IPTABLES Redirect HTTP traffic to different port on same interface....

Hi everyone,

Been trying a few options today to achieve my goal and getting half of the solution working at one time or another.

Goal: Primary goal is to setup IPTABLES rules that will have all HTTP traffic coming in a port 44088 on eth0 and redirect to Port 80 on the same server interface of eth0. Secondary goal is to ensure any traffic sent to port 80 that is not from the redirect of port 44088 to be dropped unless it is from source IP Address of Last request is want to ensure that return HTTP traffic does not indicate it is coming from port 80.

Environment: Using CentOS 6.6 with latest version of Apache.

Thank you for the help in advance.
LVL 12
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

what is the destination of the port 80 traffic?
The redirect does not alter the source as the responses will be sent to itself.

You need to use packet tagging/marking


I do not see what you are trying to do.

Internet eth0 linux ?

Are you trying to handle/restrict proxy requests from inside your lan?
Joel_SiskoAuthor Commented:
Hi Arnold,

I would like to install Apache and have it listen on port 80 as the default installation provides this. I do not want my users to connect directly to port 80, I would like my users HTTP traffic to connect to the server IP using port 44088, any traffic received (assume only HTTP) on port 44088 gets redirected[proxy] to port 80 that Apache is listening on.

However I want to make sure any HTTP traffic directly to port 80 is dropped.

Hope the above clarifies my end goal, how we get there I leave up to the experts.

I have tried a few rules but can get one item working or another, though part of the issue I suspect is I am not approaching this the right way and probably overcomplicating a bit and or not understanding the best approach.

Thanks for the help.

The puzzling thing it makes no sense what you are trying to achieve?
Usually different ports are default the off port you want to use might be denied on the user side.

Configure Apache to listen on the port you want and be done with it.
You have a walkway, and a front door. What you are asking is to put a block on the walkway from direct access, but setup a side route if used will allow the person access to the walkway.
Exploring ASP.NET Core: Fundamentals

Learn to build web apps and services, IoT apps, and mobile backends by covering the fundamentals of ASP.NET Core and  exploring the core foundations for app libraries.

Joel_SiskoAuthor Commented:
Hi Arnold,

Actually makes perfect sense based on my need. As stated earlier I prefer not to change the default port on Apache for a few reasons, one being not having to change the default Apache configuration. Another is that I can stop the flow of traffic via IPtables without turning off and modifying yet another config file , in this case Apache configurations. Third I can stop inbound traffic from the Internet, yet still provide internal access to Apache for various reasons.

The --to-port 80 is the directive you will use on the input side, while on the forwarding/prerouting you

Could you provide context to tge network flow

Internet <=> router/firewall <=> LAN

The issue is that marking the packet hitting the 44088 port and then have an allow dstport 80 contingent on the mark of the packet.

If the system in question has two nice, you could apply different rules based on the NIC/interface on which the request comes in
-i eth0 wan
-i eth1 LAN
Joel_SiskoAuthor Commented:
Single NIC (eth0)

Internet traffic from customers being sent to my.public.Ip.Address:44088 which is configured for eth0 ==> Send this traffic to Port 80 on eth0 which Apache is listening on.

Admin traffic from my IP address lets say is allowed to connect to port 80 on eth0 , all other source ip's traffic to port 80 are dropped
Joel_SiskoAuthor Commented:
BTW this is what I was trying and was able to route the traffic from 44088 to 80

iptables -t nat -A PREROUTING -p tcp --dport 44088 -j REDIRECT --to-ports 80

However I could not drop the port 80 traffic as I was hoping. So that is where I was getting stuck

You can not do a simple redirect in your scenario as I tried to explain.

the redirect simply resends the packet back through the iptables rules with the new destination port. In this case, your deny rule will apply.

You have to first, mark the packet entering on port 44088
Changing the configuration of apache is the straight forward thing to do and this is why the configuration files are modifiable and are not cast in stone.

first, you would do
iptables -I INPUT 4 -p tcp --dport 80 -src -J ACCEPT
iptables -i INPUT 5 -p tcp --dport 80 -j logdeny
iptables -I INPUT 6 -p tcp --dport 44088 -J ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 44088 -j REDIRECT --to-ports 80
iptables -t nat -A FORWARD -p tcp --dport 80 -j ACCEPT

the input will only allow port 80 traffic from the source to enter
the prerouting/forward will reroute and allow packets entering to get to the apache server.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux Networking

From novice to tech pro — start learning today.