Tuesday, August 7, 2007

Userland http-servers: The `port < 1024'-problem vS hackers

Retrieved from:

How to do port redirection with Debian (and doing so, securing Tomcat)

First of all, I have to precise that I'm not a sysadmin, and you may not assume that the things as explained here are best way to handle the problem, or just that this is a correct one. This worked for me yesterday night, and I share my notes here so that I'll find this easier next time, and hoping that someone will find this useful and time saving.

The problem

Why whould you want to do port redirection?

If you want to put a web server on internet it would be great to have it run on standard http port (80), as many company proxies just refuse to connect on other ports. You can think to just configure tomcat's server.xml to run on port 80 instead of the default one, at 8080. Using unix, this would work only if you run tomcat as priviledged user (root) because of common users cannot bind port under 1024.

"What's the problem?" could you say, but - believe me - leving a server online with tomcat running with root priviledges can be a very bad idea.

So, resuming, the problem is:

  1. you would like to bind tomcat on http port
  2. you want to run tomcat with a restricted user, to avoid hackers to gain root privileges
  3. ... but restricted users cannot bind http port (1 & 2 are in conflict)

Possible Solutions

There may be many solutions to this problem. Searching the net I've found an article titled "Running JSP Through Apache with mod_jk2" explaining how to work around this limtation. There are three possibilities:

  1. Accessing Tomcat on Port 80 (running tomcat as root)
  2. Forwarding Incoming Port 80 requests to Port 8080 using iptables
  3. Using Apache to forward incoming requests on http port to tomcat on port 8080 (mod_jk2)
The first possibility is the root of my problem, not a solution :-) . And also the mentioned article says that it's not a great idea. Using iptables (configuring unix firewall) could be a good solution. Also using apache can be good and I don't like to add useless software layers ("just forwarding" is useless, imho), as additional layers too often add complessity to systems. So I choosed to use iptables port forwarding.

Iptables howto

Being a windows user, and not knowing much about unix administration, the first thing I searched over the net was the command to be typed to do port forwarding. I ever didn't know anything about iptables.
After some tries I find this:

hal9000:~# iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
hal9000:~# iptables-save

I tried at command line and it worked: request on http port were forwarded to tomcat! So, iptables is the solution. But after a reboot those rules were lost: the problem now is "how to make those rules persistent thru reboots?". Before continuing the search over the net I tried
"man iptables" then looking on my own hard disk I found a little howto in


Reading it (Chap "3. running iptables"), I've met a new utility: "The closest to standard is the
ipmasq package". I like to do things close to standards.
Things to do now:

  1. prepare a "self-written or acquired scripts to run at system startup" into /etc/init.d
  2. use update-rc.d to update the SysV run level processes
I tried to run ipmasq and I got a "command not found" error. This is a problem for apt-get :-) . I've installed ipmasq using the command "apt-get install ipmasq". After instal, the setup ask for some options and I just leaved the defaults. After an installation is always a good idea to run "mandb" command to update man databases.
Then I typed at command line:
hal9000:~# ipmasq -v
#: Interfaces found:
...ipmasq displayed lot of default settings here...

Good: ipmasq is there.
Now it's time for the scripts. To configure ipmasq you have to create a file .rul in /etc/ipmasq/rules path. Here's the mine:

hal9000:~# cat /etc/ipmasq/rules/F00chain.rul
#: **********************************************************
#: *** FORWARD CHAIN ***
#: **********************************************************
#: $IPTABLES -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

Now we've to configure SysV init system to run ipmasq on startup. Taking example from /etc/init.d/skeleton file, I've written following script:

hal9000:/etc/init.d# cat /etc/init.d/ipmasq
#! /bin/sh
# ipmasq.init Set up IP Masquerading for Debian systems


# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0

# Function that starts the daemon/service.
d_start() {

case "$1" in
echo -n "Starting $DESC: $NAME"
echo "."
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
exit 1

exit 0

hal9000:/etc/init.d# chmod 755 /etc/init.d/ipmasq

Notice that you have to chmod 755 the file (as shown upon) as it needs to be executable.
Then we've to update SysV runlevels procedures with following command (and its output):

hal9000:/etc/init.d# update-rc.d ipmasq defaults 10
Adding system startup for /etc/init.d/ipmasq ...
/etc/rc0.d/K10ipmasq -> ../init.d/ipmasq
/etc/rc1.d/K10ipmasq -> ../init.d/ipmasq
/etc/rc6.d/K10ipmasq -> ../init.d/ipmasq
/etc/rc2.d/S10ipmasq -> ../init.d/ipmasq
/etc/rc3.d/S10ipmasq -> ../init.d/ipmasq
/etc/rc4.d/S10ipmasq -> ../init.d/ipmasq
/etc/rc5.d/S10ipmasq -> ../init.d/ipmasq

This command says to create links to /etc/init.d/ipmasq script for all runlevels at position 10: you see that created files contains "K10" and "S10" in their name, they are the startup and kill links for the service. Runlevels links are executing in order by their name, so 10 means that our script will be executed quite early.

We've done. At next reboot we should see "Starting Firewall: ipmasq" message before the login prompt. Now - if all went right - your firewall should forward http request to port 8080. And you can run tomcat on port 8080 with a restricted user, and access it from internet on standard http port.

...and now you know it :-)

No comments: