December 29, 2025

Using Port 80/443 without root: Via the Firewall

On Unix/Linux, by default only root can bind TCP/UDP ports below 1024. Running a network-facing program as root is dangerous, though: if the program has a vulnerability, an attacker who exploits it gets root. So you want a way to run the application as an unprivileged user while it still answers on a port below 1024.

There are well-known methods:

  • Start as root, bind the port, then drop privileges with setuid/setgid (the classic daemon pattern).

  • Use a small launcher such as privbind (https://github.com/JiriHorky/privbind) to start any program as a non-root user but still allow it to bind privileged ports.

  • On Linux, grant the program the CAP_NET_BIND_SERVICE capability (for example with setcap on the binary, or AmbientCapabilities= in a systemd unit).

  • Use Docker or another container runtime to publish the privileged port on the host while the process inside the container runs as a different user.

Figure 1. Secret

In this post I’ll use the firewall instead. With a NAT rule, incoming traffic to a port below 1024 can be redirected to an unprivileged port that the application listens on. I use iptables; the same is possible with nftables.

With a REDIRECT rule in the nat table's PREROUTING chain you can rewrite the destination port of packets as they arrive:

HTTP_SRC=80
HTTP_DEST=8080
# Redirect inbound TCP traffic arriving on eth0 for port 80 to port 8080 on this host
sudo iptables -t nat -I PREROUTING -p tcp  -i eth0  --dport $HTTP_SRC -j REDIRECT --to-ports $HTTP_DEST

That’s it! This single rule redirects traffic arriving on eth0 for port 80 to port 8080, where the application listens as a normal user. The same rule with 443 and, for example, 8443 covers HTTPS. A few things to keep in mind: PREROUTING only sees packets that come in from the network, so connections the host makes to itself (for example curl http://127.0.0.1/ in a health check) are not redirected unless you add a matching rule in the nat OUTPUT chain; port 8080 itself stays directly reachable from the network unless you filter it in the INPUT chain; and iptables only handles IPv4, so IPv6 needs the equivalent ip6tables rule. The rule also does not survive a reboot. Either add it to your existing firewall rules (for example via iptables-save/iptables-restore), or use a small oneshot systemd service to add it at boot.
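The following script is an added example and not part of the original post. It wraps the REDIRECT rule above in an idempotent script that a systemd oneshot unit can run at every boot: each rule is only inserted if iptables -C reports it missing, so re-running it never stacks duplicates. It also adds the nat OUTPUT rule for connections from the host itself and an INPUT rule that only lets NAT-rewritten connections reach the unprivileged port. Assumptions (mine, not the post's): the public interface is eth0, the application listens on 8080 and 8443, and the script is installed at /usr/local/sbin/port-redirect.sh.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: idempotent iptables REDIRECT
# setup for 80->8080 and 443->8443, plus a systemd oneshot unit to apply it at boot.
set -euo pipefail

IFACE="${IFACE:-eth0}"           # assumed public interface
IPTABLES="${IPTABLES:-iptables}" # set to "echo iptables" for a dry run

# Rule specification (everything after the chain name) that redirects a
# privileged TCP port to an unprivileged one.
#   $1 = chain: PREROUTING (packets arriving on $IFACE) or OUTPUT (packets the
#        host sends to itself; these never pass through PREROUTING)
#   $2 = privileged port, $3 = unprivileged port the application listens on
redirect_spec() {
    local chain=$1 from=$2 to=$3
    case "$chain" in
        PREROUTING) printf -- '-i %s -p tcp --dport %s -j REDIRECT --to-ports %s' "$IFACE" "$from" "$to" ;;
        OUTPUT)     printf -- '-o lo -p tcp --dport %s -j REDIRECT --to-ports %s' "$from" "$to" ;;
        *)          echo "unsupported chain: $chain" >&2; return 1 ;;
    esac
}

# Filter-table spec that drops connections arriving on $IFACE directly for the
# unprivileged port. Only packets whose destination was rewritten by NAT
# (conntrack virtual state DNAT) are allowed through, so clients cannot bypass
# the redirect by talking to :8080 themselves.
direct_block_spec() {
    local to=$1
    printf -- '-i %s -p tcp --dport %s -m conntrack ! --ctstate DNAT -j DROP' "$IFACE" "$to"
}

# Insert a rule only if an identical one is not already present.
#   $1 = table, $2 = chain, $3 = rule spec (intentionally word-split)
ensure_rule() {
    local table=$1 chain=$2 spec=$3
    # shellcheck disable=SC2086
    if ! $IPTABLES -t "$table" -C "$chain" $spec 2>/dev/null; then
        $IPTABLES -t "$table" -I "$chain" $spec
    fi
}

# Apply all rules for the assumed port pairs (IPv4 only; IPv6 needs ip6tables).
apply_redirects() {
    local pair from to
    for pair in 80:8080 443:8443; do
        from=${pair%%:*}; to=${pair##*:}
        ensure_rule nat PREROUTING "$(redirect_spec PREROUTING "$from" "$to")"
        ensure_rule nat OUTPUT     "$(redirect_spec OUTPUT "$from" "$to")"
        ensure_rule filter INPUT   "$(direct_block_spec "$to")"
    done
}

# Oneshot unit that re-applies the rules at boot. Install with:
#   port-redirect.sh unit > /etc/systemd/system/port-redirect.service
#   systemctl enable --now port-redirect.service
# The ExecStart path is an assumption about where this script lives.
systemd_unit() {
    cat <<'EOF'
[Unit]
Description=Redirect privileged ports to the unprivileged application ports
After=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/port-redirect.sh apply

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
    apply) apply_redirects ;;
    unit)  systemd_unit ;;
    "")    ;;   # no argument: only define the functions (useful for sourcing)
    *)     echo "usage: $0 {apply|unit}" >&2; exit 64 ;;
esac
```

Run it once by hand with IPTABLES="echo iptables" to see the exact commands before letting the unit apply them for real. The INPUT DROP rule is the part people usually forget: without it the unprivileged port is just as exposed as the privileged one, only on a different number.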

Tags: Unix Linux