Here's a quick tutorial on how to make unprivileged programs listen on privileged ports (ports below 1024, which on Unix only root may bind). The trick is to have the unprivileged program listen on an unprivileged port and redirect the privileged port to it with iptables.

Here's a concrete example. Let's say you want to run a web server on port 80 but don't want to run it as root, because a root process that parses untrusted input from the network hands an attacker the whole machine if it is compromised. Instead, run the web server on port 8080 (or any other unprivileged port) as a normal user and redirect port 80 to 8080 with iptables.

You'll need at least two iptables rules. The first, in the nat table's PREROUTING chain, redirects TCP traffic arriving on any network interface for port 80 to port 8080. PREROUTING only sees packets that come in from the network, not packets the host generates itself, which is why the rules that follow are needed as well:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

The second rule, in the nat table's OUTPUT chain, handles connections the host makes to itself on 127.0.0.1, since locally generated packets never traverse PREROUTING:

iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

You may also need a third rule for local connections addressed to the public IP (or hostname) of the service. Prefer the numeric address: iptables resolves a hostname once, when the rule is added (creating one rule per address it resolves to), so a later DNS change does not update the rule:

iptables -t nat -I OUTPUT -p tcp -d hostname.com --dport 80 -j REDIRECT --to-ports 8080

Two caveats. This does not make port 8080 privileged: any local process that manages to bind 8080 (for instance while your server is down) will receive the traffic meant for port 80, and clients can still connect to 8080 directly unless you filter it. And these rules are IPv4 only; if the host serves IPv6, repeat them with ip6tables.
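The rules above as a script, added here as an example and not part of the original post: it adds the rules idempotently (re-running it never duplicates a rule), reports how many are missing, and adds a fourth rule in the filter table so that clients on the network cannot reach port 8080 directly and bypass the redirect. The public address 203.0.113.10, the service port 8080, the function names (redirect_rules, ipt, ensure_rules, missing_rules) and the DRY_RUN switch are this example's own assumptions; applying anything needs root and an iptables with -C (1.4.11 or later) and the conntrack match.

```shell
#!/bin/sh
# Added example (not from the original post): set up the port 80 -> 8080
# redirect idempotently and verify it. Assumed values: public address
# 203.0.113.10 (a documentation address, substitute your own), service on
# port 8080, iptables 1.4.11+ (for -C) with the conntrack match available.

PRIV_PORT=${PRIV_PORT:-80}
UNPRIV_PORT=${UNPRIV_PORT:-8080}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}
IPTABLES=${IPTABLES:-iptables}

# Print the rules as "table chain rule-spec", one per line. The public IP is
# numeric on purpose: iptables resolves a hostname once, when the rule is
# added, so a later DNS change would leave a stale rule behind. The fourth
# rule (filter table) drops connections that reach port 8080 directly from
# the network: a redirected connection has original destination port 80 in
# conntrack, a direct one has 8080. Loopback is exempt so local health
# checks against 127.0.0.1:8080 keep working.
redirect_rules() {
    priv=$1; unpriv=$2; ip=$3
    printf '%s\n' \
      "nat PREROUTING -p tcp --dport $priv -j REDIRECT --to-ports $unpriv" \
      "nat OUTPUT -p tcp -d 127.0.0.1 --dport $priv -j REDIRECT --to-ports $unpriv" \
      "nat OUTPUT -p tcp -d $ip --dport $priv -j REDIRECT --to-ports $unpriv" \
      "filter INPUT ! -i lo -p tcp --dport $unpriv -m conntrack --ctorigdstport $unpriv -j DROP"
}

# Wrapper around iptables. With DRY_RUN set it prints the commands it would
# run and pretends no rule exists yet, so the complete set is shown.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        if [ "$3" = "-C" ]; then return 1; fi
        echo "$IPTABLES $*"
        return 0
    fi
    $IPTABLES "$@"
}

# Append each rule unless an identical one is already present (-C exits 0
# when it is), so the script can be re-run without duplicating rules.
# $spec is left unquoted on purpose: it must split into separate arguments.
ensure_rules() {
    redirect_rules "$PRIV_PORT" "$UNPRIV_PORT" "$PUBLIC_IP" |
    while read -r table chain spec; do
        ipt -t "$table" -C "$chain" $spec 2>/dev/null ||
        ipt -t "$table" -A "$chain" $spec
    done
}

# Print how many of the expected rules are absent (0 means fully set up).
missing_rules() {
    redirect_rules "$PRIV_PORT" "$UNPRIV_PORT" "$PUBLIC_IP" |
    while read -r table chain spec; do
        ipt -t "$table" -C "$chain" $spec 2>/dev/null || echo missing
    done | grep -c missing || true
}

case "${1:-}" in
    apply) ensure_rules; echo "rules still missing: $(missing_rules)" ;;
    check) echo "rules missing: $(missing_rules)" ;;
esac
```

Run it as root with the argument apply, or check to see how many rules are absent; DRY_RUN=1 prints the commands instead of running them. The filter rule is appended to the end of INPUT, so if an earlier rule already accepts port 8080 it will never be reached; put it ahead of that rule or drop the accept. Rules added this way do not survive a reboot; persist them with iptables-save or your distribution's firewall configuration.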

If you're unfamiliar with iptables, see the frozen tux iptables tutorial. It's the best iptables tutorial out there.

Comments

Bob Permalink
October 27, 2013, 23:53

This is cool but I don't have iptables. How can you do this with pf or ipfw?

Klickback Permalink
October 28, 2013, 06:21

@Bob: With pf on FreeBSD, I use something like this:

# Let's assume your public-facing interface is called "re0" and
# public IP is "1.2.3.4". Substitute your own values here
ext_if="re0"
ext_addr="1.2.3.4"

# Let's say you have nginx running on port 8080
# Forward nginx's port 8080 to external IP port 80
rdr on $ext_if proto tcp from any to $ext_addr/32 port 80 tag nginx -> $ext_addr port 8080

#Allow visitors to Nginx on port 8080
pass in quick on $ext_if proto tcp from any to $ext_addr port 8080 tagged nginx

bob Permalink
October 29, 2013, 00:10

Cool, thanks!

October 28, 2013, 08:49

Under Linux you can also use authbind to selectively enable the usage of low (< 1024) ports by non-root programs.

logoff Permalink
October 28, 2013, 14:37

It is a good solution, but it has security implications too. You can create an unprivileged program that uses privileged ports. It sounds obvious, but it needs to be considered anyway.

Thank you for the iptables trick!

November 10, 2013, 07:28

Thank you for your time and effort to summarize everything for the audience. I am truly learning from your experience.
Thanks again for the useful resource. You have a very good site also! Threads are very interesting! Thank you very much for allowing me to comment on such a good site. Thanks!

November 11, 2013, 09:58

A very good and informative article indeed. It helps me a lot to enhance my knowledge.

December 18, 2013, 13:10

This is a very significant blog. Thanks for sharing your thoughts. Keep up the good job in posting very good topics.

March 14, 2014, 07:48

I am very happy to read this article..thanks

November 12, 2013, 13:05

Very cool but it has major security implications

Peter Permalink
November 13, 2013, 20:46

Sweet! I was doing this using Apache (pushing port 80 to a VM, but the VM manager was not running as root), but this is much better. I had to modify the approach somewhat because I'm using ufw (https://help.ubuntu.com/10.04/serverguide/firewall.html).
Here's what I did to make it work:

Turn on forwarding for ufw first:
edit /etc/default/ufw
  change DEFAULT_FORWARD_POLICY="DROP" to DEFAULT_FORWARD_POLICY="ACCEPT"
edit /etc/ufw/sysctl.conf
  uncomment net/ipv4/ip_forward=1

Then add the forwarding rules to /etc/ufw/before.rules
(to the top of the file just after the header comments):
#nat Table rules
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
COMMIT

Save changes and bounce ufw:
sudo ufw disable && sudo ufw enable

Allow the unprivileged port through the firewall:
sudo ufw allow 8080 

November 15, 2013, 00:33

Notice that you can also send file descriptors through unix domain sockets, using sendmsg(2). So you can open the listening socket using a root process that passes it through a unix domain socket to your non-root process.

(Btw, you should get comment-rss-feeds for your comment threads.)

seth Permalink
November 20, 2013, 12:03

You can use capabilities to enable the same thing.

setcap 'cap_net_bind_service=+ep' /path/to/program

December 02, 2013, 01:00

Yes, but only under Linux. The other possibility works on other Unix systems too.
