Good afternoon people, I am having some questions about iptables, since my teacher wanted me to build a web application to help end-users configure the iptables of a Linux-based OS running on VMware Workstation v6. I was kind of puzzled, since I do not know how to start. He was implying that I build it using the PHP language and Apache2, and since PHP supports a remote terminal, is it possible that one can log in remotely to configure the iptables on the Linux machine?
Can some kind souls help me with this?
A thousand thanks
Configuring iptables requires root access; this is not a valid solution for a web-controlled app, and your teacher should know that running PHP/Apache solutions with root privileges is very bad.
Don't worry Ma'am. We're university students, - We know what We're doing.
'Ruiat coelum, fiat voluntas tua.' Computer science - a lifestyle; no life, no style.
Then is there no way out of this except configuring it using GUI tools like Firestarter and such? He just wanted something more interactive for the end user. Hmm, I think he's making things hard for us without knowing the solution himself. :(
I think that I have read about the issue: only the root user can execute iptables, and I found this website that I believe would allow access to iptables remotely, allowing Apache to run as root without using a password. But is it a good way?
Link:
http://lunaticantics.blogspot.com/20...-with-php.html
Oh yes, I am new to Ubuntu also; a lot more things to learn in the next 5 weeks before submission, hope that it will work out fine.
Thanks for your time
Just to clarify my earlier statement, a small quote from the article:
Code:
apache ALL = (root) NOPASSWD: /sbin/iptables
This gives apache the ability to run the iptables command without the need for a password. Shock! Horror! Isn't that a security problem?
Well, not really, the addition allows apache to run iptables, and that's it, nothing else.
True, it will only allow apache to run iptables as root, but then again anyone and his grandmother will be able to get apache/php to execute something like
Code:
iptables -i INPUT -s <your IP> -j ACCEPT
And the barn door is wide open for you..
Not that it is impossible to implement some security measures, only allowing a certain host/interface to be the one executing the commands, but I'm just saying that relying on a control interface for something as critical as the control of your firewall settings is asking for exploitable holes.
Look, if you want remote access, use ssh to gain that; that will give you a command line. If you are accessing from a host running an X server, you can also set up remote access over the ssh session to have a GUI.
On Windows, cygwin + ssh + X == remote X for free
Dunno about the capabilities of puTTY these days. I avoid Windows at all costs. Unless I am getting paid for it, I don't want to touch Windows.
And if the site that is offering aid to your Apache setup is recommending using that root access to iptables, I would not accept their help ever again. That is the most irresponsible help I have ever read. That is asking to get hacked and owned.
There are a few things to still accomplish this without risking your system to root hacks. The best way to secure it is to have a script run each of your PHP executes. You do not need to run your web server with root access. Very bad idea. In each script, set them suid, make the owner the apache user, and not readable, just executable, and make sure they ONLY accept the commands and arguments you want to execute. The point behind having a script or application handle the system commands is to have whatever it executes check the input, check what is being sent, and verify that it is in fact a valid iptables command, and not an entry trying to execute anything else. You can always make sure that it removes the & and ; from any line that is sent to it. Second, you could set up the variables like so:
var0 for Add or Remove
var1 for INPUT or OUTPUT
var2 for protocol
var3 for source host
var4 for source port
var5 for destination host
var6 for destination port
var7 for ACCEPT/DENY/DROP
var8 for flags
if var3 is not null:
    var3a for source netmask
if var5 is not null:
    var5a for destination netmask
I'm only working on a few hours of sleep, but add a few functions to check each var, to make sure numbers are numbers, IPs consist of 4 fields with 3 periods, and so forth.
If you are still interested in doing such, I'll provide some more answers, and something more than some minuscule examples (for instance, this one does not take the MASQ, FORWARD and NAT tables into consideration).
Another option is to do it completely in Python as well. It would be a bit easier in terms of setting up the server (a Python-based server, like CherryPy, or using Twisted) and executing commands.
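The allow-list wrapper sketched above, written out as an added example in Python (the option mentioned in the post), not code from the thread or any poster. The field names (var0..var8 as "action", "chain", "src", ...), using REJECT where the post says DENY (iptables has no DENY target), and the sudo wrapper layout are assumptions; the key point is that arguments go to iptables as an argv list, so no shell ever parses them and a stray & or ; in a field cannot become a second command.

```python
import ipaddress
import re
import subprocess

# Allow-lists for the form fields described in the thread (var0..var8).
# Hypothetical field names; "DENY" is not an iptables target, so REJECT is used.
ACTIONS = {"Add": "-A", "Remove": "-D"}
CHAINS = {"INPUT", "OUTPUT"}
PROTOCOLS = {"tcp", "udp", "icmp"}
TARGETS = {"ACCEPT", "DROP", "REJECT"}
PORT_RE = re.compile(r"[0-9]{1,5}")


def build_iptables_argv(f):
    """Turn validated form fields into an argv list. Anything outside the
    allow-lists raises ValueError; no shell string is ever assembled."""
    if f.get("action") not in ACTIONS or f.get("chain") not in CHAINS:
        raise ValueError("bad action or chain")
    proto, target = f.get("protocol"), f.get("target")
    if proto not in PROTOCOLS or target not in TARGETS:
        raise ValueError("bad protocol or target")
    argv = ["/sbin/iptables", ACTIONS[f["action"]], f["chain"], "-p", proto]
    for host_key, mask_key, port_key, host_flag, port_flag in (
        ("src", "src_mask", "sport", "-s", "--sport"),
        ("dst", "dst_mask", "dport", "-d", "--dport"),
    ):
        host = f.get(host_key)
        if host:
            # ipaddress rejects anything that is not a dotted quad plus an
            # optional netmask, so "1.2.3.4; rm -rf /" never gets past here
            net = ipaddress.IPv4Network(f"{host}/{f.get(mask_key) or '32'}", strict=False)
            argv += [host_flag, str(net)]
        port = f.get(port_key)
        if port:
            if proto == "icmp" or not PORT_RE.fullmatch(port) or not 1 <= int(port) <= 65535:
                raise ValueError(f"bad {port_key}")
            argv += [port_flag, port]
    return argv + ["-j", target]


def is_valid(f):
    try:
        build_iptables_argv(f)
        return True
    except ValueError:
        return False


def apply_rule(f, runner=subprocess.run):
    """Run the rule via sudo without a shell; the sudoers entry should name
    this wrapper, not /sbin/iptables itself, for the web server user."""
    return runner(["sudo", "-n"] + build_iptables_argv(f), check=True, capture_output=True, text=True)
```

Running it as www-data still needs a sudoers entry for the wrapper; the validation above is what keeps that entry from becoming a general-purpose root shell.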
Thanks Kernel_Killer, redhead, Schotty for the effort to explain so much.
I think for now I just want to create a simple GUI interface to let the user select those iptables icons; when they execute it through PHP, it passes the information over to the shell script, with the shell script taking in the parameters from the PHP and then executing it.
I wrote a simple PHP file to get it to display on the web server, but it returns nothing.
- Is this the correct way to get this working?
- I can't seem to get the information back with shell_exec(), when this function is supposed to return a string, but I can't get it to display on the web server. Is there something that I forgot to install?
- How does the interaction between PHP and the shell script work, and how do I get it to display the content upon executing commands like "iptables -L"?
- But I found out that when I execute this PHP file on a command line, it works by displaying the content of "iptables -L", but I can't get it to work on Apache when I open http://localhost/test.php.
#test.php
Code:
<?php
// The command must be a plain string: PHP backticks would run it first and
// pass its output to shell_exec() as the command.
$string = shell_exec('sudo /sbin/iptables -L');
echo $string;
?>
When I go to http://localhost/test.php in the web browser, it returns nothing.
Sorry, my knowledge of PHP is still not good enough, hope that I am not wasting your time on this.
Thanks for the help in advance
Kernel_Killer, is there any sample source code for the mapping between the GUI interface and the executing of shell script commands that configure the kernel's iptables based on the GUI configuration?
Are you sure you're trying it out under absolutely correct conditions?...
I can't seem to get the information back with shell_exec(), when this function is supposed to return a string, but I can't get it to display on the web server. Is there something that I forgot to install?
...
But I found out that when I execute this PHP file on a command line, it works by displaying the content of "iptables -L", but I can't get it to work on Apache when I open http://localhost/test.php.
When you manually execute the line, you need to act as if you're the Apache server, meaning executing it with the same settings as Apache would use; on Debian this would be as the "www-data" user.
You can also turn on error display, then you can see if it's the PHP part that's not working correctly; try adding the following before the shell_exec() call:
Code:
error_reporting(E_ALL);
ini_set('display_errors', 1);