How to use IPTables to forward HTTP default port to nodeBB



  • You may wish for several reasons to only have Node.js to serve nodeBB, such as

    • Saving the RAM consumption by running one less service as you won't use Nginx or Apache
    • Having all the functionalities by using websocket, as Nginx < 1.2 does not support it

    But you also can't bind Node.js to port 80 without root privileges, and for security reasons, it's recommended not to.

    If you don't plan to use multiple virtual hosts, then I have a solution for you.

    Port forwarding using iptables

    sudo iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
    sudo iptables -A INPUT -i eth0 -p tcp --dport 4567 -j ACCEPT
    sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 4567
    

    This redirects port 80 of eth0 to port 4567.

    The advantage of doing this are the following

    iptables port forwarding is significantly lighter weight than proxifying using nginx or anything else. Iptables port forwarding merely changes the destination header in the packets and delivers them, meaning it's a layer 3 fix, as well as happening in kernel space.
    Using nginx as a proxy is a layer 7 fix, meaning it's much more complex, as well as happening in user space.

    • More secure as you now have 0 program with root privilege handling HTTP traffic
    • Better performance, Node.js event handling is faster than Nginx one, and I'm not even talking about Node.js vs Nginx reverse proxifying Node.js...

    The first drawback I noticed while doing this is that nodeBB is for now not able to handle SSL/TLS on its own, or at least be configured with an SSL certificate. I could be wrong here, but I found nothing relevant on this subject.

    To remove the iptables packet forwarding, say to install Nginx to handle SSL/TLS (HTTPS) and SPDY HTTP/2

    sudo iptables -t filter -D INPUT 1
    sudo iptables -t filter -D INPUT 1
    sudo iptables -t nat -D PREROUTING 1
    

    I'm posting this tutorial as I found nothing very clear on how to do it,
    hope it helps.



  • But to be honest, it's less RAM consumptions against slower static files serving. Is it really better?

    Nginx other than SSL also does gzip, load balancing, caching and a lot of other fancy stuff.

    I could not imagine my life without nginx at the moment :P


  • Admin

    Nice tutorial! Good to know iptables can be used to forward ports like this.

    I do believe NodeBB can be configured to terminate SSL certificates, but it hasn't been done in awhile because we much prefer nginx :smile:


Log in to reply
 

Looks like your connection to NodeBB was lost, please wait while we try to reconnect.