Running Orion behind Port Forwarding

Written by Joseph Ottinger

On a Unix system, the ports below 1025 are privileged, which means a daemon (like Orion) needs root privileges to listen on them. Most administrators don't want that. Below is a simple way to receive requests on the standard HTTP port 80 while running Orion as an unprivileged user.

This description assumes:


To make Orion listen on a port other than the default (80), modify $ORION_HOME/config/default-web-site.xml as follows:

<web-site host="[ALL]" port="8888" display-name="Default Orion WebSite">
    <frontend port="80" />
    ...
</web-site>

After the change, start Orion as an unprivileged user:

cd $ORION_HOME
sudo -u www-data ${JAVA_HOME}/bin/java -jar orion.jar &

Orion now listens on port 8888 for incoming requests.

To have Orion answer port 80 requests, these must be forwarded to the proper port.

With Linux kernel 2.4.x+ that's easy with iptables:

iptables -t nat -A PREROUTING -p tcp -d $SITE_IP --dport 80 \
    -j REDIRECT --to-port 8888
iptables -t nat -A PREROUTING -p udp -d $SITE_IP --dport 80 \
    -j REDIRECT --to-port 8888
iptables -A INPUT -p tcp -d $SITE_IP --dport 8888 -j ACCEPT
iptables -A INPUT -p udp -d $SITE_IP --dport 8888 -j ACCEPT

If all went well, connections to the default web site should now yield the desired result.
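
One way to check that the rules above are actually loaded, as an added example that is not part of the original page: the function parses `iptables-save` output and reports whether the TCP redirect and the matching INPUT accept are present. The helper name `audit_redirect`, the sample rule dump and the address 192.0.2.10 (standing in for $SITE_IP) are assumptions made for this example.

```shell
# Constructed sample of `iptables-save` output after the four rules above;
# 192.0.2.10 stands in for $SITE_IP (an assumption, not a value from the page).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A PREROUTING -d 192.0.2.10/32 -p udp -m udp --dport 80 -j REDIRECT --to-ports 8888
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -d 192.0.2.10/32 -p udp -m udp --dport 8888 -j ACCEPT
COMMIT'

# audit_redirect PUBLIC_PORT BACKEND_PORT  (hypothetical helper; reads iptables-save text on stdin)
# Prints one finding per line; returns 0 only if both TCP rules are present.
audit_redirect() {
    awk -v pub="$1" -v back="$2" '
        /^\*/ { table = substr($0, 2); next }
        /^-A / {
            chain = $2; proto = ""; dport = ""; target = ""; to = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "--to-ports") to = $(i + 1)
            }
            if (table == "nat" && chain == "PREROUTING" && target == "REDIRECT" &&
                dport == pub && to == back) {
                if (proto == "tcp") redirect = 1
                else print "NOTE: " proto " redirect present; HTTP/1.x uses TCP only"
            }
            if (table == "filter" && chain == "INPUT" && target == "ACCEPT" &&
                proto == "tcp" && dport == back) accept = 1
        }
        END {
            r = redirect ? "OK" : "MISSING"; a = accept ? "OK" : "MISSING"
            print r ": nat PREROUTING tcp " pub " -> " back
            print a ": filter INPUT accept tcp " back
            exit !(redirect && accept)
        }'
}

# On a live host, as root: iptables-save | audit_redirect 80 8888
printf '%s\n' "$SAMPLE_RULES" | audit_redirect 80 8888
```

The PREROUTING redirect only applies to packets arriving from the network, and port 8888 itself stays directly reachable through the INPUT rule.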

Copyright © 2007 IronFlare AB