* providing partial access to iptables for non root user
@ 2005-02-21 11:33 Michael Jürgens
From: Michael Jürgens @ 2005-02-21 11:33 UTC (permalink / raw)
To: netfilter
Hi,
I'm looking for a solution to provide a non-root user write access to a
chain.
In this special case I have to provide a mechanism to block some IP
addresses from connecting to HTTP.
But this should be done by a non-root user. The non-root user should not
be able to change any other rule.
Any ideas?
regards,
Michael
* Re: providing partial access to iptables for non root user
From: Chris Brenton @ 2005-02-21 13:38 UTC (permalink / raw)
To: Michael Jürgens; +Cc: netfilter
On Mon, 2005-02-21 at 06:33, Michael Jürgens wrote:
>
> I'm looking for a solution to provide a non-root user write access to a
> chain.
I've written up some stuff using sudo in order to create an auditing
trail. You can read about it here:
http://www.loganalysis.org/sections/parsing/application-specific/firewall-logging.html#iptables
> In this special case I have to provide a mechanism to block some IP
> addresses from connecting to HTTP.
> But this should be done by a non-root user. The non-root user should not
> be able to change any other rule.
The problem is you cannot set permissions on different iptables
switches. So granting a person access to the binary implies they will be
able to do pretty much anything they want.
You might be able to create a front end that accepts just an IP address,
and then the back end fills out the rest of the command, but you would
need really good data scrubbing to ensure that only IP addresses are
accepted, not command-line switches. You would also need to ensure that
the user does not have direct access to the binary.
HTH,
Chris
* Re: providing partial access to iptables for non root user
From: Jason Opperisano @ 2005-02-21 14:29 UTC (permalink / raw)
To: netfilter
On Mon, 2005-02-21 at 06:33, Michael Jürgens wrote:
> Hi,
>
> I'm looking for a solution to provide a non-root user write access to a
> chain.
>
> In this special case I have to provide a mechanism to block some IP
> addresses from connecting to HTTP.
> But this should be done by a non-root user. The non-root user should not
> be able to change any other rule.
>
> Any ideas?
use sudo?
Host_Alias LOCALHOST = thishostname
User_Alias U_HTTP = youruser
Cmnd_Alias C_HTTP = /sbin/iptables -A blockhttp -s * -j DROP
U_HTTP LOCALHOST = C_HTTP
...or if this is scripted:
U_HTTP LOCALHOST = NOPASSWD: C_HTTP
Obviously there's opportunity for abuse here, but it's the best I've
come up with. If you front-end this with a script, it will allow you to
scrub/check/validate the input much more extensively (which is what I
actually do).
-j
--
"Oh look at me! I'm making people happy! I'm the magical man from
Happyland, in a gumdrop house on Lollipop Lane!"
--The Simpsons
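The front-end wrapper that Chris and Jason both describe, as an added example that is not from the thread: the non-root user is granted only this script via sudo (a sudoers line such as `youruser ALL = /usr/local/sbin/blockhttp.sh` is assumed, as are the `/sbin/iptables` path and the `blockhttp` chain name). The script accepts exactly one strict dotted-quad IPv4 address, so switches, extra tokens or CIDR suffixes never reach the iptables binary, and it logs who added what for the audit trail Chris mentions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: chain "blockhttp"
# already exists and is referenced from INPUT for dport 80; this script
# is the only command granted to the user in sudoers.
set -eu
IPTABLES=/sbin/iptables
CHAIN=blockhttp

# Return 0 only for a strict dotted-quad IPv4 address (4 octets, 0-255).
# Anything else (switches, spaces, "/24", missing or extra octets) fails.
valid_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, empty octets
    esac
    oldifs=$IFS; IFS=.
    set -- $ip                            # split on dots (digits only here)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1   # blocks over-long octets like 0256
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the exact iptables command line for one validated address, so it
# can be logged or reviewed before it runs. Fails closed on bad input.
build_block_cmd() {
    valid_ipv4 "$1" || return 1
    printf '%s -A %s -s %s/32 -j DROP\n' "$IPTABLES" "$CHAIN" "$1"
}

# Entry point when invoked as a script (skipped when sourced for testing).
if [ "${0##*/}" = "blockhttp.sh" ]; then
    [ $# -eq 1 ] || { echo "usage: $0 <ipv4-address>" >&2; exit 2; }
    valid_ipv4 "$1" || { echo "rejected: not a plain IPv4 address" >&2; exit 1; }
    # SUDO_USER records the real caller, since "id -un" is root under sudo.
    logger -t blockhttp "${SUDO_USER:-$(id -un)} added $1 to $CHAIN"
    exec "$IPTABLES" -A "$CHAIN" -s "$1/32" -j DROP
fi
```

Because the user never touches the iptables binary directly, the sudoers entry needs no wildcard at all, which removes the "opportunity for abuse" Jason notes in the `-s *` form.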
* Re: providing partial access to iptables for non root user
From: Eric Leblond @ 2005-02-23 22:38 UTC (permalink / raw)
To: netfilter
On Mon, 2005-02-21 at 09:29 -0500, Jason Opperisano wrote:
> On Mon, 2005-02-21 at 06:33, Michael Jürgens wrote:
> > Hi,
> >
> > I'm looking for a solution to provide a non-root user write access to a
> > chain.
> >
> > In this special case I have to provide a mechanism to block some IP
> > addresses from connecting to HTTP.
> > But this should be done by a non-root user. The non-root user should not
> > be able to change any other rule.
> >
> > Any ideas?
>
Why not use a conf file with proper rights?
Selected users could add rules to the script, which would then be automatically
inserted into the firewall via a cron task or a sudo script.
BR,
--
Eric Leblond <eric@inl.fr>
INL