Differences between version 4 and predecessor to the previous major change of PortForwarding.
Newer page: version 4, last edited on Saturday, June 3, 2006 7:48:27 am by AristotlePagaltzis
Older page: version 3, last edited on Saturday, September 11, 2004 3:22:57 pm by CraigBox
@@ -1,22 +1,12 @@
-After asking PerryLorier about allowing
a user
process to bind to port 80, the response
that he and JohnMcPherson gave didn't leave me feeling all too inspired about achieving the task without stress and fatigue.%%%
-%%%
-<Bryin> Isomer: Do you know how
to let user processes bind to ports <
1024%%%
-<@Isomer> Bryin: run
as root?%%%
-<@Isomer> or give them cap_net IIRC%%%
-<kinko> Bryin: only root can... normally your program
is setuid root, and after binding
to the port
it immediately changes
to nobody or
some other normal user%%%
-<@Isomer> Bryin:
the answer is, normally it doesn't work very well at all
.%%%
-<@Isomer> as root you can give yourself the cap_net_bind privilege
, then change user, keeping that privilege%%%
-<Bryin> I'll wiki
this when I find a tidy solution%%%
+If you want to be able to run
a process that responds
to requests on a [Port] below
1024 without running it
as the SuperUser, a simple approach
is to have
it bind
to some port above 1024, then configure a lower layer in
the NetworkStack to do the legwork
. On [Linux]
, a convenient way to achieve
this is by using iptables(8):
-After this dialogue on the [IRC] channel of [#wlug], I proceeded to think about cats and skinning. I then realised, "There is another solution!".
-I had decided I was going to make the application (a [Java] server) bind
to port 8080 and get the OperatingSystem to perform the legwork.
+<pre>
+iptables --table nat -A PREROUTING -p tcp --dport <i>$external_port</i> -i eth0 -j REDIRECT --
to-ports <i>$local_
port</i>
+</pre>
-Thankfully this turned out
to be much easier than I expected
.
+This way, you could have a process bind
to port 8080 locally, but have it appear to outsiders as though it was listening on port 80
.
-I configured the port forwarding with the command below
(replacing content between the angled brackets with the appropriate port numbers)
- iptables --table nat -A PREROUTING -p tcp --dport
<incoming port
> -i eth0 -j REDIRECT --to-ports
<local port
>
+(Don’t forget to issue something like
<tt
>/etc/init.d/iptables save
</tt
> so this configuration won’t be lost on reboot.)
-Then I saved the configuration so that things work after, heaven forbid, a reboot!
- /etc/init.d/iptables save
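Review bot: The added rule `iptables --table nat -A PREROUTING -p tcp --dport $external_port -i eth0 -j REDIRECT --to-ports $local_port` only rewrites packets that arrive on eth0, so a connection made from the host itself (testing with a browser pointed at localhost:80) never traverses PREROUTING and will not reach the listener on 8080; the page should say so, or show the matching nat OUTPUT rule for loopback traffic, and mention that `eth0` must be replaced with the actual external interface. Two smaller points: inside `<pre>` the `<i>$external_port</i>` markup is likely to be shown literally rather than italicised, so plain `$external_port` and `$local_port` would be safer; and the removed IRC lines mentioned the `cap_net_bind` capability approach, which is worth keeping as a one-line alternative, since with the redirect the unprivileged process never holds port 80 itself and the rule stays in effect whether or not that process is running.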
----
UserSubmittedNotes