Here's a quick tutorial on how to make unprivileged programs listen on privileged ports. The trick is to have the unprivileged program listen on an unprivileged port and use iptables to redirect the privileged port to it.

Here's a concrete example. Let's say you want to run a web server (on port 80) but don't want to run it as root as it has security implications. What you do instead is run your web server on port 8080 (or any other unprivileged port) and redirect port 80 to 8080 with iptables.

You'll need at least 2 iptables rules to set it up. The first rule will redirect all incoming traffic on all public interfaces from port 80 to port 8080:

iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8080

The second rule will redirect all localhost traffic from port 80 to port 8080:

iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

You might also need a third rule that will redirect all localhost traffic directed to the public IP (or hostname) of the service:

iptables -t nat -I OUTPUT -p tcp -d hostname.com --dport 80 -j REDIRECT --to-ports 8080

If you're unfamiliar with iptables, see the frozen tux iptables tutorial. It's the best iptables tutorial out there.
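Because 8080 is an unprivileged port, any local account can bind it whenever the web server is not running, and the redirect rules above will then hand port-80 traffic to that process. The following check is an added example, not part of the original post: it reads text in /proc/net/tcp format and reports whether the listener on the redirect target belongs to the expected UID. The UID 33 and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit who owns the listener behind the 80 -> 8080 redirect.
# Input is text in /proc/net/tcp (or tcp6) format. Fields used:
#   $2 = local address as HEXIP:HEXPORT, $4 = state (0A = LISTEN), $8 = owner UID

# check_listener PORT EXPECTED_UID [FILE...]
# Reads FILEs (or stdin) and prints one verdict:
#   ok | missing | unexpected-owner uid=N [uid=M ...]
check_listener() {
    port_hex=$(printf '%04X' "$1")
    expected_uid=$2
    shift 2
    awk -v want="$port_hex" -v uid="$expected_uid" '
        $4 == "0A" {
            # The port is the part after the last colon (works for tcp and tcp6).
            n = split($2, addr, ":")
            if (toupper(addr[n]) != want) next
            found = 1
            if ($8 != uid) bad = bad " uid=" $8
        }
        END {
            if (!found)   print "missing"
            else if (bad) print "unexpected-owner" bad
            else          print "ok"
        }' "$@"
}

# Constructed sample: a uid-0 listener on port 22, a uid-33 listener on
# 8080 (0x1F90), and one established connection that must be ignored.
sample_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000    33        0 33333 1 0000000000000000 100 0 0 10 0
EOF
}

# Demo on the sample. On a live host, pass the real tables instead:
#   check_listener 8080 "$(id -u SERVICE_USER)" /proc/net/tcp /proc/net/tcp6
# where SERVICE_USER is a placeholder for the account the web server runs as.
sample_tcp | check_listener 8080 33
```

A verdict of `missing` matters as much as `unexpected-owner`: while nothing is listening on 8080, the port is free for any local user to take.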

Comments

Bob Permalink
October 27, 2013, 23:53

This is cool but I don't have iptables. How can you do this with pf or ipfw?

Klickback Permalink
October 28, 2013, 06:21

@Bob: With pf on FreeBSD, I use something like this:

# Let's assume your public-facing interface is called "re0" and
# public IP is "1.2.3.4". Substitute your own values here
ext_if="re0"
ext_addr="1.2.3.4"

# Let's say you have nginx running on port 8080
# Forward nginx's port 8080 to external IP port 80
rdr on $ext_if proto tcp from any to $ext_addr/32 port 80 tag nginx -> $ext_addr port 8080

#Allow visitors to Nginx on port 8080
pass in quick on $ext_if proto tcp from any to $ext_addr port 8080 tagged nginx

bob Permalink
October 29, 2013, 00:10

Cool, thanks!

October 28, 2013, 08:49

Under Linux you can also use authbind to selectively enable the usage of low (< 1024) ports by non-root programs.

logoff Permalink
October 28, 2013, 14:37

It is a good solution, but it has security implications too. You can create an unprivileged program that uses privileged ports. It sounds obvious, but needs to be considered anyway.

Thank you for the iptables trick!

November 12, 2013, 13:05

Very cool but it has major security implications

Peter Permalink
November 13, 2013, 20:46

Sweet! I was doing this using Apache (pushing port 80 to a VM, but the VM manager was not running as root), but this is much better. I had to modify the approach somewhat because I'm using ufw (https://help.ubuntu.com/10.04/serverguide/firewall.html).
Here's what I did to make it work:

Turn on forwarding for ufw first:
edit /etc/default/ufw
  change DEFAULT_FORWARD_POLICY="DROP" to DEFAULT_FORWARD_POLICY="ACCEPT"
edit /etc/ufw/sysctl.conf
  uncomment net/ipv4/ip_forward=1

Then add the forwarding rules to /etc/ufw/before.rules
(to the top of the file just after the header comments):
#nat Table rules
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
COMMIT

Save changes and bounce ufw:
sudo ufw disable && sudo ufw enable

Allow the unprivileged port through the firewall:
sudo ufw allow 8080

November 15, 2013, 00:33

Notice that you can also send file descriptors through unix domain sockets, using sendmsg(2). So you can open the listening socket using a root process that passes it through a unix domain socket to your non-root process.

(Btw, you should get comment-rss-feeds for your comment threads.)

seth Permalink
November 20, 2013, 12:03

You can use capabilities to enable the same thing.

setcap 'cap_net_bind_service=+ep' /path/to/program

December 02, 2013, 01:00

Yes, but only under Linux. The other possibility works on other Unix-Systems too.
