Linux : How to redirect traffic on a port - IT Security Pundit

Friday, June 17, 2022

Linux : How to redirect traffic on a port

On Linux, non-root users cannot bind to ports below 1024 (the privileged ports, which include HTTP on 80 and HTTPS on 443). Running a web server or application server as root to get around this is not recommended: any bug in a root-owned server process is a full host compromise. The approaches below let the server listen on an unprivileged port (8080, 8443) as an ordinary user while clients still connect to 80 and 443.

Solution

1. Using iptables

iptables can be used to redirect connections from port 443 to 8443 and from port 80 to 8080. Rules in the nat table rewrite the destination port before the packet is delivered to a socket, so the application server never needs to bind a privileged port. The following steps set this up so that it survives reboots:

  • Create a shell script that adds the iptables redirection rules on system startup and removes them on system shutdown.
  • Create a systemd service unit that runs the above script at startup and shutdown.

The script below assumes the external interface is eth0 and hard-codes the server's IP address; change both to match your server.

Create a shell script at /usr/bin/redirect-webports with the following contents:

#!/bin/sh
#
# /usr/bin/redirect-webports
#
### BEGIN INIT INFO
# Provides:       webport_8443_8080_redirect
# Required-Start:
# Required-Stop:
# Default-Start:  2 3 5
# Default-Stop:   0 1 6
# Description:    Redirect 443 to 8443 and 80 to 8080
### END INIT INFO

# Environment-specific variables: the external interface and the address
# the application server is reachable on. Change both to match this host.
IPT_BIN=/usr/sbin/iptables
INTF=eth0
ADDR=172.31.33.204

# rc_reset/rc_status/rc_exit come from /etc/rc.status on SUSE; provide
# no-op fallbacks so the script also runs on distributions without it.
if [ -r /etc/rc.status ]; then
    . /etc/rc.status
else
    rc_reset()  { :; }
    rc_status() { echo; }
    rc_exit()   { exit 0; }
fi
# First reset status of this service
rc_reset

case "$1" in
    start)
        printf '%s' "Starting IP Port redirection"
        # Note: --flush empties the whole nat table, including rules that
        # other software (e.g. container networking) may have added.
        $IPT_BIN -t nat --flush
        # Inbound connections arriving on $INTF
        $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 80  -j DNAT --to ${ADDR}:8080
        $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 443 -j DNAT --to ${ADDR}:8443
        # Locally generated connections to this host's own address
        # (PREROUTING does not see those; OUTPUT does)
        $IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 443 -j DNAT --to ${ADDR}:8443
        $IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 80  -j DNAT --to ${ADDR}:8080
        rc_status -v
        ;;
    stop)
        printf '%s' "Flushing all IP Port redirection rules"
        $IPT_BIN -t nat --flush
        rc_status -v
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
rc_exit


Make the script executable:

chmod +x /usr/bin/redirect-webports

Create a systemd unit file at /etc/systemd/system/redirect-webports.service with the following contents (Type=oneshot with RemainAfterExit=yes keeps the unit "active" after the start script has returned, so that ExecStop runs at shutdown):

[Unit]
Description=Webport-Redirection

After=local-fs.target network.target

[Service]
Type=oneshot
ExecStart=/usr/bin/redirect-webports start
ExecStop=/usr/bin/redirect-webports stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Execute the following commands to enable the unit at boot and start it now:

chmod +x redirect-webports.service
systemctl enable redirect-webports.service
systemctl start redirect-webports.service

Validate that the rules are in place. The PREROUTING chain should list two DNAT rules (dpt:80 to :8080 and dpt:443 to :8443) and the OUTPUT chain the two matching rules for local connections:

iptables -t nat -nvL
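The following is an added example, not the post's own script. It generalises the procedure above in three ways a defender usually wants: it uses the REDIRECT target (which rewrites to the address of the incoming interface, so no server IP has to be hard-coded), it adds each rule only if it is not already present (iptables -C) and removes only its own rules on stop instead of flushing the whole nat table, and it includes a checker that parses `iptables -t nat -nvL` output so the validation step can be scripted. IPT, INTF and PORT_PAIRS are assumed defaults; SAMPLE_NAT_OUTPUT is constructed output used only for demonstration.

```shell
#!/bin/sh
# Added example: idempotent port redirection plus a verifier for the
# `iptables -t nat -nvL` listing. All defaults below are assumptions.
IPT="${IPT:-/usr/sbin/iptables}"
INTF="${INTF:-eth0}"
PORT_PAIRS="${PORT_PAIRS:-80:8080 443:8443}"   # public:unprivileged

# Rule specs for one pair: inbound on INTF, and loopback for local clients.
rule_specs() {
    pub=$1; priv=$2
    echo "PREROUTING -i $INTF -p tcp --dport $pub -j REDIRECT --to-ports $priv"
    echo "OUTPUT -o lo -p tcp --dport $pub -j REDIRECT --to-ports $priv"
}

# Add a rule only if absent (-C checks for it), so restarts never stack
# duplicate rules.
ensure_rule() {
    # shellcheck disable=SC2086  # word splitting of the spec is intended
    $IPT -t nat -C $1 2>/dev/null || $IPT -t nat -A $1
}

# Delete only our rules; other nat rules (container networking etc.) survive.
drop_rule() {
    # shellcheck disable=SC2086
    $IPT -t nat -D $1 2>/dev/null || true
}

# Call $1 with every rule spec of every port pair.
for_each_spec() {
    for pair in $PORT_PAIRS; do
        rule_specs "${pair%%:*}" "${pair##*:}" | while IFS= read -r spec; do
            "$1" "$spec"
        done
    done
}

# Given `iptables -t nat -nvL` output on stdin, exit 0 when a REDIRECT rule
# from port $1 to port $2 exists in the PREROUTING chain, 1 otherwise.
has_redirect() {
    awk -v pub="$1" -v priv="$2" '
        /^Chain / { chain = $2 }
        chain == "PREROUTING" && $3 == "REDIRECT" &&
            index($0, "dpt:" pub " ") &&
            $0 ~ ("redir ports " priv "([^0-9]|$)") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Check every configured pair against the listing on stdin; report each one.
verify_all() {
    out=$(cat)
    rc=0
    for pair in $PORT_PAIRS; do
        pub=${pair%%:*}; priv=${pair##*:}
        if printf '%s\n' "$out" | has_redirect "$pub" "$priv"; then
            echo "ok: $pub -> $priv"
        else
            echo "MISSING: $pub -> $priv"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of what `iptables -t nat -nvL` prints once the rules
# for 80->8080 and 443->8443 are installed (not captured from a real host).
SAMPLE_NAT_OUTPUT='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
    2   120 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8443

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 REDIRECT   tcp  --  *      lo      0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080'

# With no argument the script only defines its functions; otherwise it acts
# like the init script above, plus "status" for the scripted check.
case "${1:-}" in
    start)  for_each_spec ensure_rule ;;
    stop)   for_each_spec drop_rule ;;
    status) $IPT -t nat -nvL | verify_all ;;
    "")     ;;
    *)      echo "Usage: $0 {start|stop|status}" >&2; exit 1 ;;
esac
```

Run it as root with start, stop or status; status exits non-zero when any configured redirection is missing, which makes it usable as a health check from a monitoring job. Because REDIRECT rewrites to the incoming interface's own address, the same script works unchanged when the server's IP changes.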

2. Using a proxy server

A reverse proxy such as Apache httpd or nginx can bind to ports 80 and 443 and forward all traffic to the application server on its unprivileged port. Only the proxy's master process needs root to bind the privileged ports; both httpd and nginx then drop privileges for the worker processes that actually handle client connections, so the application server itself still runs entirely as an unprivileged user.
