I'm running a DigitalOcean CentOS 6 VPS. Here's the script I used to set up iptables on CentOS 6.4 64-bit:
#!/bin/sh
# Stop the service (on CentOS 6 this flushes the running rules), then rebuild them
service iptables stop
# Drop malformed TCP: no flags set, NEW connections that are not SYN, all flags set
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow inbound HTTP, HTTPS and SSH
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Redirect 80 and 443 arriving on eth0 to the GlassFish listeners on 8080 and 8181
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8181
# Accept packets belonging to tracked connections (inserted at the top of INPUT)
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default policies: everything out is allowed, anything in that no rule accepted is dropped
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Persist the rules so the iptables service reloads them at boot
iptables-save > /etc/sysconfig/iptables
service iptables restart
It opens ports 22, 80 and 443 only, redirecting 80 and 443 internally to 8080 and 8181 respectively.
Due to a bug/quirk in GlassFish, I had to add the machine's hostname to /etc/hosts:
127.0.0.1 localhost
127.0.0.1 example.com
Without the NAT rules in the iptables configuration, I am able to reach the GlassFish server via my browser at home when attempting to connect either via port 8080 or 8181. With the NAT rules added, I cannot reach the server at all, neither via 80 and 443 nor via 8080 and 8181.
Do I need to make a change to any of the iptables rules to factor in that extra line in /etc/hosts?
Update:
If I remove the last rule, iptables -P INPUT DROP, I can now access the server via a browser using ports 80/443 and 8080/8181. This indicates the forwarding is working.
The short answer is NO, no you don't.
The longer answer is that /etc/hosts is there to assist the networking stack resolver. The resolver is the part of the IP stack (TCP/IP v4 and v6) that is responsible for converting friendly names, such as mybigserver, to an IP address, such as 172.16.0.1.
In your post you show us a script, and the script runs iptables commands.
The script uses the PREROUTING chain to do NAT, but you state in your question that you are unable to reach the "GlassFish" server via the browser.
If the answer to #1 is another host connected to the same switch as your Linux ETH0, then the problem is you need to change your NAT rules to use the POSTROUTING chain. The reason being you want to NAT the outbound connection. What you have set up is PAT (Port Address Translation).
If this is your setup: [Your Browser]------[network switch]-----[ETH0 Linux ETH1]-----[Public Internet]
Then replace these lines
with:
If this resolves your issue, then you can fine tune that POSTROUTING rule to use a range of ports and/or a specific ETH1 IP if it's multi-homed.
Short answer
You don't ACCEPT packets to either 8080 or 8181 in your rules!
Longer answer
This is because your rules work and thereby forward 80 and 443 to 8080 and 8181! But you forgot to also ACCEPT connections to those, which is why all of them are rejected!
Should make sense now:
Without the last line you have the default of ACCEPT instead of DROP so of course it works then.
Solution
Add the following two rules ...
... and it should work with the default INPUT DROP line (Port 80 >> Port 8080 >> ACCEPT (rule)).
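The point made in this answer generalizes: a nat PREROUTING REDIRECT rewrites the destination port before the packet reaches the filter INPUT chain, so with a DROP policy the rewritten port (here 8080 and 8181) needs its own ACCEPT, not just the public port. The script below is an added example, not code from the question or either answer: it lints an iptables-save dump for exactly this mistake and emits a corrected dump. The dump is constructed by hand from the questioner's script (interface eth0, ports 80/443 redirected to 8080/8181, as written by iptables-save); the function names are my own.

```shell
#!/usr/bin/env bash
# Added example: check that every port a nat PREROUTING REDIRECT rule sends
# traffic to is also ACCEPTed in filter INPUT, and add the missing ACCEPTs.

# Constructed sample: the questioner's rules as iptables-save would write them.
ORIGINAL_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# redirect_targets DUMP: the --to-ports value of every REDIRECT rule, one per line
redirect_targets() {
    printf '%s\n' "$1" | awk '
        /-j REDIRECT/ { for (i = 1; i <= NF; i++)
                        if ($i == "--to-ports" || $i == "--to-port") print $(i + 1) }'
}

# accepted_input_ports DUMP: every tcp --dport that filter INPUT ACCEPTs, one per line
accepted_input_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-j ACCEPT/ { for (i = 1; i <= NF; i++)
                                      if ($i == "--dport") print $(i + 1) }'
}

# missing_accepts DUMP: redirect target ports with no INPUT ACCEPT, space-separated
missing_accepts() {
    local dump=$1 missing="" port
    for port in $(redirect_targets "$dump"); do
        # -x: the whole line must equal the port, so 80 does not satisfy 8080
        if ! accepted_input_ports "$dump" | grep -qx -- "$port"; then
            missing="$missing $port"
        fi
    done
    printf '%s' "${missing# }"
}

# fix_ruleset DUMP: print DUMP with an INPUT ACCEPT for each missing target,
# appended just before the filter table's COMMIT so the existing DROP rules
# for malformed TCP still run first.
fix_ruleset() {
    local dump=$1 add="" port
    for port in $(missing_accepts "$dump"); do
        add="${add}-A INPUT -p tcp -m tcp --dport $port -j ACCEPT
"
    done
    printf '%s\n' "$dump" | awk -v add="$add" '
        /^\*/                              { table = $1 }
        /^COMMIT$/ && table == "*filter"   { printf "%s", add }
        { print }'
}

# Demo: report the gap in the original rules, then show the corrected filter table
echo "redirect targets without an INPUT ACCEPT: $(missing_accepts "$ORIGINAL_RULES")"
FIXED_RULES=$(fix_ruleset "$ORIGINAL_RULES")
printf '%s\n' "$FIXED_RULES" | sed -n '/^\*filter/,/^COMMIT$/p'
```

On a CentOS 6 box the corrected dump can be written to /etc/sysconfig/iptables and loaded with `iptables-restore < /etc/sysconfig/iptables` (which is what `service iptables start` does). The check only understands single ports, so a REDIRECT to a port range (`--to-ports 8080-8090`) would have to be handled by hand.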