Running Web Services on Non-standard Ports
==========================================
:author: Aaron Ball
:email: nullspoon@iohq.net


== {doctitle}

Working in the world of systems administration has taught me a lot, especially
with regard to security. One thing I hope never to take for granted is the
seemingly endless pool of knowledge found in IT departments. There is almost
always something new to learn from someone.
13
Since I have been learning so much from other people, I decided to rebuild my
web server in an attempt to harden it a bit and to practice building stuff (who
doesn't like building stuff, I mean come on... Legos anyone?). One of the things
I changed in my process was building everything from source and running it as
non-privileged users rather than installing it from repos. One advantage of
doing this is that each of your services runs as a user that has no access to
the rest of the system, provided the accounts are set up right (i.e., no sudo,
no ssh login, and no access to other services' files). The one disadvantage is
that the services can't bind to ports 1024 and below. For web servers, this
really only affects Apache, nginx, lighttpd, or whatever web server you are
using, since most other software (i.e., PHP, MySQL, etc.) already listens on
ports higher than 1024.
25
That said, people don't visit our websites on some randomly chosen port, do
they?

Nope.

So how do we let them reach a web server that is listening on a port other
than 80?

The answer is iptables using NAT. Basically, we need to take incoming traffic
destined for port 80 and redirect it to our web server's port (in my case,
8080). This works for other services as well, but for the purposes of this
post we'll simply translate port 80 traffic.
38
The iptables command you'll need for this is as follows (the REDIRECT target
lives in the nat table, so `-t nat` is required; without it iptables reports
that there is no PREROUTING chain):

----
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
----
44
What we've got here is not super hard. Basically, before we do anything else
(the PREROUTING chain of the nat table, `-t nat`) with our port 80
(--dport 80) tcp (-p tcp -m tcp) network traffic, we redirect (-j REDIRECT)
the traffic to port 8080 (--to-ports 8080). You can of course do this with
https traffic as well. Here's another example using that:

----
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
----
54
Pretty handy, huh?
56
One note on this before signing off. If your INPUT chain has a default policy
of DROP, you need to add ACCEPT rules for tcp port 80 and your web server port
(8080 and 8443 in the examples).
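Putting the redirect and the accompanying INPUT rules together, here is an added helper script (not from the original post) that prints the full rule set for a public/service port pair so it can be reviewed before being applied as root. The function names `redirect_rules`, `validate_ports` and `setup_web_redirect` are my own; the script also covers one case the post does not mention, namely that locally generated traffic (e.g. testing with curl on the server itself) never passes through PREROUTING and needs a matching rule in the nat OUTPUT chain.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the iptables rules that make a
# web server listening on an unprivileged port reachable on its well-known port.
# Function names here are assumptions; only the iptables syntax mirrors the post.

# Usage: redirect_rules <public_port> <service_port>
# Prints one iptables command per line so the set can be reviewed first.
redirect_rules() {
    pub=$1
    svc=$2
    # Incoming packets: rewrite the destination port before routing (nat table).
    echo "iptables -t nat -A PREROUTING -p tcp -m tcp --dport $pub -j REDIRECT --to-ports $svc"
    # Locally generated packets never traverse PREROUTING, so cover loopback
    # traffic (curl http://localhost/ from the box itself) in nat OUTPUT too.
    echo "iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport $pub -j REDIRECT --to-ports $svc"
    # With a default-DROP INPUT policy, accept both ports, as the post notes.
    echo "iptables -A INPUT -p tcp -m tcp --dport $pub -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m tcp --dport $svc -j ACCEPT"
}

# Sanity-check the ports: both numeric, and the service port must be above
# 1024, since the whole point is that the daemon runs without root.
validate_ports() {
    case "$1" in ''|*[!0-9]*) return 1;; esac
    case "$2" in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
    [ "$2" -gt 1024 ] && [ "$2" -le 65535 ] || return 1
    return 0
}

# Usage: setup_web_redirect <public_port> <service_port> [apply]
# Without the literal word "apply" it is a dry run that only prints the rules.
setup_web_redirect() {
    validate_ports "$1" "$2" || { echo "invalid ports: $1 $2" >&2; return 2; }
    if [ "$3" = "apply" ]; then
        # Applying requires root; -e aborts on the first rule that fails.
        redirect_rules "$1" "$2" | sh -e
    else
        redirect_rules "$1" "$2"
    fi
}
```

Run `setup_web_redirect 443 8443` to review the rules and `setup_web_redirect 443 8443 apply` (as root) to install them.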


Category:Linux
Category:iptables


// vim: set syntax=asciidoc:
|