# IP Forwarding Instructions (Linux) {% hint style="info" %} Test Data Orchestrator (TDO) has been re-branded to Wayfinder as of Q1 2026. These documents are currently being re-written to reflect that change. Test Data Orchestrator / TDO / Wayfinder all refer to the same product throughout these documents. {% endhint %} ## Linux/Unix Port Configuration Guide Wayfinder (TDO) runs on port 8080/8443. The typical http/https server configuration for Linux/Unix (\*nix) servers is port 80/443. These ports are considered privileged on Unix/Linux systems and processes using them must be owned by the root; i.e., they must have root privileges. Running Wayfinder (TDO) as root is not recommended. It should be run as its own user on the Unix/Linux server. There are two solutions that will allow for forwarding traffic from port 80/443 to 8080/8443: · Use iptables in Linux to forward traffic from port 80/443 to 8080/8443. · Use a proxy server (such as Apache) to act as the front-end server for Wayfinder (TDO) and forward proxy requests. While we generally recommend the first option as being lower cost and requiring less maintenance overhead, the option you select should align with your organization’s security policy and enterprise architecture standards. ## Running Wayfinder (TDO) on port 80 or 443 using iptables port forwarding (\*nix systems only) ### Prerequisites to forwarding The information provided below is generic; if you are not familiar with using the iptables command in your version of Unix/Linux you should refer to the appropriate documentation for further information. \[For example, for RHEL you would refer to [Sysadmin tools: How to use iptables | Enable Sysadmin (redhat.com)](https://www.redhat.com/sysadmin/iptables)] The first step is to confirm that traffic is enabled on all four of these ports using the command below to view your current iptables configuration. iptables -L -n This command will return the full iptables configuration. In the output you should see rules for all four ports (80, 8080, 443, and 8443) in the ‘ACCEPT’ section. A sample output is shown below. |

Chain INPUT (policy ACCEPT) target prot opt source destination

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED, ESTABLISHED

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22

REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT) target prot opt source destination

REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT) target prot opt source destination target prot opt source

| | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | If you don't see entries for all four ports, then you need to run commands (as root or with sudo) to add those ports. The following commands would be used to add all four ports using sudo; only run commands for the ports you need to enable. sudo iptables -I INPUT 1 -p tcp --dport 8443 -j ACCEPT sudo iptables -I INPUT 1 -p tcp --dport 8080 -j ACCEPT sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT The command to add the ports to the table can be used with the -I or -A option before the INPUT statement. It is recommended that you use ‘-I INPUT 1’ instead of ‘-A INPUT’. The -I option will insert the new rule as the first entry in the iptables file, while the -A option will append the new rule to the end of the table. Having heavily used rules at the top of the table is more efficient. Run *iptables -L -n* again and you should now see entries for these 4 ports. ### Forwarding to 8080/8443 With traffic on the ports allowed, you can run the command to forward port 80 traffic to 8080, and port 443 traffic to 8443. The commands are shown below. sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT -to-port 8080 sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT -to-port 8443 Verify the forwarding rules by running the *iptables -L -n* command again. ### Saving iptables configuration The commands shown above only changed current, in-memory configuration. It does not persist between restarts of the iptables service. To make the changes permanent you will need to update the *iptables* configuration. Saving the configuration is slightly different between RedHat-based and Debian-based systems. On a RedHat-based system (Fedora, CentOS, RHEL, etc), issue the following command: sudo iptables-save > /etc/sysconfig/iptables On a Debian-based system (Debian, Ubuntu, Mint, etc), issue the following command: sudo sh -c "iptables-save > /etc/iptables.rules" The final action you will need to take will be to configure your server to automatically run the ‘iptables-restore’ command on system reboot. If you do not take this step, you will need to run the command manually after each reboot and Wayfinder (TDO) will not run until this is done. This command may vary depending on your specific Unix/Linux software; you should confirm against your system manuals to ensure that you configure this correctly. ### Validating the forwarding changes Once Wayfinder (TDO) is installed, attempt to access your instance on port 80. Your URL should stay on port 80, and forward in the background. The fact that the server is forwarding from 80 to 8080 (or 443 to 8443) should remain hidden from the end user. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.apica.io/platform-docs/test-data-orchestrator-tdo/technical-guides/ip-forwarding-instructions-linux.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.