Linux Netfilter discussions
* iptables from cgi script
  2003-06-02  5:41 queries Vijay Saha, Noida
@ 2003-06-02  7:34 ` Allan Kissack
  0 siblings, 0 replies; 6+ messages in thread
From: Allan Kissack @ 2003-06-02  7:34 UTC (permalink / raw)
  To: netfilter

I used to be able to list my rules via a cgi script but since moving to
redhat 9 (iptables 1.2.7a) it fails. The reason given is "can't initialize
iptables table `filter': Permission denied (you must be root) Perhaps
iptables or your kernel needs to be upgraded." which is absolutely accurate
(because I get this logging in as a local user and running /sbin/iptables -L
too) - but I need to know how to achieve this.
I tried altering the group on /sbin and /sbin/iptables and adding my local
user to that, but still it fails.

Am I missing something really obvious?  Either way, your assistance/advice
is welcome.

Thanks

--
Allan






* RE: iptables from cgi script
@ 2003-06-02 22:33 George Vieira
  2003-06-03  7:28 ` Allan Kissack
  2003-06-03  7:28 ` Allan Kissack
  0 siblings, 2 replies; 6+ messages in thread
From: George Vieira @ 2003-06-02 22:33 UTC (permalink / raw)
  To: Allan Kissack, netfilter

No, you're not missing anything.. But I like this idea for the fact that someone who wants to maliciously attack your site and also open your firewall if the commands can be run by other than root..

Your only (more secure) option is to authenticate the users and allow them to write the rules required to a file or a database and get root to read these and apply them in a separate process..


or just use webmin ;) www.webmin.com

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

-----Original Message-----
From: Allan Kissack [mailto:lists@kissack.freeserve.co.uk]
Sent: Monday, June 02, 2003 5:35 PM
To: netfilter@lists.netfilter.org
Subject: iptables from cgi script


I used to be able to list my rules via a cgi script but since moving to
redhat 9 (iptables 1.2.7a) it fails. The reason given is "can't initialize
iptables table `filter': Permission denied (you must be root) Perhaps
iptables or your kernel needs to be upgraded." which is absolutely accurate
(because I get this logging in as a local user and running /sbin/iptables -L
too) - but I need to know how to achieve this.
I tried altering the group on /sbin and /sbin/iptables and adding my local
user to that, but still it fails.

Am I missing something really obvious?  Either way, your assistance/advice
is welcome.

Thanks

--
Allan







* RE: iptables from cgi script
@ 2003-06-03  6:32 George Vieira
  0 siblings, 0 replies; 6+ messages in thread
From: George Vieira @ 2003-06-03  6:32 UTC (permalink / raw)
  To: Allan Kissack, netfilter

run a crontab which updates a file... eg.

#vi /etc/crontab
*/5 * * * * root /sbin/iptables -L -v -n -x > /home/httpd/html/iptablesrules.txt

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
 

-----Original Message-----
From: Allan Kissack [mailto:lists@kissack.freeserve.co.uk]
Sent: Tuesday, June 03, 2003 5:28 PM
To: George Vieira; netfilter@lists.netfilter.org
Subject: Re: iptables from cgi script


>----- Original Message -----
>From: "George Vieira" <georgev@citadelcomputer.com.au>
>To: "Allan Kissack" <lists@kissack.freeserve.co.uk>;
><netfilter@lists.netfilter.org>
>Sent: Monday, June 02, 2003 10:33 PM
>Subject: RE: iptables from cgi script
>

> No, you're not missing anything.. But I like this idea for the fact that
> someone who wants to maliciously attack your site and also open your
> firewall if the commands can be run by other than root..
>
> Your only (more secure) option is to authenticate the users and allow them
> to write the rules required to a file or a database and get root to read
> these and apply them in a separate process..
>
>
> or just use webmin ;) www.webmin.com
>
> Thanks,
> ____________________________________________
> George Vieira


Thanks George,
I already use webmin for admin, and write the rules via a command line.
What I am looking for is a cgi script that displays the results of
/sbin/iptables -L -n -v and allows no other iptables commands.  This web
server is protected from the outside by the iptables and is for convenient
monitoring internally (ie don't need to go to a command line).  Do you know
of a way I can allow this?  The script works except for the "can't
initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded."  security issue

--
Allan





* Re: iptables from cgi script
  2003-06-02 22:33 iptables from cgi script George Vieira
@ 2003-06-03  7:28 ` Allan Kissack
  2003-06-03 13:30   ` Arnt Karlsen
  2003-06-03  7:28 ` Allan Kissack
  1 sibling, 1 reply; 6+ messages in thread
From: Allan Kissack @ 2003-06-03  7:28 UTC (permalink / raw)
  To: George Vieira, netfilter

>----- Original Message -----
>From: "George Vieira" <georgev@citadelcomputer.com.au>
>To: "Allan Kissack" <lists@kissack.freeserve.co.uk>;
><netfilter@lists.netfilter.org>
>Sent: Monday, June 02, 2003 10:33 PM
>Subject: RE: iptables from cgi script
>

> No, you're not missing anything.. But I like this idea for the fact that
> someone who wants to maliciously attack your site and also open your
> firewall if the commands can be run by other than root..
>
> Your only (more secure) option is to authenticate the users and allow them
> to write the rules required to a file or a database and get root to read
> these and apply them in a separate process..
>
>
> or just use webmin ;) www.webmin.com
>
> Thanks,
> ____________________________________________
> George Vieira


Thanks George,
I already use webmin for admin, and write the rules via a command line.
What I am looking for is a cgi script that displays the results of
/sbin/iptables -L -n -v and allows no other iptables commands.  This web
server is protected from the outside by the iptables and is for convenient
monitoring internally (ie don't need to go to a command line).  Do you know
of a way I can allow this?  The script works except for the "can't
initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded."  security issue

--
Allan





* Re: iptables from cgi script
  2003-06-02 22:33 iptables from cgi script George Vieira
  2003-06-03  7:28 ` Allan Kissack
@ 2003-06-03  7:28 ` Allan Kissack
  1 sibling, 0 replies; 6+ messages in thread
From: Allan Kissack @ 2003-06-03  7:28 UTC (permalink / raw)
  To: George Vieira, netfilter


----- Original Message -----
From: "George Vieira" <georgev@citadelcomputer.com.au>
To: "Allan Kissack" <lists@kissack.freeserve.co.uk>;
<netfilter@lists.netfilter.org>
Sent: Monday, June 02, 2003 10:33 PM
Subject: RE: iptables from cgi script


> No, you're not missing anything.. But I like this idea for the fact that
> someone who wants to maliciously attack your site and also open your
> firewall if the commands can be run by other than root..
>
> Your only (more secure) option is to authenticate the users and allow them
> to write the rules required to a file or a database and get root to read
> these and apply them in a separate process..
>
>
> or just use webmin ;) www.webmin.com
>
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@citadelcomputer.com.au
>
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
>
> Phone   : +61 2 9955 2644
> HelpDesk: +61 2 9955 2698
>
>
> -----Original Message-----
> From: Allan Kissack [mailto:lists@kissack.freeserve.co.uk]
> Sent: Monday, June 02, 2003 5:35 PM
> To: netfilter@lists.netfilter.org
> Subject: iptables from cgi script
>
>
> I used to be able to list my rules via a cgi script but since moving to
> redhat 9 (iptables 1.2.7a) it fails. The reason given is "can't initialize
> iptables table `filter': Permission denied (you must be root) Perhaps
> iptables or your kernel needs to be upgraded." which is absolutely
accurate
> (because I get this logging in as a local user and running
/sbin/iptables -L
> too) - but I need to know how to achieve this.
> I tried altering the group on /sbin and /sbin/iptables and adding my local
> user to that, but still it fails.
>
> Am I missing something really obvious?  Either way, your assistance/advice
> is welcome.
>
> Thanks
>
> --
> Allan
>




* Re: iptables from cgi script
  2003-06-03  7:28 ` Allan Kissack
@ 2003-06-03 13:30   ` Arnt Karlsen
  0 siblings, 0 replies; 6+ messages in thread
From: Arnt Karlsen @ 2003-06-03 13:30 UTC (permalink / raw)
  To: netfilter

On Tue, 3 Jun 2003 07:28:15 -0000, 
"Allan Kissack" <lists@kissack.freeserve.co.uk> wrote in message 
<001a01c329a1$b28d8b40$2c00a8c0@local.net>:

> >----- Original Message -----
> >From: "George Vieira" <georgev@citadelcomputer.com.au>
> >To: "Allan Kissack" <lists@kissack.freeserve.co.uk>;
> <netfilter@lists.netfilter.org>
> >Sent: Monday, June 02, 2003 10:33 PM
> >Subject: RE: iptables from cgi script
> >
> 
> > No, you're not missing anything.. But I like this idea for the fact
> > that
> > someone who wants to maliciously attack your site and also open your
> > firewall if the commands can be run by other than root..
> >
> > Your only (more secure) option is to authenticate the users and
> > allow them
> > to write the rules required to a file or a database and get root to
> > read these and apply them in a separate process..
> >
> >
> > or just use webmin ;) www.webmin.com
> >
> > Thanks,
> > ____________________________________________
> > George Vieira
> 
> 
> Thanks George,
> I already use webmin for admin, and write the rules via a command
> line. What I am looking for is a cgi script that displays the results
> of /sbin/iptables -L -n -v and allows no other iptables commands.  This
> web server is protected from the outside by the iptables and is for
> convenient monitoring internally (ie don't need to go to a command
> line).  Do you know of a way I can allow this?  The script works
> except for the "can't initialize iptables table `filter': Permission
> denied (you must be root) Perhaps iptables or your kernel needs to be
> upgraded."  security issue

..set up a cron job to a script to echo header > $web-page,
then run your iptables command output >> $web-page, finally
echo footer >> $web-page.  Oh, you want it somewhere remotely?  
Wget it.

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.




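The cron-plus-static-file approach George and Arnt describe, written out as an added example that is not code from the thread: a root cron job renders the listing into a page the web server can serve, so the CGI only reads a file and the web server never needs the privileges iptables demands. The output path is the one from George's crontab line; the web server group name, the --run flag and the script path in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): root cron job that publishes a static
# HTML snapshot of the filter table, so the CGI script only reads a file and
# the web server never needs privileges to run iptables itself.
# Assumed: web server group 'apache' (Red Hat 9 default) and the --run flag;
# the output path is the one from George's crontab line.
set -eu

OUT=${OUT:-/home/httpd/html/iptablesrules.txt}
WEBGROUP=${WEBGROUP:-apache}

# Rule comments and string matches can contain '<' or '&'; escape them so the
# listing cannot inject markup into the page that displays it.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Read the raw listing on stdin and wrap it in header, <pre> block and footer.
render_page() {
    printf '<html><head><title>iptables filter table</title></head><body>\n'
    printf '<p>Snapshot taken %s</p>\n<pre>\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"
    html_escape
    printf '</pre>\n</body></html>\n'
}

# Render into a temp file beside the target and rename it into place, so the
# CGI never serves a half-written page; keep the file group-readable only.
publish() {
    tmp=$(mktemp "$(dirname "$1")/.iptables.XXXXXX")
    render_page > "$tmp"
    chmod 0640 "$tmp"
    chgrp "$WEBGROUP" "$tmp" 2>/dev/null || true   # harmless when not root
    mv -f "$tmp" "$1"
}

# Crontab entry (as root):
#   */5 * * * * root /usr/local/sbin/iptables-snapshot --run
if [ "${1:-}" = "--run" ]; then
    /sbin/iptables -L -v -n -x | publish "$OUT"
fi
```

The CGI side then reduces to reading that file, which is exactly the "display only, no other iptables commands" behaviour Allan asked for.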
