I am using iptables redirection to make a Tomcat on RHEL7 accessible on port 443 (for https traffic) as described here. The important rules should be those three:
iptables -A INPUT -p tcp --dport 443 -i eth3 -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -i eth3 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-port 8443
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth3 -j ACCEPT
# Drop all other incoming packets on the interface eth3
iptables -A INPUT -i eth3 -j DROP
So what I do not understand is why I need the rule to open port 8443 to the outside. When I close it and only open 443, it does not work. To my understanding, the redirection should happen internally, shouldn't it? Or can this somehow be configured differently?
Remark: eth3 is the one interface I actually do need to protect. There are others as well, but those are only internal ones.
I think I just figured it out myself: the pre-routing apparently happens before the actual accept/drop rules are hit. Hence, the request is redirected from 443 to 8443 and the rules are only applied to the redirected traffic. Thus, I do not have to open port 443 with an accept rule; the redirect seems to "open" it anyway. So the first rule (accept 443) can be omitted.
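The following ruleset is an added example, not part of the original thread, that puts the self-answer above into practice: because the nat PREROUTING REDIRECT rewrites the destination port before the filter INPUT chain is consulted, no ACCEPT for 443 is needed. It also adds a tightening the thread does not mention: the INPUT rule for 8443 is restricted with `-m conntrack --ctorigdstport 443`, so it accepts only connections whose original destination was 443 and lets direct connections to 8443 on eth3 fall through to DROP. The interface name eth3 and the ports 443/8443 come from the question; the `emit_ruleset`, `loose_8443_rules` and `apply` names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): an iptables-restore ruleset for
# the 443 -> 8443 redirect. The packet reaches INPUT with dport 8443, but the
# conntrack entry still records the pre-REDIRECT destination port, so the
# filter rule can match on that original port instead of opening 8443 to all.
# eth3 and the two ports are from the question; everything else is assumed.

emit_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
# Redirect only on the exposed interface; the rule in the question had no -i
# and therefore also rewrote port 443 traffic arriving on internal interfaces.
-A PREROUTING -i eth3 -p tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Loose form (what the question used): accepts anyone connecting to 8443
# directly as well as the redirected 443 traffic.
# -A INPUT -i eth3 -p tcp --dport 8443 -j ACCEPT
# Tight form: accept 8443 only when the connection was originally sent to 443,
# i.e. only what the REDIRECT rule produced.
-A INPUT -i eth3 -p tcp --dport 8443 -m conntrack --ctorigdstport 443 -j ACCEPT
-A INPUT -i eth3 -j DROP
COMMIT
EOF
}

# Number of active (uncommented) rules that open 8443 without the
# ctorigdstport restriction; 0 means no direct path to 8443 remains.
loose_8443_rules() {
    emit_ruleset | grep -v '^#' | grep -- '--dport 8443' | grep -vc 'ctorigdstport'
}

# Apply with:  sh this_script.sh apply   (root required; parse-checked first)
if [ "${1:-}" = "apply" ]; then
    emit_ruleset | iptables-restore --test && emit_ruleset | iptables-restore
fi
```

Running the script with no argument only defines the functions; `apply` validates the ruleset with `iptables-restore --test` before loading it, so a typo cannot leave the box with a half-applied table.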
I don't use Tomcat, but have you checked your Tomcat's port in the server.xml file? When I read http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File, it looks like it may use port 8443 as standard. EDIT: It is a connector port, not an internal redirection.