Ex Libris Knowledge Center

    IP Tables

    Linux 2.4.x and 2.6.x kernels provide the ip_tables packet filter that allows for stateful and stateless packet filtering, NAPT, PAT, and other packet manipulations. Specific rules are grouped into chains, which are also grouped into tables.
    The command-line program iptables allows you to set up, maintain, and inspect the tables, chains, and rules. In the examples below, each solution is presented as a set of iptables commands. For more information, refer to the iptables documentation for your operating system.
    Since these commands must usually be run as the root user, they should be reviewed carefully before execution. In addition, the commands will need to be run every time the server is rebooted. On many systems this can be automated by saving the output of iptables-save in /etc/sysconfig/iptables.

    IP Table Examples

    In the following examples, Primo and the PDS are both installed on a single server called server1 (All-in-One topology). Its IP address is 10.10.5.5, and DNS maps primo.library.edu to that address. The BO, FE, and PDS use the default ports of 1601, 1701, and 8991, respectively.

    Example 1: Port 80 to Primo FE

    This is the simplest port redirection that consists of the following parts:
    • Redirecting requests on port 80 to port 1701.
    • Ensuring access to ports 80 and 1701.
    • Allowing established connections to continue.
    This solution can also be used to redirect to the BO and PDS.
    # Port Redirection
    iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 1701
    iptables -t nat -A OUTPUT -d 10.10.5.5 -p tcp --dport 80 -j REDIRECT --to-ports 1701
    iptables -t nat -A PREROUTING -d 10.10.5.5 -p tcp --dport 80 -j REDIRECT --to-ports 1701
    # Allow access to ports 80 and 1701
    iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp -i eth0 --dport 1701 -j ACCEPT
    # Allow established connections to continue
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    Example 2: Port 80 to Primo FE, Port 443 to PDS

    This port redirection deals with the issue of overlapping services by using PDS with SSL. See the Patron Directory Services Guide for details on setting up PDS to run on port 1443 with SSL.
    In addition, the URLs in the PDS_URL, PDS_INTERNAL_URL, and PDS_Configuration_URL fields on the Primo Home > Advanced Configuration > General Configuration > Installation subsystem page need to be updated (for example, from http://primo.library.edu:8991/pds to https://primo.library.edu/pds).
    # Port Redirection - FE
    iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 1701
    iptables -t nat -A OUTPUT -d 10.10.5.5 -p tcp --dport 80 -j REDIRECT --to-ports 1701
    iptables -t nat -A PREROUTING -d 10.10.5.5 -p tcp --dport 80 -j REDIRECT --to-ports 1701
    # Port Redirection - PDS
    iptables -t nat -A OUTPUT -d localhost -p tcp --dport 443 -j REDIRECT --to-ports 1443
    iptables -t nat -A OUTPUT -d 10.10.5.5 -p tcp --dport 443 -j REDIRECT --to-ports 1443
    iptables -t nat -A PREROUTING -d 10.10.5.5 -p tcp --dport 443 -j REDIRECT --to-ports 1443
    # Allow access to ports 80, 1701, 443, & 1443
    iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp -i eth0 --dport 1701 -j ACCEPT
    iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp -i eth0 --dport 1443 -j ACCEPT
    # Allow established connections to continue
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    Example 3: Port 80 to Primo FE and PDS

    This port redirection deals with the issue of overlapping services by adding the IP address 10.12.6.6 to server1. A DNS entry is created that maps pds.library.edu to 10.12.6.6.
    In addition, the URLs in the PDS_URL, PDS_INTERNAL_URL, and PDS_Configuration_URL fields on the Primo Home > Advanced Configuration > General Configuration > Installation subsystem page need to be updated (for example, from http://primo.library.edu:8991/pds to http://pds.library.edu/pds).
    # Port Redirection - FE (10.10.5.5)
    iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 1701
    iptables -t nat -A OUTPUT -d 10.10.5.5 -p tcp --dport 80 -j REDIRECT --to-ports 1701
    iptables -t nat -A PREROUTING -d 10.10.5.5 -p tcp --dport 80 -j REDIRECT --to-ports 1701
    # Port Redirection - PDS (10.12.6.6)
    iptables -t nat -A OUTPUT -d 10.12.6.6 -p tcp --dport 80 -j REDIRECT --to-ports 8991
    iptables -t nat -A PREROUTING -d 10.12.6.6 -p tcp --dport 80 -j REDIRECT --to-ports 8991
    # Allow access to ports 80, 1701, & 8991
    iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp -i eth0 --dport 1701 -j ACCEPT
    iptables -A INPUT -p tcp -i eth0 --dport 8991 -j ACCEPT
    # Allow established connections to continue
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
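    The three examples above are the same five-rule pattern applied to different address/port pairs (OUTPUT and PREROUTING REDIRECT rules in the nat table, plus INPUT ACCEPT rules for the public and service ports). The script below is an added example, not part of the Ex Libris page: it generates that pattern for any server IP and port pair, so Example 3's PDS rules are just a second call with the localhost rule switched off, and it checks an iptables-save dump for the resulting PREROUTING rule so that a rebooted server can be verified before it is put back into service. The function names (primo_redirect_rules, primo_state_rules, check_redirect) and the dump in SAMPLE_DUMP are this example's own constructions, not Primo or iptables identifiers; the dump is not captured from a real Primo server. It runs without root because it only prints commands and inspects text.

```shell
#!/bin/sh
# Added example, not from the Ex Libris page. Generates the page's iptables
# rule pattern for one "public port -> service port" redirection and checks
# an iptables-save dump for the resulting rule. All function names and the
# sample dump are this example's own constructions.

# Print the rules the page uses for one redirection:
#   $1 = server IP clients connect to, $2 = public port, $3 = service port,
#   $4 = inbound interface (default eth0, as on the page),
#   $5 = "yes" to also redirect traffic addressed to localhost (the page does
#        this for the primary IP only; Example 3's second IP gets "no").
primo_redirect_rules() {
    ip=$1; pub=$2; svc=$3; ifc=${4:-eth0}; with_lo=${5:-yes}
    if [ "$with_lo" = yes ]; then
        echo "iptables -t nat -A OUTPUT -d localhost -p tcp --dport $pub -j REDIRECT --to-ports $svc"
    fi
    # Locally generated traffic to the server's own address traverses OUTPUT;
    # traffic from other hosts traverses PREROUTING. REDIRECT rewrites the
    # destination port to the local service port.
    echo "iptables -t nat -A OUTPUT -d $ip -p tcp --dport $pub -j REDIRECT --to-ports $svc"
    echo "iptables -t nat -A PREROUTING -d $ip -p tcp --dport $pub -j REDIRECT --to-ports $svc"
    # After NAT the packet reaches INPUT carrying the service port, so both
    # ports are accepted; these rules only matter if INPUT's policy is DROP.
    echo "iptables -A INPUT -p tcp -i $ifc --dport $pub -j ACCEPT"
    echo "iptables -A INPUT -p tcp -i $ifc --dport $svc -j ACCEPT"
}

# The two state rules every example on the page ends with.
primo_state_rules() {
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Constructed sample of 'iptables-save -t nat' output after Example 1's FE
# rules are loaded. iptables-save prints hosts with a /32 mask and inserts
# "-m tcp" before --dport; the check below accounts for both.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 10.10.5.5/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 1701
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 1701
-A OUTPUT -d 10.10.5.5/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 1701
COMMIT'

# Return 0 if the dump ($1) holds the PREROUTING redirect for ip $2,
# public port $3 and service port $4; 1 otherwise. Whole-line fixed-string
# match, so "--to-ports 1701" cannot be satisfied by "--to-ports 17011".
check_redirect() {
    dump=$1; ip=$2; pub=$3; svc=$4
    printf '%s\n' "$dump" | grep -qxF -- "-A PREROUTING -d $ip/32 -p tcp -m tcp --dport $pub -j REDIRECT --to-ports $svc"
}

# Stand-alone run: print Example 3's complete rule set, then verify the
# sample dump (which only contains the FE rules, so the PDS check fails).
if [ "${1:-}" = "--demo" ]; then
    primo_redirect_rules 10.10.5.5 80 1701
    primo_redirect_rules 10.12.6.6 80 8991 eth0 no
    primo_state_rules
    check_redirect "$SAMPLE_DUMP" 10.10.5.5 80 1701 && echo "FE redirect present"
    check_redirect "$SAMPLE_DUMP" 10.12.6.6 80 8991 || echo "PDS redirect missing"
fi
```

    Run it with --demo to print the rules; on a real server, feed the generated lines to sh only after reviewing them as root, then compare the live tables with the generator's output via check_redirect "$(iptables-save -t nat)" and persist them as the page describes (iptables-save into /etc/sysconfig/iptables on systems that support it).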