Documentation: added doc/TIPS.md for documenting tips and tricks

starting with the destination NAT trick to provide access on privileged low TCP ports. Document the low port non-root restriction in CONFIGURATION.md.
2012-10-03 22:18:49 +03:00 · 2012-10-03 22:18:49 +03:00 · ad126901da
parent ca675a1962
commit ad126901da
3 changed files with 34 additions and 2 deletions
--- a/doc/CONFIGURATION.md
+++ b/doc/CONFIGURATION.md
@ -140,7 +140,10 @@ The basic syntax is:
    handle both IPv6 and IPv4 connections with a single configuration
    line! On FreeBSD, separate IPv4 and IPv6 listeners are needed.
    
- *  port: the local TCP or UDP port to listen on.
+ *  port: the local TCP or UDP port to listen on. Must be larger than 1023.
+    aprsc drops root privileges quickly after startup (if it has them), and
+    cannot bind privileged ports. If you need to support a low port such as
+    23, see [TIPS](TIPS.html): "Providing access on low TCP ports"

 *  options: one more of:
 
--- a/doc/TIPS.md
+++ b/doc/TIPS.md
@ -0,0 +1,29 @@
+
+aprsc tricks and tips
+=====================
+
+
+Providing access on low TCP ports (like 23)
+----------------------------------------------
+
+For security reasons aprsc drops root privileges as soon as possible after
+starting up (if it ever had the in the first place).  Listening on
+privileged "low" ports below 1024 normally requires root privileges, which
+aprsc no longer has when it comes to the point where it would start binding
+those ports.
+
+You can use a NAT based method to redirect traffic from port 23 to port
+14580 (or some other high unprivileged port your server is listening on). 
+Replace *youripaddress* with your external IP address.  The local listening
+address (to-destination) cannot be localhost, so use the same IP address. 
+These two commands need to go somewhere in your startup scripts or firewall
+configurations.
+
+    root@box:~# iptables -t nat -A PREROUTING -d *youripaddress*
+        -p tcp --dport 23 -m addrtype --dst-type LOCAL -j DNAT
+        --to-destination *youripaddress*:14580
+
+    root@box:~# iptables -t nat -A OUTPUT -d *youripaddress*
+        -p tcp --dport 29 -m addrtype --dst-type LOCAL -j DNAT
+        --to-destination *youripaddress*:14580
+
--- a/src/Makefile.in
+++ b/src/Makefile.in
@ -259,7 +259,7 @@ make-rpm: # actually just a reminder of how to do it..
 MARKDOWN=perl ../tools/Markdown.pl
 WEBDOCS=/data/www/hes/html/aprsc
 DOCS=README.md INSTALLING.md BUILDING.md CONFIGURATION.md DEBUGGING.md \
-	HOME.md CONTRIBUTING.md
+	HOME.md CONTRIBUTING.md TIPS.md
 DESTDOCS=$(addprefix $(WEBDOCS)/,$(addsuffix .html,$(basename $(DOCS))))
 SRCDOCS=$(addprefix ../doc/,$(DOCS))
 install-webdoc: $(DESTDOCS)