
Untitled

By: a guest on Apr 28th, 2012  |  syntax: None  |  size: 3.02 KB  |  hits: 24  |  expires: Never
THE PROBLEM:

Standard practice says no non-root process gets to bind a port below 1024.  How, then, could I get Node talking on port 80 on EC2?  (I wanted it to go as fast as possible and use the smallest possible share of my teeny tiny little micro-instance's resources, so proxying through nginx or Apache seemed suboptimal.)


THE TEMPTINGLY EASY BUT TOTALLY WRONG SOLUTION:

Alter the port the script listens on from 8000 to 80:

}).listen(80);

.. and run it as root:

sudo /usr/local/bin/node foo.js

This is a Bad Idea, for all the standard reasons.  (Here's one:  every bug in the script, or in any module it loads, now runs as root, so if Node can be made to touch the filesystem for any reason, you're hosed.)


ONE POSSIBLE RIGHT WAY:

Add a port forwarding rule via iptables.


OH DEAR FAMILIAR FEELING YOU ARE A TOTAL N00B AND KNOW NOT ONE THING ABOUT IPTABLES.

First, I listed the rules currently running on the NAT (Network Address Translation) table:

[ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I saw nothing, so I felt free to add a rule redirecting packets sent to external port 80 to internal port 8000:

[ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8000

When I listed again, I saw a new PREROUTING chain:

[ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 8000

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

I checked my Node script, which was running on port 8000, and (yes!) it was responding on port 80.

During my early fumbling I screwed up a bunch of times. I removed busted rules by specifying the right table, the right chain, and the right rule number (sudo iptables -t nat -L --line-numbers shows the numbers), like so:

[ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -D PREROUTING 1

This removed the first rule from the PREROUTING chain in my nat table.


FINAL NOTE: I DID NOT DO THIS MYSELF BUT I HAVE A VERY STRONG FEELING I SHOULD BE VERY CAREFUL NOT TO SCREW UP PORT 22, WHICH IS MY ONLY WAY IN.
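As an added example (not part of the original paste), here is a small POSIX shell script that wraps the steps above in a safer form: it refuses to touch port 22, checks whether the REDIRECT rule already exists (iptables -C) before appending it so re-running it never stacks duplicate rules, and deletes the rule by its full specification instead of by a line number that may have shifted. The port values are hypothetical; set IPTABLES="sudo iptables" to run it as ec2-user.

```shell
#!/bin/sh
# Added example, not the original author's code. Assumes Linux with iptables
# 1.4.11 or newer (for -C) and enough privilege to edit the nat table.
# Usage: ./redirect.sh add|remove|show [public_port] [app_port]

IPTABLES="${IPTABLES:-iptables}"

# Return 0 only when both ports are numeric, in 1-65535, and neither is 22.
# Port 22 is the SSH port and the only way back into the instance.
validate_ports() {
    pub="$1"; app="$2"
    for p in "$pub" "$app"; do
        case "$p" in
            ''|*[!0-9]*) echo "port '$p' is not numeric" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port $p out of range" >&2; return 1; }
    done
    if [ "$pub" -eq 22 ] || [ "$app" -eq 22 ]; then
        echo "refusing to touch port 22 (SSH is the only way in)" >&2
        return 1
    fi
    return 0
}

# Print the rule specification shared by -C, -A and -D, so that checking,
# adding and deleting all refer to exactly the same rule.
redirect_spec() {
    echo "PREROUTING -p tcp --dport $1 -j REDIRECT --to-ports $2"
}

# Append the redirect only if it is not already present (-C checks, -A appends).
apply_redirect() {
    validate_ports "$1" "$2" || return 1
    spec=$(redirect_spec "$1" "$2")
    # $spec is intentionally unquoted so it expands into separate arguments
    if $IPTABLES -t nat -C $spec 2>/dev/null; then
        echo "rule already present: $spec"
    else
        $IPTABLES -t nat -A $spec && echo "added: $spec"
    fi
}

# Delete by specification rather than by index, so a stale line number
# cannot remove the wrong rule.
remove_redirect() {
    validate_ports "$1" "$2" || return 1
    spec=$(redirect_spec "$1" "$2")
    $IPTABLES -t nat -D $spec && echo "removed: $spec"
}

# Show the PREROUTING chain with the numbers that "-D PREROUTING <n>" expects.
show_nat() {
    $IPTABLES -t nat -L PREROUTING -n --line-numbers
}

case "${1:-}" in
    add)    apply_redirect "${2:-80}" "${3:-8000}" ;;
    remove) remove_redirect "${2:-80}" "${3:-8000}" ;;
    show)   show_nat ;;
esac
```

Two caveats worth knowing: the nat PREROUTING chain only sees packets that arrive on a network interface, so a test from the instance itself (curl to its own port 80) would need a matching rule in the nat OUTPUT chain; and rules added with -A live only in the running kernel, so they are gone after a reboot unless saved with the distribution's persistence mechanism.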


Thanks to @rckenned, @jrconlin, and @spullara ... see also http://iptables.rlworkman.net/chunkyhtml for a pretty definitive-looking iptables tutorial from @frozentux.