Cybersecurity
DevOps Cloud (ADM)
IT Operations Cloud
In the Access Manager documentation the Port Redirection script works only for SUSE. I have modified the script and added a few more steps to run it on Redhat 7.x, which is using systemd. Follow the steps below:
# vi /etc/init.d/AM_IDP_Redirect
Paste the following Script, make changes in INTF and ADDR. Get the details using /sbin/ifconfig command:
#! /bin/sh
#! /etc/init.d/AM_IDP_Redirect
# ### BEGIN INIT INFO
# chkconfig: 345 99 76
# Provides: idp_8443_redirect
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: Redirect 8443 to 443 for Novell IDP
### END INIT INFO #
# Environment-specific variables.
IPT_BIN=/usr/sbin/iptables
INTF=ens33
ADDR=172.17.5.170
#. /etc/rc.status
# First reset status of this service
#rc_reset
case "$1" in
start)
echo -n "Starting IP Port redirection"
$IPT_BIN -t nat --flush
$IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 80 -j DNAT --to ${ADDR}:8080
$IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 443 -j DNAT --to ${ADDR}:8443
$IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 443 -j DNAT --to ${ADDR}:8443
$IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 80 -j DNAT --to ${ADDR}:8080
#rc_status -v
;;
stop)
echo -n "Flushing all IP Port redirection rules"
$IPT_BIN -t nat --flush
#rc_status -v
;;
restart)
echo -n "Restarting the Port redirection script"
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
#rc_exit
Make the script executable using the command below:
# chmod x /etc/init.d/AM_IDP_Redirect
Create a Service:
# vi /etc/systemd/system/AM_IDP_Redirect.service
Create and paste the script below and save it.
[Unit]
Description=IDP Port Redirect
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/init.d/AM_IDP_Redirect start
ExecRestart=/etc/init.d/AM_IDP_Redirect restart
ExecStop=/etc/init.d/AM_IDP_Redirect stop
TimeoutStartSec=0
[Install]
WantedBy=multiuser.target
Reinitialize the systemd by using:
# systemctl daemon-reload
Enable the AM_IDP_Redirect script to load, run the command below:
# systemctl enable AM_IDP_Redirect
Created symlink from /etc/systemd/system/multiuser.target.wants/AM_IDP_Redirect.service to /etc/systemd/system/AM_IDP_Redirect.service.
Start the Service:
# systemctl start AM_IDP_Redirect
Verify using:
# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 18 packets, 1296 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- ens33 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.17.5.170:8080
0 0 DNAT tcp -- ens33 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:172.17.5.170:8443
Chain INPUT (policy ACCEPT 18 packets, 1296 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4034 packets, 245K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 172.17.5.170 tcp dpt:443 to:172.17.5.170:8443
0 0 DNAT tcp -- * * 0.0.0.0/0 172.17.5.170 tcp dpt:80 to:172.17.5.170:8080
Reboot the server and then test using the above iptables command, you should get the same result.
Standard systemctl commands will also work:
As a fall-back you can also use the commands below:
For troubleshooting check the logs in /var/log/messages.
Ref: https://www.netiq.com/documentation/access-manager-44/install_upgrade/data/b6fyxpk.html#redirectscript