Using iptables to map privileged to non-privileged port - apache

I have an Apache web service running on port 8080 but would like to be able to connect on port 80. However, my Unix sysadmin does not allow Apache to be started as root, nor does she provide access to sudo.
However, she will execute commands on request.
I believe this can be achieved with iptables. Is there a way to map port 80 to 8080 and 443 to 8083 without this sysadmin having to edit any files?
i.e. just using echo with the append operator >>.

She can do this by running:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8083
This will make the redirection active immediately, but it doesn't save it, so it will no longer work after a reboot.
It is possible to do this without editing any file at all by using iptables-save, but it depends on which Linux flavor you're running and whether you use ferm, ufw, or some other firewall management tool.
On RedHat/CentOS, she could just do:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8083
iptables-save > /etc/sysconfig/iptables
On other OS variants, YMMV!
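A fuller version of that redirect, as an added example (it is not part of the answer above): besides the two PREROUTING rules, it repeats each redirect in the nat OUTPUT chain so that clients on the box itself (curl http://localhost/) are redirected as well, and it rejects connections that hit the backend ports 8080/8083 directly on the public interface instead of coming through the redirect. The interface name eth0, the port pairs, the script name redirect.sh and the `apply` argument are assumptions; the output is in iptables-restore format, the same format `iptables-save > /etc/sysconfig/iptables` stores.

```shell
#!/bin/sh
# Added example, not part of the answer above: generate the redirect rule set
# as an iptables-restore fragment, including the loopback case the plain
# PREROUTING rules miss, plus a guard against direct connections to the
# backend port. IFACE, the port pairs and the "apply" argument are assumptions.

IFACE="${IFACE:-eth0}"

# gen_redirect_rules PROTO FROM TO [PROTO FROM TO ...]
# e.g. gen_redirect_rules tcp 80 8080 tcp 443 8083
gen_redirect_rules() {
    spec="$*"
    printf '*nat\n'
    set -- $spec
    while [ $# -ge 3 ]; do
        proto=$1; from=$2; to=$3; shift 3
        # First packet of a connection arriving on the public interface.
        printf '%s\n' "-A PREROUTING -i $IFACE -p $proto --dport $from -j REDIRECT --to-ports $to"
        # Locally generated connections (curl http://localhost/) are NATed in
        # the OUTPUT chain, not PREROUTING, so the redirect is repeated there.
        printf '%s\n' "-A OUTPUT -o lo -p $proto --dport $from -j REDIRECT --to-ports $to"
    done
    printf 'COMMIT\n*filter\n'
    set -- $spec
    while [ $# -ge 3 ]; do
        proto=$1; from=$2; to=$3; shift 3
        # REDIRECT leaves $to reachable directly. Reject connections on it that
        # did not come through the redirect (conntrack virtual state DNAT).
        printf '%s\n' "-A INPUT -i $IFACE -p $proto --dport $to -m conntrack ! --ctstate DNAT -j REJECT"
    done
    printf 'COMMIT\n'
}

# verify_redirect FROM TO  (reads iptables-save output on stdin)
# Succeeds only if both the PREROUTING and the OUTPUT redirect are present.
verify_redirect() {
    saved=$(cat)
    printf '%s\n' "$saved" | grep -q -- "^-A PREROUTING .*--dport $1 -j REDIRECT --to-ports $2" &&
    printf '%s\n' "$saved" | grep -q -- "^-A OUTPUT .*--dport $1 -j REDIRECT --to-ports $2"
}

case "${1:-}" in
    apply)  # root only; --noflush keeps whatever rules are already loaded
        gen_redirect_rules tcp 80 8080 tcp 443 8083 | iptables-restore --noflush
        iptables-save -t nat | verify_redirect 80 8080 && echo "80 -> 8080 active" ;;
    *)      # default: print the fragment so the sysadmin can review it first
        gen_redirect_rules tcp 80 8080 tcp 443 8083 ;;
esac
```

Run with no arguments it only prints the fragment for review; `sh redirect.sh apply` (as root) loads it without flushing the existing tables, and `iptables-save -t nat | verify_redirect 80 8080` confirms both halves of the redirect are in place before the state is persisted. The INPUT rule matters because REDIRECT does not hide the backend port: without it, anything that can reach the host can skip the redirect and talk to 8080 directly, which is rarely what "only port 80 is exposed" is meant to imply.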

Related

UFW port forwarding does not work with my coturn set up

I am trying to receive data on port 443 and forward it to my coturn server listening on port 5349.
I want this set up so that my WebRTC app can connect over 443 without my coturn server having root access (for the privileged port 443).
In my /etc/ufw/before.rules I have the entries below:
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5349
COMMIT
When I test my TURN setup at https://test.webrtc.org/ using port 443 I get:
Udp disabled
Relay connectivity timed out
Reflexive connectivity timed out
But using port 5349 it seems to work.
I have all needed ports open in ufw. I tried with ufw disabled too.
Do I need to add any other changes for port forwarding, like adding an OUTPUT entry (which I don't know how to add, though)?
Do I need to add the rule entry for IPv6 too (/etc/ufw/before6.rules)?
I added these to the before.rules file:
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5349
-A PREROUTING -p udp --dport 443 -j REDIRECT --to-port 5349
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port 5349
-A OUTPUT -o lo -p udp --dport 443 -j REDIRECT --to-port 5349
COMMIT
I am not sure if it is OK, but at the moment this seems to work. I am still open to suggestions. Please give me suggestions to improve what I have done so far.

SSLStrip + Mitmdump are not working together

I am trying to run mitmdump and sslstrip2 together, but they are not working together.
Since they both need to listen on port 80, I forwarded both applications to unique ports, as follows:
For SSLStrip preparation -->
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9090
For mitmdump preparation -->
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
Then I activated both of those applications:
# ARP poisoning is active in this process.
1) python sslstrip.py -l 9090  # Set this to 9090, because the following mitmdump listener defaults to 8080.
2) ./mitmdump --mode transparent --modify-body :~s:"":"alert("hi");"
The problem is that they work separately, but when run together only one of them works.
I need to be able to use mitmdump while HSTS/HTTPS is hijacked successfully.
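Why only one of the two sees traffic can be read off the nat table: both commands append to PREROUTING with the identical match `-p tcp --dport 80`, and REDIRECT is a terminating target, so whichever rule was added first takes every port-80 connection and the other is never consulted. The script below is an added example (not from the question and not from either tool): it scans `iptables-save` output for rules that are shadowed this way. The sample rule set is constructed to mirror the two commands above.

```shell
#!/bin/sh
# Added example, not from the original post: find rules that can never match
# because an earlier rule in the same chain has an identical match and a
# terminating target. Reads iptables-save output on stdin.

# Constructed sample of what `iptables-save -t nat` prints after the two
# REDIRECT commands in the question have both been appended.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9090
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
COMMIT'

# find_shadowed_rules < iptables-save-output
# Prints each shadowed rule together with the earlier rule that wins;
# exit status 1 if anything was shadowed, 0 otherwise.
find_shadowed_rules() {
    awk '
    # Terminating targets: once one matches, later rules in the chain are skipped.
    BEGIN { split("ACCEPT DROP REJECT RETURN REDIRECT DNAT SNAT MASQUERADE", t, " ")
            for (i in t) term[t[i]] = 1 }
    /^\*/ { table = substr($0, 2); next }            # "*nat", "*filter"
    /^-A / {
        j = index($0, " -j ")
        if (j == 0) next
        match_part = substr($0, 1, j - 1)            # "-A PREROUTING -p tcp -m tcp --dport 80"
        split(substr($0, j + 4), tgt, " ")           # target name after -j
        key = table ":" match_part
        if (key in winner) {
            print "shadowed by \"" winner[key] "\": " $0
            found = 1
        } else if (tgt[1] in term) {
            winner[key] = $0
        }
    }
    END { if (found) exit 1; exit 0 }'
}

# Stand-alone run: report shadowed rules in the constructed sample.
printf '%s\n' "$SAMPLE_NAT" | find_shadowed_rules || echo "at least one rule is shadowed (exit status $?)"
```

Feed it the live tables with `iptables-save | find_shadowed_rules`; it exits 1 when it finds a shadowed rule. It compares rule text as printed by iptables-save, which normalizes matches (`-p tcp --dport 80` becomes `-p tcp -m tcp --dport 80`), so run it on that output rather than on hand-typed command lines.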

SSH tunnel <--> iptables NAT port forwarding - HOWTO?

I need to set up access to the HTTP(S) servers on devices like KVMs and PDUs on a private network (192.168.0.0/24). I must get through an isolated network (10.0.0.0/8) limited to ports 22 and 443. I have a dual-NIC Linux server inside the network that serves as a gateway to the private network. See the diagram here:
Network Diagram
I need to use a forward SSH tunnel to get to the Linux gateway, then use iptables NAT to route HTTP(s) traffic to the web frontends on the devices.
I've observed with both tcpdump and an iptables trace that the inbound HTTP(S) request through the SSH tunnel shows up on interface lo, not eth1 as one might expect.
This has led me to come up with the following nat and filter rules:
*nat
-A PREROUTING -i lo -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.100:80
-A PREROUTING -i lo -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.0.101:443
-A POSTROUTING -d 10.0.0.0/8 -o lo -j SNAT --to-source <10.gateway_IP>
COMMIT
*filter
:INPUT ACCEPT [37234:5557621]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26648:27864039]
-A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
So, when I set up the tunnel with:
ssh -L 8080:<gateway>:8080 <user>@<gateway>
Then making sure on the gateway:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
and then open http://localhost:8080,
the packets make it out of the tunnel onto the gateway, out of interface lo, but iptables doesn't seem to forward them to the destination in the PREROUTING rule. stderr from the tunnel returns "Connection refused."
What am I missing?

Port is not being redirected when it is active from 8080 to 80

I am using GlassFish and an apache2 server. I've used the commands below:
1) sudo iptables -A INPUT -i enp1s0 -p tcp --dport 80 -j ACCEPT
2) sudo iptables -A INPUT -i enp1s0 -p tcp --dport 8080 -j ACCEPT
3) sudo iptables -A PREROUTING -t nat -i enp1s0 -p tcp --dport 80 -j REDIRECT --to-port 8080
4) sudo iptables -t nat -A OUTPUT -o lo -p tcp --dport 80800 -j REDIRECT --to-port 80
But the problem is that when GlassFish is stopped I am able to redirect localhost:8080 to port 80, but when GlassFish is started it doesn't redirect to port 80.
Thanks in advance
4) sudo iptables -t nat -A OUTPUT -o lo -p tcp --dport 80800 -j REDIRECT --to-port 80
The port number is wrong here. It should be 8080

iptables rules - whitelist IPs

My CentOS server has an iptables rule.
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j REJECT --reject-with tcp-reset
This rule is doing the job like a firewall, but I don't want it to block my own server IPs.
My server IPs:
"127.0.0.1", "my server ip1", "my server ip2", etc.
How do I exclude them from this iptables rule?
Thank you very much!
Just use:
# Loopback
iptables -I INPUT -s 127.0.0.1 -i lo -j ACCEPT
# Repeat for each SERVER_IP
iptables -I INPUT -s SERVER_IP -j ACCEPT
Note that this will open everything for the SERVER_IPs. YMMV depending on what you want to allow.
For instance, if you just want to open the HTTP port for those IPs:
# Loopback
iptables -I INPUT -s 127.0.0.1 -i lo -j ACCEPT
# Repeat for each SERVER_IP
iptables -I INPUT -s SERVER_IP -p tcp --dport 80 -j ACCEPT
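As an added example (not the answer's own commands): the same exemptions expressed as one iptables-restore fragment for the filter table, so their position above the connlimit rule does not depend on the order in which `iptables -I` commands were typed, together with a check that can be run against `iptables-save` output to confirm that no exemption has ended up below the limit. The addresses 192.0.2.10 and 192.0.2.11 and the limit of 50 are placeholders.

```shell
#!/bin/sh
# Added example, not part of the answer above: build the INPUT rules for
# port 80 as one iptables-restore fragment (exemptions first, connlimit last)
# and verify that order on iptables-save output. Addresses and the limit are
# placeholders.

LIMIT="${LIMIT:-50}"

# gen_http_rules IP [IP ...]  -> filter table fragment for iptables-restore
gen_http_rules() {
    printf '*filter\n'
    # Loopback: local health checks and reverse proxies are never limited.
    printf '%s\n' "-A INPUT -i lo -j ACCEPT"
    # Exempt each server IP for the HTTP port only, not for every port.
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip -p tcp --dport 80 -j ACCEPT"
    done
    # Everyone else: reset new connections once a source has more than LIMIT open.
    printf '%s\n' "-A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above $LIMIT -j REJECT --reject-with tcp-reset"
    printf 'COMMIT\n'
}

# check_order < iptables-save-output
# exit 0: every port-80 ACCEPT precedes the connlimit rule
# exit 1: an ACCEPT sits below it (never reached for a throttled source)
# exit 2: no connlimit rule found at all
check_order() {
    awk '/^-A INPUT .*--dport 80 .*-j ACCEPT/ { if (limit) bad++ }
         /^-A INPUT .*-m connlimit/            { limit = NR }
         END { if (!limit) exit 2; if (bad) exit 1; exit 0 }'
}

# Stand-alone run: print the fragment and confirm its ordering.
gen_http_rules 192.0.2.10 192.0.2.11
gen_http_rules 192.0.2.10 192.0.2.11 | check_order && echo "# exemptions precede the connlimit rule"
```

After applying rules by hand, `iptables-save -t filter | check_order` exits 0 when every port-80 ACCEPT precedes the connlimit rule, 1 when one was appended below it (as happens if `-A` is used instead of `-I`), and 2 when no connlimit rule is present at all.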