables -S` and/or `iptables -L`? – stoned Oct 12 '15 at 00:34
  • I've done a `/etc/init.d/iptables-persistent reload`, and rebooted with no luck :-( [here's the output of iptables -S](http://pastebin.com/i5wrrXSU) – Ryan Cole Oct 12 '15 at 00:38
  • the rule looks fine, you're not testing from the very machine with the rule applied, right? – stoned Oct 12 '15 at 01:05
  • nope testing from my home pc. could it be a SELinux flag or something like that? – Ryan Cole Oct 12 '15 at 01:11
  • SELinux? Your box looks like a Debian/Ubuntu one to me, correct? Have you checked that your VPS provider doesn't set up an extra firewall? – stoned Oct 12 '15 at 10:57
  • Turns out I was approaching this from the wrong direction - we ended up using Nginx to reverse proxy `0.0.0.0:80` -> `localhost:8069` – Ryan Cole Aug 09 '17 at 02:36

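A consistency check for a rules.v4 file, added here as an example (it is not part of the question, and not an iptables tool): it rejects a rule with a missing space such as `--dport 22-j ACCEPT`, which makes iptables-restore refuse the whole file so that nothing is loaded, and it flags a REDIRECT whose target port is not accepted by the filter INPUT chain, because filter INPUT sees the post-NAT destination port (8069, not 80). The sample file is constructed from the question's layout with a DROP policy on INPUT so that the second check has something to report; `opt`, `parse_rules` and `lint_redirects` are names chosen for this example.

```python
import shlex

# Constructed sample: the question's layout with a DROP policy on INPUT and a deliberate missing space (`22-j`).
RULES_V4 = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8069
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22-j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def opt(argv, flag):  # value following `flag` in a tokenised rule, or None if absent
    return argv[argv.index(flag) + 1] if flag in argv[:-1] else None

def parse_rules(text):
    """Return (policies, rules): policies[(table, chain)] -> default target, rules -> [(table,
    chain, argv)]. A malformed rule raises ValueError; iptables-restore would reject the whole file."""
    policies, rules, table = {}, [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-"):
            argv = shlex.split(line)
            if argv[:1] != ["-A"] or "-j" not in argv[:-1]:
                raise ValueError(f"line {lineno}: no '-j TARGET' (missing space?)")
            rules.append((table, argv[1], argv))
    return policies, rules

def lint_redirects(text):
    """Findings for each nat PREROUTING REDIRECT; an empty list means the file is consistent."""
    try:
        policies, rules = parse_rules(text)
    except ValueError as err:
        return [f"syntax: {err}"]
    accepted = {opt(a, "--dport") for t, c, a in rules if (t, c) == ("filter", "INPUT")
                and opt(a, "-p") == "tcp" and opt(a, "-j") == "ACCEPT"}
    findings = []
    for t, c, a in rules:
        if (t, c, opt(a, "-j")) != ("nat", "PREROUTING", "REDIRECT"):
            continue
        dst = opt(a, "--to-ports")
        # filter INPUT runs after nat PREROUTING, so it sees the redirected port, not the original one
        if dst not in accepted and policies.get(("filter", "INPUT")) != "ACCEPT":
            findings.append(f"--dport {opt(a, '--dport')} -> {dst}: filter INPUT never accepts tcp/{dst}")
    return findings
```

The nat PREROUTING chain never sees locally generated packets, so a curl run on the VPS itself would not exercise the rule at all; test from another host, as the comments above point out.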