Local Port Forwarding

Note: Circa 2008

The best way to have Tomcat run on port 80 without being root is to use iptables.

One can change the Tomcat connector to listen on port 80, but since non-root processes can’t bind to ports under 1024, nothing will happen. Since iptables is part of the kernel and already running on most servers, it’s a relatively short jump to turn on forwarding from port 80 to 8080, Tomcat’s native port.

The iptables command is:

iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j REDIRECT --to-port 8080

To make this happen with SuSE, you need to tie into the SuSEfirewall2 system (a series of scripts that do all the heavy lifting of iptables in SuSE so you don’t have to).

You could edit the /etc/sysconfig/SuSEfirewall2 config file, but since we already have the iptables command we can simply insert it into the /etc/sysconfig/scripts/SuSEfirewall2-custom config file.

Don’t forget to activate the custom config file in your main config file (/etc/sysconfig/SuSEfirewall2, section 25).

My thanks to Ramon Casha, from whose article the iptables command and idea are pulled: http://linux.org.mt/article/tomcat-ports
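To confirm after a firewall restart that the redirect is loaded and that Tomcat itself is not running as root, a check along these lines can be used. It is an added example, not part of the original note or of SuSEfirewall2; the function names and sample data are constructed, and it assumes Tomcat is started through its org.apache.catalina.startup.Bootstrap class.

```shell
#!/bin/sh
# Added example; all sample data below is constructed.

# Print the port that tcp/$1 is REDIRECTed to by a PREROUTING rule,
# reading iptables-save text on stdin. Prints nothing if no rule matches.
redirect_target() {
    awk -v want="$1" '
        $1 == "-A" && $2 == "PREROUTING" {
            dport = ""; jump = ""; to = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j")      jump  = $(i + 1)
                # iptables-save prints --to-ports; the command above types --to-port
                if ($i ~ /^--to-ports?$/) to = $(i + 1)
            }
            if (jump == "REDIRECT" && dport == want && to != "") { print to; exit }
        }'
}

# Print the distinct users running Tomcat, reading "user args" lines on stdin.
# Tomcat is recognised by its Bootstrap main class (assumption stated above).
tomcat_users() {
    awk '/org\.apache\.catalina\.startup\.Bootstrap/ { print $1 }' | sort -u
}

# Constructed sample input, so the example runs without root or a live firewall.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'
SAMPLE_PS='root     /sbin/init
tomcat   /usr/bin/java -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start'

# On a live host, feed the functions real data instead:
#   iptables-save -t nat    | redirect_target 80
#   ps -e -o user= -o args= | tomcat_users
echo "port 80 redirects to: $(printf '%s\n' "$SAMPLE_RULES" | redirect_target 80)"
echo "tomcat runs as: $(printf '%s\n' "$SAMPLE_PS" | tomcat_users)"
```

An empty result from `redirect_target` means the custom rules file was not loaded; `root` in the output of `tomcat_users` means the redirect is not doing its job of keeping Tomcat unprivileged.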

Most of the instructions on how to set up SSL with Tomcat are at http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html

However, there are some peculiarities to using the IBM JRE as opposed to the Sun one.

In the Tomcat connector, one has to use algorithm="IbmX509" and sslProtocol="SSL".

If you don’t use the right algorithm, you’ll see it in your Tomcat log. The second item IExplorer doesn’t work with.

As with the port 80 instructions, you’ll need to add a hook in the custom firewall rules (it’s detailed in the other inst)


Last modified April 14, 2026: Old site imports (677647f)