IP address specific port 80 to port of your choice NAT iptables rules

Corporate firewalls can be a pain: you could well drown in a sea of red tape and meetings just to route traffic across any port other than 80 and 443. In this post we avoid swimming upstream and go with the port 80 and 443 flow in a system-level quality assurance testing scenario, using a single iptables rule.

Before we get onto the iptables rules, here is the exact scenario to give this post context.

  1. We have a system under test, which has a public IP address, and a remote test server which also happens to have a public IP address.
  2. The system under test accepts REST calls on port 443, that is we are dealing with HTTPS traffic.
  3. The system under test, in response to REST calls, will fire asynchronous REST callbacks to our remote test server, so we are dealing with bi-directional communication.
  4. A corporate firewall dictates that the asynchronous REST callbacks can only happen on port 80 or on port 443.
  5. Our remote test server already has a service running on port 80, so our HTTP listener, that waits for incoming REST callbacks, will have to run on another available port, say 8009.

So, here is the configuration that we will have to do on our test server.

# Manual check of the rule below: on the test server run "sudo nc -l -v 8009",
# then ssh into the system under test (303.66.500.90) and run "nc -v -z 55.333.536.4 80"
iptables -t nat -I PREROUTING 1 -p tcp -s 303.66.500.90 --dport 80 -j REDIRECT --to-port 8009

Please note that the IP addresses were randomly generated. The rule above means that on our test server (with the IP address 55.333.536.4), we’ll redirect traffic arriving from our system under test (IP address 303.66.500.90) on port 80 to port 8009, where our test HTTP listener is presumably listening. The -s match is what keeps the redirect from also capturing traffic for the service already running on port 80.
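Because that -s match matters, here is an added check (not code from the original post) that reads an `iptables-save -t nat` dump and flags port-80 REDIRECT rules that apply to every source; the sample dump is constructed from the post's placeholder addresses.

```python
"""Audit an `iptables-save -t nat` dump for port-80 REDIRECT rules.

Added example, not code from the original post. It flags REDIRECT rules in
PREROUTING that lack a -s source match: on the post's test server such a
rule would also capture traffic for the service already listening on port 80.
"""
import shlex

# Constructed sample dump using the post's placeholder addresses: the
# post's source-restricted rule, a copy without -s, and an unrelated rule.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 303.66.500.90/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8009
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8009
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
"""

def _option(tokens, *names):
    """Value following the first of `names` present in tokens, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None

def parse_redirects(dump, chain="PREROUTING"):
    """One dict per REDIRECT rule appended to `chain` in the dump."""
    rules = []
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", chain] or _option(tokens, "-j") != "REDIRECT":
            continue
        src = _option(tokens, "-s", "--source")
        rules.append({
            "source": src.split("/")[0] if src else None,
            "dport": int(_option(tokens, "--dport") or 0),
            # iptables-save prints --to-ports; the post's rule used --to-port
            "to_port": int(_option(tokens, "--to-ports", "--to-port") or 0),
            "restricted": src is not None,
        })
    return rules

def unrestricted_redirects(dump, dport=80):
    """Redirects of `dport` that match every source address."""
    return [r for r in parse_redirects(dump)
            if r["dport"] == dport and not r["restricted"]]

if __name__ == "__main__":
    for r in unrestricted_redirects(SAMPLE_DUMP):
        print("unrestricted redirect: port %d -> %d" % (r["dport"], r["to_port"]))
```

On a live box, feed it the real dump with `sudo iptables-save -t nat`; only the second sample rule above is reported.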

That’s it, it’s working for me, hope it does for you too.

Ubuntu 12.04 Jenkins Configuration – Quick & Private

This post is concerned with getting Jenkins going on your public server as quickly as possible whilst keeping things private.

$ sudo apt-get install jenkins

If a service is already running on port 8080, Jenkins won’t start.

$ sudo tail /var/log/jenkins/jenkins.log

In such a case, let’s change the port, and we’ll do so in the config file.

$ sudo nano /etc/default/jenkins

If this is a public server, let’s add authentication, and we’ll take the quick route by appending the following to JENKINS_ARGS (naturally change the password to suit):

--argumentsRealm.passwd.admin=topsecret --argumentsRealm.roles.admin=admin

The configuration up to this point is not enough for a public web server, since the world at large can still see our main Jenkins page, but it’s a start, since at the very least we have administrative control. We would still want to run our service over HTTPS and add HTTP basic authentication, with the latter entailing fronting Jenkins with Apache and configuring an AJP connector between Jenkins and Apache.

If you are in a rush though, or just don’t want to install and administer Apache, you can use matrix-based security to disable read privileges for anonymous users. It is easy to lock out your sole admin user if you do this though, and if you do (as I did), you’ll have to shut down Jenkins, edit /var/lib/jenkins/config.xml, change <useSecurity>true</useSecurity> to <useSecurity>false</useSecurity>, and start it up again. All you’ll have to do is follow the instructions on this page for matrix-based security exactly (the sign-up step seems odd, but it seems necessary). After you have signed up, disable read access for the Anonymous user and you are good to go.

Upgrading

/usr/share/jenkins$ sudo service jenkins stop

/usr/share/jenkins$ sudo mv jenkins.war jenkins_old.war

/usr/share/jenkins$ sudo wget http://updates.jenkins-ci.org/download/war/1.480.3/jenkins.war

/usr/share/jenkins$ sudo service jenkins start