Diff: PortForwarding - Waikato Linux Users Group

Differences between version 4 and predecessor to the previous major change of PortForwarding.

Other diffs: Previous Revision, Previous Author, or view the Annotated Edit History

Newer page:	version 4	Last edited on Saturday, June 3, 2006 7:48:27 am	by AristotlePagaltzis	Revert
Older page:	version 3	Last edited on Saturday, September 11, 2004 3:22:57 pm	by CraigBox	Revert

@@ -1,22 +1,12 @@

-~~After asking PerryLorier about allowing~~ a ~~user~~ process ~~to bind to port 80, the response~~ that ~~he and JohnMcPherson gave didn't leave me feeling all too inspired about achieving the task without stress and fatigue.%%%~~

-~~%%%~~

-~~<Bryin> Isomer: Do you know how~~ to ~~let user processes bind to ports <~~ 1024~~%%%~~

-~~<@Isomer> Bryin: run~~ as ~~root?%%%~~

-~~<@Isomer> or give them cap_net IIRC%%%~~

-~~<kinko> Bryin: only root can... normally your program~~ is ~~setuid root, and after binding~~ to ~~the port~~ it ~~immediately changes~~ to ~~nobody or~~ some ~~other normal user%%%~~

-~~<@Isomer> Bryin:~~ the ~~answer is, normally it doesn't work very well at all~~ .~~%%%~~

-~~<@Isomer> as root you can give yourself the cap_net_bind privilege~~ , ~~then change user, keeping that privilege%%%~~

-~~<Bryin> I'll wiki~~ this ~~when I find a tidy solution%%%~~

+If you want to be able to run a process that responds to requests on a [Port] below 1024 without running it as the SuperUser, a simple approach is to have it bind to some port above 1024, then configure a lower layer in the NetworkStack to do the legwork . On [Linux] , a convenient way to achieve this is by using iptables(8):

-~~After this dialogue on the [IRC] channel of [#wlug], I proceeded to think about cats and skinning. I then realised, "There is another solution!".~~

-~~I had decided I was going to make the application (a [Java] server) bind~~ to port ~~8080 and get the OperatingSystem to perform the legwork.~~

+<pre>

+iptables --table nat -A PREROUTING -p tcp --dport <i>$external_port</i> -i eth0 -j REDIRECT -- to-ports <i>$local_ port</i>

+</pre>

-~~Thankfully this turned out~~ to ~~be much easier than I expected~~ .

+This way, you could have a process bind to port 8080 locally, but have it appear to outsiders as though it was listening on port 80 .

-~~I configured the port forwarding with the command below~~ (~~replacing content between the angled brackets with the appropriate port numbers)~~

- ~~iptables --table nat -A PREROUTING -p tcp --dport~~ <~~incoming port~~ > ~~-i eth0 -j REDIRECT --to-ports~~ <~~local port~~ >

+(Don’t forget to issue something like <tt >/etc/init.d/iptables save </tt > so this configuration won’t be lost on reboot.)

-~~Then I saved the configuration so that things work after, heaven forbid, a reboot!~~

- ~~/etc/init.d/iptables save~~

----

UserSubmittedNotes