From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Allan Kissack" Subject: Re: iptables from cgi script Date: Tue, 3 Jun 2003 07:28:15 -0000 Sender: netfilter-admin@lists.netfilter.org Message-ID: <001a01c329a1$b28d8b40$2c00a8c0@local.net> References: <09B04A55822EFF4DA48D2E0BB2941D4A0D6D8B@wardrive.citadelcomputer.com.au> Reply-To: "Allan Kissack" Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Return-path: Errors-To: netfilter-admin@lists.netfilter.org List-Help: List-Post: List-Subscribe: , List-Id: List-Unsubscribe: , List-Archive: Content-Type: text/plain; charset="us-ascii" To: George Vieira , netfilter@lists.netfilter.org >----- Original Message ----- >From: "George Vieira" >To: "Allan Kissack" ; >Sent: Monday, June 02, 2003 10:33 PM >Subject: RE: iptables from cgi script > > No your not missing anything.. But I like this idea for the fact that someone who wants to maliciously attack your site and also open your firewall if the commands can be run by other than root.. > > Your only (more secure) option is to authenticate the users and allow them to write the rules required to a file or a database and get root to read these and apply them in a seperate process.. > > > or just use webmin ;) www.webmin.com > > Thanks, > ____________________________________________ > George Vieira Thanks George, I already use webmin for admin, and write the rules via a command line. What I am looking for is a cgi script that displays the results of /sbin/iptables -L -n -v and allows no other iptables commands. This web server is protected from the outside by the iptables and is for convenient monitoring internally (ie dont need to go to a command line). Do you knwo of a way I can allow this? The script works except for the "can't initialize iptables table `filter': Permission denied (you must be root) Perhaps iptables or your kernel needs to be upgraded." security issue -- Allan