
@ijmorgado
Forked from kentbrew/node-on-ec2-port-80.md
Created June 3, 2013 05:54

Revisions

  1. @kentbrew revised this gist Jul 20, 2012. 1 changed file with 5 additions and 6 deletions.
    11 changes: 5 additions & 6 deletions node-on-ec2-port-80.txt
    @@ -2,7 +2,7 @@

    Standard practices say no non-root process gets to talk to the Internet on a port less than 1024. How, then, could I get Node talking on port 80 on EC2? (I wanted it to go as fast as possible and use the smallest possible share of my teeny tiny little micro-instance's resources, so proxying through nginx or Apache seemed suboptimal.)

    ## The temptingly easy but *very very wrong* solution:
    ## The temptingly easy but ultimately wrong solution:

    Alter the port the script talks to from 8000 to 80:

    @@ -14,13 +14,14 @@ Alter the port the script talks to from 8000 to 80:

    This is a Bad Idea, for all the standard reasons. (Here's one: if Node has access to the filesystem for any reason, you're hosed.)


    ## One possibly-right way:

    Add a port forwarding rule via `iptables`.

    ## Oh dear familiar feeling: you are a total n00b and know not one thing about iptables!
    ### Oh dear familiar feeling: you are a total n00b and know not one thing about iptables.

    No worries; turns out you only need to add a single rule. First, I listed the rules currently running on the NAT (Network Address Translation) table:
    First, I listed the rules currently running on the NAT (Network Address Translation) table:

    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -L

    @@ -33,7 +34,7 @@ No worries; turns out you only need to add a single rule. First, I listed the r
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    I saw nothing, so I felt free to add a rule bouncing packets from external port 80 to internal port 8000:
    I saw nothing, so I felt free to add a rule forwarding packets sent to external port 80 to internal port 8000:

    `[ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8000`

    @@ -61,8 +62,6 @@ I did not do this myself but throughout this process I had a very strong feeling

    ## Acknowledgements:

    [an example](http://example.com/ "Title")

    - [@rckenned](http://twitter.com/rckenned),
    - [@jrconlin](http://twitter.com/jrconlin),
    - [@spullara](http://twitter.com/spullara),
  2. @kentbrew revised this gist Jul 20, 2012. 1 changed file with 4 additions and 5 deletions.
    9 changes: 4 additions & 5 deletions node-on-ec2-port-80.txt
    @@ -2,7 +2,7 @@

    Standard practices say no non-root process gets to talk to the Internet on a port less than 1024. How, then, could I get Node talking on port 80 on EC2? (I wanted it to go as fast as possible and use the smallest possible share of my teeny tiny little micro-instance's resources, so proxying through nginx or Apache seemed suboptimal.)

    ## The temptingly easy but ultimately wrong solution:
    ## The temptingly easy but *very very wrong* solution:

    Alter the port the script talks to from 8000 to 80:

    @@ -14,14 +14,13 @@ Alter the port the script talks to from 8000 to 80:

    This is a Bad Idea, for all the standard reasons. (Here's one: if Node has access to the filesystem for any reason, you're hosed.)


    ## One possibly-right way:

    Add a port forwarding rule via `iptables`.

    ### Oh dear familiar feeling: you are a total n00b and know not one thing about iptables.
    ## Oh dear familiar feeling: you are a total n00b and know not one thing about iptables!

    First, I listed the rules currently running on the NAT (Network Address Translation) table:
    No worries; turns out you only need to add a single rule. First, I listed the rules currently running on the NAT (Network Address Translation) table:

    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -L

    @@ -34,7 +33,7 @@ First, I listed the rules currently running on the NAT (Network Address Translat
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    I saw nothing, so I felt free to add a rule forwarding packets sent to external port 80 to internal port 8000:
    I saw nothing, so I felt free to add a rule bouncing packets from external port 80 to internal port 8000:

    `[ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8000`

  3. @kentbrew revised this gist Jul 20, 2012. 1 changed file with 6 additions and 6 deletions.
    12 changes: 6 additions & 6 deletions node-on-ec2-port-80.txt
    @@ -2,8 +2,6 @@

    Standard practices say no non-root process gets to talk to the Internet on a port less than 1024. How, then, could I get Node talking on port 80 on EC2? (I wanted it to go as fast as possible and use the smallest possible share of my teeny tiny little micro-instance's resources, so proxying through nginx or Apache seemed suboptimal.)

    [an example](http://example.com/ "Title")

    ## The temptingly easy but ultimately wrong solution:

    Alter the port the script talks to from 8000 to 80:
    @@ -64,8 +62,10 @@ I did not do this myself but throughout this process I had a very strong feeling

    ## Acknowledgements:

    - [http://twitter.com/rckenned](@rckenned),
    - [http://twitter.com/jrconlin](@jrconlin),
    - [http://twitter.com/spullara](@spullara),
    - [http://twitter.com/frozentux](@frozentux) for <http://iptables.rlworkman.net/chunkyhtml>, which is a pretty definitive iptables tutorial.
    [an example](http://example.com/ "Title")

    - [@rckenned](http://twitter.com/rckenned),
    - [@jrconlin](http://twitter.com/jrconlin),
    - [@spullara](http://twitter.com/spullara),
    - [@frozentux](http://twitter.com/frozentux) for <http://iptables.rlworkman.net/chunkyhtml>, which is a pretty definitive iptables tutorial.

  4. @kentbrew revised this gist Jul 20, 2012. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions node-on-ec2-port-80.txt
    @@ -2,6 +2,7 @@

    Standard practices say no non-root process gets to talk to the Internet on a port less than 1024. How, then, could I get Node talking on port 80 on EC2? (I wanted it to go as fast as possible and use the smallest possible share of my teeny tiny little micro-instance's resources, so proxying through nginx or Apache seemed suboptimal.)

    [an example](http://example.com/ "Title")

    ## The temptingly easy but ultimately wrong solution:

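Review bot: `[an example](http://example.com/ "Title")` reads like a Markdown link-syntax test that was left in place; it sits between the problem statement and the first heading and says nothing about the topic. Remove it from the published text (checking that titled links render belongs in a scratch gist, not in this one).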
  5. @kentbrew revised this gist Jul 20, 2012. 1 changed file with 5 additions and 3 deletions.
    8 changes: 5 additions & 3 deletions node-on-ec2-port-80.txt
    @@ -51,15 +51,17 @@ I checked my Node script, which was running on port 8000, and (yes!) it was resp

    ## Fumbling

    During my early fumbling I screwed up a bunch of times. I removed busted rules by specifying the right table, the right chain, and the right line number, like so:
    During my early attempts I screwed up a bunch of times. I removed busted rules by specifying the right table, the right chain, and the right line number, like so:

    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -D PREROUTING 1

    This removed the first line from the `PREROUTING` chain in my nat table.

    *Final note: I did not do this myself but throughout this process I had a very strong feeling I should be very careful not to screw up port 22, which was my only way in.*
    ## Careful, now....

    ## Thank You:
    I did not do this myself but throughout this process I had a very strong feeling I should be very careful not to screw up port 22, which was my only way in.

    ## Acknowledgements:

    - [http://twitter.com/rckenned](@rckenned),
    - [http://twitter.com/jrconlin](@jrconlin),
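Review bot: the new `## Careful, now....` section names the risk to port 22 but gives the reader nothing to act on. Two concrete sentences would fix that: the REDIRECT rule shown earlier matches only `-p tcp --dport 80`, so as written it cannot touch SSH at all; the realistic hazard is the cleanup step, because `-D` by line number against the wrong table or chain removes whatever happens to be first there. Suggest recommending `sudo iptables -t nat -L --line-numbers` before any delete-by-number, and keeping a second SSH session open until the change has been verified from outside.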
  6. @kentbrew revised this gist Jul 20, 2012. 1 changed file with 8 additions and 10 deletions.
    18 changes: 8 additions & 10 deletions node-on-ec2-port-80.txt
    @@ -44,15 +44,9 @@ When I listed again, I saw a new PREROUTING chain:
    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -L

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8000

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination

    target prot opt source destination
    REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8000

    I checked my Node script, which was running on port 8000, and (yes!) it was responding on port 80.

    ## Fumbling
    @@ -67,4 +61,8 @@ This removed the first line from the `PREROUTING` chain in my nat table.

    ## Thank You:

    [http://twitter.com/rckenned](@rckenned), [http://twitter.com/jrconlin](@jrconlin), and [http://twitter.com/spullara](@spullara), and see also <http://iptables.rlworkman.net/chunkyhtml> for a pretty definitive-looking iptables tutorial from [http://twitter.com/frozentux](@frozentux).
    - [http://twitter.com/rckenned](@rckenned),
    - [http://twitter.com/jrconlin](@jrconlin),
    - [http://twitter.com/spullara](@spullara),
    - [http://twitter.com/frozentux](@frozentux) for <http://iptables.rlworkman.net/chunkyhtml>, which is a pretty definitive iptables tutorial.

  7. @kentbrew revised this gist Jul 20, 2012. 1 changed file with 6 additions and 12 deletions.
    18 changes: 6 additions & 12 deletions node-on-ec2-port-80.txt
    @@ -52,19 +52,11 @@ When I listed again, I saw a new PREROUTING chain:

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    [ec2-user@ip-10-205-14-7 ~]$ sudo iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8000

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination


    I checked my Node script, which was running on port 8000, and (yes!) it was responding on port 80.

    ## Fumbling

    During my early fumbling I screwed up a bunch of times. I removed busted rules by specifying the right table, the right chain, and the right line number, like so:

    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -D PREROUTING 1
    @@ -73,4 +65,6 @@ This removed the first line from the `PREROUTING` chain in my nat table.

    *Final note: I did not do this myself but throughout this process I had a very strong feeling I should be very careful not to screw up port 22, which was my only way in.*

    Thanks to [http://twitter.com/rckenned](@rckenned), [http://twitter.com/jrconlin](@jrconlin), and [http://twitter.com/spullara](@spullara), and see also <http://iptables.rlworkman.net/chunkyhtml> for a pretty definitive-looking iptables tutorial from [http://twitter.com/frozentux](@frozentux).
    ## Thank You:

    [http://twitter.com/rckenned](@rckenned), [http://twitter.com/jrconlin](@jrconlin), and [http://twitter.com/spullara](@spullara), and see also <http://iptables.rlworkman.net/chunkyhtml> for a pretty definitive-looking iptables tutorial from [http://twitter.com/frozentux](@frozentux).
  8. @kentbrew revised this gist Jul 20, 2012. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions node-on-ec2-port-80.txt
    @@ -27,13 +27,13 @@ First, I listed the rules currently running on the NAT (Network Address Translat
    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -L

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    target prot opt source destination

    I saw nothing, so I felt free to add a rule forwarding packets sent to external port 80 to internal port 8000:

  9. @kentbrew revised this gist Jul 20, 2012. 1 changed file with 25 additions and 33 deletions.
    58 changes: 25 additions & 33 deletions node-on-ec2-port-80.txt
    @@ -24,58 +24,50 @@ Add a port forwarding rule via `iptables`.

    First, I listed the rules currently running on the NAT (Network Address Translation) table:

    ```
    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -L
    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -L

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ```
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    I saw nothing, so I felt free to add a rule forwarding packets sent to external port 80 to internal port 8000:

    ```
    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8000
    ```
    `[ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8000`

    When I listed again, I saw a new PREROUTING chain:

    ```
    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -L
    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -L

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8000
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8000

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    [ec2-user@ip-10-205-14-7 ~]$ sudo iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8000
    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    [ec2-user@ip-10-205-14-7 ~]$ sudo iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8000

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    ```
    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination

    I checked my Node script, which was running on port 8000, and (yes!) it was responding on port 80.

    During my early fumbling I screwed up a bunch of times. I removed busted rules by specifying the right table, the right chain, and the right line number, like so:

    ```
    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -D PREROUTING 1
    ```
    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -D PREROUTING 1

    This removed the first line from the `PREROUTING` chain in my nat table.

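Review bot: the fence added around the second listing also wraps a second pasted copy of the same output, beginning at the `[ec2-user@ip-10-205-14-7 ~]$ sudo iptables -t nat -L` prompt. That copy repeats the PREROUTING/OUTPUT/POSTROUTING chains already shown above it and carries the instance's real private hostname, which every other prompt in the gist masks as `ip-XX-XXX-XX-X`. Drop the second copy (from that prompt line through its `Chain POSTROUTING` block) so the fenced block shows one listing under one masked prompt.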
  10. @kentbrew revised this gist Jul 20, 2012. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions node-on-ec2-port-80.txt
    @@ -3,7 +3,7 @@
    Standard practices say no non-root process gets to talk to the Internet on a port less than 1024. How, then, could I get Node talking on port 80 on EC2? (I wanted it to go as fast as possible and use the smallest possible share of my teeny tiny little micro-instance's resources, so proxying through nginx or Apache seemed suboptimal.)


    ## The temptingly easy but ultimately wrong solution
    ## The temptingly easy but ultimately wrong solution:

    Alter the port the script talks to from 8000 to 80:

    @@ -16,7 +16,7 @@ Alter the port the script talks to from 8000 to 80:
    This is a Bad Idea, for all the standard reasons. (Here's one: if Node has access to the filesystem for any reason, you're hosed.)


    ## One possibly-right way
    ## One possibly-right way:

    Add a port forwarding rule via `iptables`.

  11. @kentbrew revised this gist Jul 20, 2012. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion node-on-ec2-port-80.txt
    @@ -7,7 +7,7 @@ Standard practices say no non-root process gets to talk to the Internet on a por

    Alter the port the script talks to from 8000 to 80:

    }).listen(80);
    }).listen(80);

    .. and run it as root:

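Review bot: `}).listen(80);` on its own shows the reader only the tail of a call; since the whole point of this section is that changing the one argument from 8000 to 80 is what forces the root workaround, show the line that opens the call (presumably the `http.createServer(...)` whose callback the `})` closes), or at least `.listen(8000)` and `.listen(80)` side by side, so the change being discouraged is unambiguous.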
  12. @kentbrew revised this gist Jul 20, 2012. 1 changed file with 18 additions and 15 deletions.
    33 changes: 18 additions & 15 deletions node-on-ec2-port-80.txt
    @@ -1,30 +1,30 @@
    THE PROBLEM:
    ## The Problem

    Standard practices say no non-root process gets to talk to the Internet on a port less than 1024. How, then, could I get Node talking on port 80 on EC2? (I wanted it to go as fast as possible and use the smallest possible share of my teeny tiny little micro-instance's resources, so proxying through nginx or Apache seemed suboptimal.)


    THE TEMPTINGLY EASY BUT TOTALLY WRONG SOLUTION:
    ## The temptingly easy but ultimately wrong solution

    Alter the port the script talks to from 8000 to 80:

    }).listen(80);
    }).listen(80);

    .. and run it as root:

    sudo /usr/local/bin/node foo.js
    sudo /usr/local/bin/node foo.js

    This is a Bad Idea, for all the standard reasons. (Here's one: if Node has access to the filesystem for any reason, you're hosed.)


    ONE POSSIBLE RIGHT WAY:
    ## One possibly-right way

    Add a port forwarding rule via iptables.
    Add a port forwarding rule via `iptables`.


    OH DEAR FAMILIAR FEELING YOU ARE A TOTAL N00B AND KNOW NOT ONE THING ABOUT IPTABLES.
    ### Oh dear familiar feeling: you are a total n00b and know not one thing about iptables.

    First, I listed the rules currently running on the NAT (Network Address Translation) table:

    ```
    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -L

    Chain INPUT (policy ACCEPT)
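Review bot: the 'Bad Idea' paragraph under the new heading still says 'for all the standard reasons' and leaves the reader to guess. One sentence would pin it down: `sudo /usr/local/bin/node foo.js` keeps the entire Node process running as root for its lifetime, so any bug that lets a request read or write files (the case the parenthetical alludes to) does so as root, whereas the iptables route that follows leaves Node unprivileged on 8000 and has only the kernel rewrite the destination port. Stating that contrast here is what justifies the extra work in the next section.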
    @@ -35,13 +35,17 @@ target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ```

    I saw nothing, so I felt free to add a rule forwarding packets sent to external port 80 to internal port 8000:

    ```
    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8000
    ```

    When I listed again, I saw a new PREROUTING chain:

    ```
    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -L

    Chain PREROUTING (policy ACCEPT)
    @@ -63,19 +67,18 @@ target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    ```

    I checked my Node script, which was running on port 8000, and (yes!) it was responding on port 80.

    During my early fumbling I screwed up a bunch of times. I removed busted rules by specifying the right table, the right chain, and the right line number, like so:

    ```
    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -D PREROUTING 1
    ```

    This removed the first line from the PREROUTING chain in my nat table.


    FINAL NOTE: I DID NOT DO THIS MYSELF BUT I HAVE A VERY STRONG FEELING I SHOULD BE VERY CAREFUL NOT TO SCREW UP PORT 22, WHICH IS MY ONLY WAY IN.


    Thanks to @rckenned, @jrconlin, and @spullara ... see also http://iptables.rlworkman.net/chunkyhtml for a pretty definitive-looking iptables tutorial from @frozentux.
    This removed the first line from the `PREROUTING` chain in my nat table.

    *Final note: I did not do this myself but throughout this process I had a very strong feeling I should be very careful not to screw up port 22, which was my only way in.*

    Thanks to [http://twitter.com/rckenned](@rckenned), [http://twitter.com/jrconlin](@jrconlin), and [http://twitter.com/spullara](@spullara), and see also <http://iptables.rlworkman.net/chunkyhtml> for a pretty definitive-looking iptables tutorial from [http://twitter.com/frozentux](@frozentux).
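Review bot: the Markdown links in the new thanks line are inside-out. The syntax is `[text](url)`, so `[http://twitter.com/rckenned](@rckenned)` renders the URL as the visible text and points the link at `@rckenned`, which is not a usable target. Swap each pair to `[@rckenned](http://twitter.com/rckenned)`, and likewise for the other three handles.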
  13. @kentbrew revised this gist Jan 12, 2011. 1 changed file with 1 addition and 4 deletions.
    5 changes: 1 addition & 4 deletions node-on-ec2-port-80.txt
    @@ -1,9 +1,6 @@
    THE PROBLEM:

    Standard practices say no non-root process gets to talk to the Internet on a port less
    than 1024. How, then, could I get Node talking on port 80 on EC2? (I wanted it to go
    as fast as possible and use the smallest possible share of my teeny tiny little
    system's resources, so proxying through nginx or Apache seemed suboptimal.)
    Standard practices say no non-root process gets to talk to the Internet on a port less than 1024. How, then, could I get Node talking on port 80 on EC2? (I wanted it to go as fast as possible and use the smallest possible share of my teeny tiny little micro-instance's resources, so proxying through nginx or Apache seemed suboptimal.)


    THE TEMPTINGLY EASY BUT TOTALLY WRONG SOLUTION:
  14. @kentbrew revised this gist Jan 12, 2011. 1 changed file with 4 additions and 1 deletion.
    5 changes: 4 additions & 1 deletion node-on-ec2-port-80.txt
    @@ -1,6 +1,9 @@
    THE PROBLEM:

    Standard practices say no non-root process gets to talk to the Internet on a port less than 1024. How, then, could I get Node talking on port 80 on EC2? (I wanted it to go as fast as possible and use the smallest possible share of my teeny tiny little system's resources, so proxying through nginx or Apache seemed suboptimal.)
    Standard practices say no non-root process gets to talk to the Internet on a port less
    than 1024. How, then, could I get Node talking on port 80 on EC2? (I wanted it to go
    as fast as possible and use the smallest possible share of my teeny tiny little
    system's resources, so proxying through nginx or Apache seemed suboptimal.)


    THE TEMPTINGLY EASY BUT TOTALLY WRONG SOLUTION:
  15. @kentbrew created this gist Jan 12, 2011.
    81 changes: 81 additions & 0 deletions node-on-ec2-port-80.txt
    @@ -0,0 +1,81 @@
    THE PROBLEM:

    Standard practices say no non-root process gets to talk to the Internet on a port less than 1024. How, then, could I get Node talking on port 80 on EC2? (I wanted it to go as fast as possible and use the smallest possible share of my teeny tiny little system's resources, so proxying through nginx or Apache seemed suboptimal.)


    THE TEMPTINGLY EASY BUT TOTALLY WRONG SOLUTION:

    Alter the port the script talks to from 8000 to 80:

    }).listen(80);

    .. and run it as root:

    sudo /usr/local/bin/node foo.js

    This is a Bad Idea, for all the standard reasons. (Here's one: if Node has access to the filesystem for any reason, you're hosed.)


    ONE POSSIBLE RIGHT WAY:

    Add a port forwarding rule via iptables.


    OH DEAR FAMILIAR FEELING YOU ARE A TOTAL N00B AND KNOW NOT ONE THING ABOUT IPTABLES.

    First, I listed the rules currently running on the NAT (Network Address Translation) table:

    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -L

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    I saw nothing, so I felt free to add a rule forwarding packets sent to external port 80 to internal port 8000:

    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8000

    When I listed again, I saw a new PREROUTING chain:

    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -L

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8000

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    [ec2-user@ip-10-205-14-7 ~]$ sudo iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8000

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination

    I checked my Node script, which was running on port 8000, and (yes!) it was responding on port 80.

    During my early fumbling I screwed up a bunch of times. I removed busted rules by specifying the right table, the right chain, and the right line number, like so:

    [ec2-user@ip-XX-XXX-XX-X ~]$ sudo iptables -t nat -D PREROUTING 1

    This removed the first line from the PREROUTING chain in my nat table.


    FINAL NOTE: I DID NOT DO THIS MYSELF BUT I HAVE A VERY STRONG FEELING I SHOULD BE VERY CAREFUL NOT TO SCREW UP PORT 22, WHICH IS MY ONLY WAY IN.


    Thanks to @rckenned, @jrconlin, and @spullara ... see also http://iptables.rlworkman.net/chunkyhtml for a pretty definitive-looking iptables tutorial from @frozentux.
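Review bot: the first listing, introduced as `sudo iptables -t nat -L`, shows the chains INPUT, FORWARD and OUTPUT, which are the filter table's chains, while the listing taken after the rule is added shows PREROUTING, OUTPUT and POSTROUTING, the nat table's chains. That mismatch is why the text reports a 'new PREROUTING chain': the chain was there all along, and what is new is the single REDIRECT rule inside it. Re-paste the before listing from the nat table so the two listings are comparable, and reword the sentence to 'a new rule in the PREROUTING chain'.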