Linux Netfilter discussions
* queries
@ 2003-06-02  5:41 Vijay Saha, Noida
From: Vijay Saha, Noida @ 2003-06-02  5:41 UTC (permalink / raw)
  To: netfilter

Hi
I have a few queries related to my project.
I have got a Linux m/c with two network interfaces: a wireless LAN (Aironet)
as "eth0" and a GPRS PC card as "ppp0".
I have to implement seamless roaming, so what I want to achieve is that by
default I would be connected to the wireless LAN interface and as soon as the Access
Point signal strength weakens, I have to switch dynamically to the "ppp"
interface. The "ppp" interface accepts the AT command set for connecting to the
GPRS network.
I have two approaches:

1) An alternative is using a bridge as a virtual interface which enslaves
"eth0" and "ppp0", where the logic of bridging will be modified. We shall
continuously check the "eth0" signal strength and if it weakens switch to
"ppp0" within the bridge module logic. The advantage here is that the
application layer always binds to the same virtual bridge device "br0".
The disadvantage, probably, would be to translate between the Ethernet and
PPP frames within the bridging module?

2) How do I switch to the ppp0 interface dynamically?
Can I accomplish my goal just by modifying the kernel FIB default interface
dynamically and flushing the routing cache table of Linux as per the
connectivity? Will the previous session be maintained after I increase the
kernel TCP/UDP timeout values?
I am using SIOCADDRT/SIOCDELRT to modify the default route in the IP routing
table dynamically.
But this approach has got some issues during handover... will the session be
maintained?
"qdisc" related problems?

Netfilter can help in solving the problems related to the second approach...
Can you help me?

Any suggestions are welcome.
Anticipating a reply
thanks and regards
Vijay


* RE: iptables from cgi script
@ 2003-06-02 22:33 George Vieira
From: George Vieira @ 2003-06-02 22:33 UTC (permalink / raw)
  To: Allan Kissack, netfilter

No, you're not missing anything. But I like this idea for the fact that someone who wants to maliciously attack your site could also open your firewall if the commands can be run by other than root.

Your only (more secure) option is to authenticate the users and allow them to write the rules required to a file or a database and get root to read these and apply them in a separate process.


or just use webmin ;) www.webmin.com

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

-----Original Message-----
From: Allan Kissack [mailto:lists@kissack.freeserve.co.uk]
Sent: Monday, June 02, 2003 5:35 PM
To: netfilter@lists.netfilter.org
Subject: iptables from cgi script


I used to be able to list my rules via a cgi script but since moving to
redhat 9 (iptables 1.2.7a) it fails. The reason given is "can't initialize
iptables table `filter': Permission denied (you must be root) Perhaps
iptables or your kernel needs to be upgraded." which is absolutely accurate
(because I get this logging in as a local user and running /sbin/iptables -L
too) - but I need to know how to achieve this.
I tried altering the group on /sbin and /sbin/iptables and adding my local
user to that, but still it fails.

Am I missing something really obvious?  Either way, your assistance/advice
is welcome.

Thanks

--
Allan
* RE: iptables from cgi script
@ 2003-06-03  6:32 George Vieira
From: George Vieira @ 2003-06-03  6:32 UTC (permalink / raw)
  To: Allan Kissack, netfilter

Run a crontab which updates a file, e.g.

#vi /etc/crontab
*/5 * * * * root /sbin/iptables -L -v -n -x > /home/httpd/html/iptablesrules.txt

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
 

-----Original Message-----
From: Allan Kissack [mailto:lists@kissack.freeserve.co.uk]
Sent: Tuesday, June 03, 2003 5:28 PM
To: George Vieira; netfilter@lists.netfilter.org
Subject: Re: iptables from cgi script


>----- Original Message -----
>From: "George Vieira" <georgev@citadelcomputer.com.au>
>To: "Allan Kissack" <lists@kissack.freeserve.co.uk>;
><netfilter@lists.netfilter.org>
>Sent: Monday, June 02, 2003 10:33 PM
>Subject: RE: iptables from cgi script
>

> No, you're not missing anything. But I like this idea for the fact that
> someone who wants to maliciously attack your site could also open your
> firewall if the commands can be run by other than root.
>
> Your only (more secure) option is to authenticate the users and allow them
> to write the rules required to a file or a database and get root to read
> these and apply them in a separate process.
>
>
> or just use webmin ;) www.webmin.com
>
> Thanks,
> ____________________________________________
> George Vieira


Thanks George,
I already use webmin for admin, and write the rules via a command line.
What I am looking for is a cgi script that displays the results of
/sbin/iptables -L -n -v and allows no other iptables commands. This web
server is protected from the outside by the iptables and is for convenient
monitoring internally (i.e. don't need to go to a command line). Do you know
of a way I can allow this? The script works except for the "can't
initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded." security issue.

--
Allan
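
A hardened form of the cron snapshot George suggests, written as an added example rather than code from the thread: root captures the listing from cron, the file is restricted to root plus the web server's group and renamed into place atomically, and the CGI only reads it, so nothing web-facing ever needs to run iptables. The script path, the snapshot directory and the group name `apache` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Root runs this from cron; it captures
# the rule listing, restricts the file to root plus the web server's group,
# and renames it into place atomically so the CGI never serves a half-written
# snapshot. Keep DEST outside DocumentRoot so only the CGI can expose it.
#
# Assumed crontab line (path and group are placeholders, not from the thread):
#   */5 * * * * root /usr/local/sbin/iptables-snapshot.sh /var/lib/fwsnap/rules.txt apache

# publish_snapshot DEST GROUP CMD [ARGS...]
#   Run CMD with ARGS and publish its output at DEST, mode 0640, group GROUP.
#   Returns non-zero and leaves any existing DEST untouched if CMD fails.
publish_snapshot() {
    dest=$1; grp=$2; shift 2
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if ! "$@" > "$tmp" 2>&1; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0640 "$tmp" || { rm -f "$tmp"; return 1; }
    chgrp "$grp" "$tmp" 2>/dev/null || :   # tolerate an unknown group (e.g. in tests)
    mv -f "$tmp" "$dest"                   # same directory, so the rename is atomic
}

# show_snapshot DEST
#   All the read-only CGI does: emit the snapshot as text/plain, or a short
#   notice if no snapshot exists yet. No iptables call, so no root privileges.
show_snapshot() {
    printf 'Content-Type: text/plain\r\n\r\n'
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo "no firewall snapshot available yet"
        return 1
    fi
}

# Entry point for cron: iptables-snapshot.sh DEST GROUP
if [ "$#" -ge 2 ]; then
    publish_snapshot "$1" "$2" /sbin/iptables -L -v -n -x
fi
```

The CGI wrapper then reduces to `show_snapshot /var/lib/fwsnap/rules.txt` with the web server user in the `apache` group, and no suid or root-run code is reachable from the web.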