26

I use an Amazon EC2 instance which runs Ubuntu. By default, according to security restrictions, I can't bind my application to port 80, so I just bind it to port 8080 and then set up a routing redirect from port 80 to 8080 via the following command:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080

But I found that when I reboot the server these settings are no longer active until I invoke this command again.

So my question is: how do I make the port redirect keep working even after the system has been rebooted?

Ph0en1x

4 Answers

20

You can add this command to /etc/rc.local, so it will be executed automatically after reboot.

nux
16

Use the iptables-save command instead.

Firewall rules should never go into rc.local script. rc.local is the last thing to be executed. If a block rule has been placed into rc.local there is a small time frame where an attacker can exploit a rule not being in place.

While it probably doesn't matter with this situation, it is still best to not get into a bad habit that may bite you later.

MeOMy

  • I ran "sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080" and "sudo iptables-save". But routing was reset on reboot. Did I misunderstand how to do this? – birgersp Apr 11 '16 at 09:25
  • The answer is incomplete. `iptables-save > some-file-path` saves the rules, and then you would restore them via `iptables-restore < some-file-path` in `rc.local`. Or install `iptables-persistent`, which does this during boot as a service. – Thomas Ward Nov 19 '16 at 22:45
  • I'd like to understand how to do this. Be more specific, please. – birgersp Aug 05 '18 at 16:42
6

Here is how the official iptables documentation teaches us to do it. See here

Add these two lines in /etc/network/interfaces:

pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules

The line post-down iptables-save > /etc/iptables.rules will save the rules to be used on the next boot.

Stavarengo

  • Kudos for using the officially recommended method and, in this case, the simplest method, to complete this task. I'd +2 if I could for using the KISS method. – DeeJayh Mar 17 '17 at 19:13
0

I discovered a set of directories on Ubuntu 16.04 in /etc/network that will run scripts at various times during network initialization and shutdown:

if-down.d
if-post-down.d  
if-pre-up.d  
if-up.d
interfaces.d

So I found that I could dump the configuration as usual:

$ sudo sh -c "iptables-save > /etc/iptables.rules"

Then I created a file `/etc/network/if-pre-up.d/restore`:

#!/bin/sh

iptables-restore < /etc/iptables.rules

... and flagged it executable:

$ sudo chmod 755 /etc/network/if-pre-up.d/restore
mikebridge
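Putting the iptables-save/iptables-restore advice from the second answer together with the pre-up hook from the last two, here is an added example (not code from any of the answers or from the iptables project): a POSIX sh script that writes the nat-table rules in the format `iptables-save` produces, checks the file before it is trusted at boot, and installs the `if-pre-up.d` restore hook. The function names, the structural check and the missing-file guard in the hook are my own; file paths are passed as arguments so the functions can be exercised in a scratch directory rather than only under /etc.

```shell
#!/bin/sh
# Added example, not from any of the answers above. Builds an iptables-restore
# style rules file for the port 80 -> 8080 REDIRECT and an if-pre-up.d hook
# that reloads it before the interface comes up. File paths are arguments so
# the functions can be exercised in a scratch directory; on a real host they
# would be /etc/iptables.rules and /etc/network/if-pre-up.d/restore.

# write_rules_file FILE: emit the nat table in iptables-save format. This is
# the same shape `iptables-save` produces: a *table header, chain policies,
# the rules, and a closing COMMIT. iptables-save spells the target option
# --to-ports; --to (as typed in the question) is an accepted abbreviation.
write_rules_file() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
EOF
}

# rules_file_valid FILE: offline sanity check before a rules file is trusted
# at boot. Every *table header needs a matching COMMIT (a truncated save file
# is the classic way to end up with no rules loaded), and the redirect rule
# itself must be present. Runs without iptables or root.
rules_file_valid() {
    rf=$1
    [ -r "$rf" ] || return 1
    grep -q '^\*nat$' "$rf" || return 1
    # `|| true` keeps the count at "0" instead of failing under set -e
    tables=$(grep -c '^\*' "$rf" || true)
    commits=$(grep -c '^COMMIT$' "$rf" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ] || return 1
    grep -q -- '--dport 80 -j REDIRECT --to-ports 8080' "$rf" || return 1
    return 0
}

# rules_file_loadable FILE: on the real host, have iptables-restore parse the
# file without committing it (--test). Needs iptables and root, so it is kept
# separate from rules_file_valid, which can run anywhere.
rules_file_loadable() {
    command -v iptables-restore >/dev/null 2>&1 || return 2
    iptables-restore --test < "$1"
}

# write_preup_hook HOOK RULES: install the if-pre-up.d script. It exits 0 when
# the rules file is missing, so a lost file cannot keep the interface down,
# but fails loudly if iptables-restore rejects a file that does exist.
write_preup_hook() {
    cat > "$1" <<EOF
#!/bin/sh
# Restore saved iptables rules before the interface is brought up.
RULES=$2
[ -r "\$RULES" ] || exit 0
exec iptables-restore < "\$RULES"
EOF
    chmod 755 "$1"
}

# demo: exercise everything in a scratch directory; returns 0 on success.
demo() {
    dir=$(mktemp -d) || return 1
    write_rules_file "$dir/iptables.rules"
    write_preup_hook "$dir/restore" "$dir/iptables.rules"
    rules_file_valid "$dir/iptables.rules" && [ -x "$dir/restore" ]
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "rules file and hook generated and checked"
```

On a real host you would run the two `write_*` functions as root against /etc/iptables.rules and /etc/network/if-pre-up.d/restore, then call `rules_file_loadable /etc/iptables.rules` before rebooting so a typo is caught while you still have a shell. The `if-pre-up.d` hooks are run by ifupdown; on releases where interfaces are managed by netplan instead, they are not invoked, which is one reason the `iptables-persistent` package mentioned in the comments is the more portable choice.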