Thread: Need help with iptables

  1. #1
    Associate
    Join Date
    Apr 2008
    Posts
    11

    Need help with iptables

    Good afternoon people, I have some questions about iptables, since my teacher wanted me to build a web application to help end users configure the iptables of a Linux-based OS running on VMware Workstation v6. I was kind of puzzled since I do not know how to start. He was implying that I should build it using the PHP language and Apache2, and since PHP supports a remote terminal, is it possible that one can log in remotely to configure the iptables on the Linux machine?

    Can some kind souls help me with this?

    A thousand thanks

  2. #2
    Moderator
    Advisor
    redhead's Avatar
    Join Date
    Jun 2001
    Location
    Copenhagen, Denmark
    Posts
    811
    Configuring iptables requires root access; this is not a valid solution for a web-controlled app, and your teacher should know that running PHP/Apache solutions with root privileges is very bad.
    Don't worry Ma'am. We're university students, - We know what We're doing.
    'Ruiat coelum, fiat voluntas tua.'
    Datalogi - en livsstil; Intet liv, ingen stil.

  3. #3
    Associate
    Join Date
    Apr 2008
    Posts
    11
    Then is there no way out of this except configuring it using GUI tools like Firestarter and such? He just wanted something more interactive for the end user. Hmm, I think he's making things hard for us without knowing the solution himself. Sad.

  4. #4
    Associate
    Join Date
    Apr 2008
    Posts
    11
    I think that I have read about the issue: only the root user can execute iptables, and I found this website that I believe would allow access to iptables remotely, allowing apache to run as root without using a password. But is it a good way?

    Link:
    http://lunaticantics.blogspot.com/20...-with-php.html

    Oh yes, I am new to Ubuntu also; a lot more things to learn in the next 5 weeks before submission. Hope that it will work out fine.
    Thanks for your time

  5. #5
    Moderator
    Advisor
    redhead's Avatar
    Join Date
    Jun 2001
    Location
    Copenhagen, Denmark
    Posts
    811
    Just to clarify my earlier statement, a small quote from the article:
    Code:
    apache ALL = (root) NOPASSWD: /sbin/iptables

    This gives apache the ability to run the iptables command without the need for a password. Shock! Horror! Isn't that a security problem?

    Well, not really, the addition allows apache to run iptables, and that's it, nothing else.
    True, it will only allow apache to run iptables as root, but then again anyone and his grandmother will be able to get apache/php to execute something like
    Code:
    iptables -I INPUT -s <your IP> -j ACCEPT
    And the barn door is wide open for you.

    Not that it is impossible to implement some security measures, only allowing a certain host/interface to be the one executing the commands, but I'm just saying that relying on a control interface for something as critical as the control of your firewall settings is asking for exploitable holes.

  6. #6
    Moderator
    Good Guru
    Schotty's Avatar
    Join Date
    Jul 2001
    Location
    Milwaukee, WI
    Posts
    5,760
    Look, if you want remote access, use ssh to gain that; that will render you a command line. If you are accessing from a host running an X server, you can also set up remote access over the ssh session too, to have a GUI.

    On Windows, cygwin + ssh + X == remote X for free
    Dunno about the capabilities of PuTTY these days. I avoid Windows at all costs. Unless I am getting paid for it, I don't want to touch Windows.

    And if the site that is offering aid with your Apache setup is recommending using that root access to iptables, I would not accept their help ever again. That is the most irresponsible help I have ever read. That is asking to get hacked and owned.

  7. #7
    There are a few ways to still accomplish this without exposing your system to root hacks. The best way to secure it is to have a script run each of your PHP executes. You do not need to run your webserver with root access. Very bad idea. In each script, set them suid, make the owner the apache user, and make them not readable, just executable, and make sure they ONLY accept the commands and arguments you want to execute. The point behind having a script or application handle the system commands is to have whatever it executes check the input, check what is being sent, and verify that it is in fact a valid iptables command, and not an entry trying to execute anything else. You can always make sure that it removes the & and ; from any line that is sent to it. Second, you could set up the variables like so:

    var0 for Add or Remove
    var1 for INPUT or OUTPUT
    var2 for protocol
    var3 for source host
    var4 for source port
    var5 for destination host
    var6 for destination port
    var7 for ACCEPT/DENY/DROP
    var8 for flags

    if var3 is not null
    var3a source netmask

    if var5 is not null
    var5a dest netmask

    I'm only working on a few hours of sleep, but a few added functions to check each var, to make sure numbers are numbers, IPs consist of 4 fields with 3 periods, and so forth and so on.

    If you are still interested in doing this, I'll provide some more answers, and something more than some minuscule examples (for instance, this one does not take the MASQ, FORWARD and NAT tables into consideration).

    Another option is to do it completely in Python as well. It would be a bit easier in terms of setting up the server (a Python-based server, like cherry-py, or using py-twisted) and executing commands.
    arrogance breeds ignorance

    Screaming Electron, Full of BSD Goodness
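
The wrapper that post #7 describes, written out as an added example (this is not code from the thread or from any of the posters; FirewallRule, build_argv, rejects and apply_rule are names chosen here). It also addresses redhead's objection in post #5: in sudoers, a command listed without arguments may be run with any arguments, so `apache ALL = (root) NOPASSWD: /sbin/iptables` lets anything that can make PHP run a command rewrite the whole firewall. The wrapper accepts only the fixed fields from post #7, whitelists each one, and builds an argv list instead of a shell string:

```python
#!/usr/bin/env python3
"""Whitelisting wrapper between a web front end and iptables.

Added example, not code from the thread. It follows the design Kernel_Killer
sketches in post #7: the web layer hands over a fixed set of fields (his
var0..var8), every field is checked against a whitelist, and only then is an
argv list built for iptables. No shell is ever involved, so "&" and ";" do
not need stripping; they are simply not a valid chain, port or address.
FirewallRule, build_argv, rejects and apply_rule are this example's own names.
"""
import ipaddress
import subprocess
from dataclasses import dataclass
from typing import List, Optional

IPTABLES = "/sbin/iptables"              # path from the sudoers line quoted in post #5
ACTIONS = {"add": "-A", "remove": "-D"}  # var0
CHAINS = {"INPUT", "OUTPUT"}             # var1: filter table only, as in the post
PROTOCOLS = {"tcp", "udp", "icmp"}       # var2
TARGETS = {"ACCEPT", "DROP", "REJECT"}   # var7 ("DENY" is not an iptables target)


class InvalidRule(ValueError):
    """Raised for any field that is not on the whitelist."""


@dataclass(frozen=True)
class FirewallRule:
    action: str
    chain: str
    protocol: str
    target: str
    src: Optional[str] = None    # var3 (+var3a): "203.0.113.7" or "203.0.113.0/24"
    sport: Optional[str] = None  # var4
    dst: Optional[str] = None    # var5 (+var5a)
    dport: Optional[str] = None  # var6


def _choice(value: str, allowed, what: str) -> str:
    if value not in allowed:
        raise InvalidRule(f"{what} {value!r} not in {sorted(allowed)}")
    return value


def _port(value: str) -> str:
    # isdigit() alone already throws out "", "-1", "80;id" and "80 -j ACCEPT"
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        raise InvalidRule(f"bad port {value!r}")
    return str(int(value))


def _network(value: str) -> str:
    # ipaddress does the "4 fields, 3 periods" check properly, prefix length
    # included; a bare host address comes back canonicalised as a.b.c.d/32
    try:
        return str(ipaddress.ip_network(value, strict=False))
    except ValueError:
        raise InvalidRule(f"bad address {value!r}") from None


def build_argv(rule: FirewallRule) -> List[str]:
    """Validated rule -> iptables argv; raises InvalidRule on any bad field."""
    argv = [IPTABLES, ACTIONS[_choice(rule.action, ACTIONS, "action")],
            _choice(rule.chain, CHAINS, "chain"),
            "-p", _choice(rule.protocol, PROTOCOLS, "protocol")]
    if (rule.sport or rule.dport) and rule.protocol not in ("tcp", "udp"):
        raise InvalidRule("ports are only meaningful with tcp or udp")
    if rule.src:
        argv += ["-s", _network(rule.src)]
    if rule.sport:
        argv += ["--sport", _port(rule.sport)]
    if rule.dst:
        argv += ["-d", _network(rule.dst)]
    if rule.dport:
        argv += ["--dport", _port(rule.dport)]
    return argv + ["-j", _choice(rule.target, TARGETS, "target")]


def rejects(rule: FirewallRule) -> bool:
    """True when the wrapper refuses the rule."""
    try:
        build_argv(rule)
    except InvalidRule:
        return True
    return False


def apply_rule(rule: FirewallRule, run=subprocess.run) -> str:
    """Run the rule as root via sudo -n (an argv list, never a shell string).
    Assumes a sudoers entry that lets the web user run this wrapper as root."""
    argv = ["sudo", "-n"] + build_argv(rule)
    return run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    ok = FirewallRule("add", "INPUT", "tcp", "ACCEPT", src="203.0.113.0/24", dport="22")
    print(" ".join(build_argv(ok)))
    evil = FirewallRule("add", "INPUT", "tcp", "ACCEPT", src="0.0.0.0/0; rm -rf /")
    print("injection attempt rejected:", rejects(evil))
```

The safer sudoers shape is then to name the wrapper rather than iptables itself (for instance a hypothetical `/usr/local/sbin/fw-wrapper`, owned by root and not writable by the web user), so the only root-privileged entry point is the code that validates. As redhead notes later in the thread, test it the way Apache will run it, i.e. as the web server's user (`www-data` on Debian/Ubuntu), not from your own root shell.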

  8. #8
    Associate
    Join Date
    Apr 2008
    Posts
    11
    Thanks Kernel_Killer, redhead, Schotty for the effort to explain so much.

    I think for now I just want to create a simple GUI interface to let the user select those iptables icons; then when they execute it through PHP, it passes the information over to the shell script, with the shell script taking in the parameters from PHP and then executing it.

    1. Is this the correct way to get this working?
    2. I can't seem to get the information back with shell_exec(), when this function is supposed to return a string, but I can't get it to display on the web server. Is there something that I forgot to install?
    3. How does the interaction between PHP and the shell script work, and how do I get it to display the content upon executing commands like "iptables -L"?
    4. I found out that when I execute this PHP file on the command line, it works by displaying the content of "iptables -L", but I can't get it to work on Apache when I open http://localhost/test.php.
    I wrote a simple PHP file to get it to display on the web server, but it returns nothing.

    #test.php
    Code:
    <?php
    // Run the listing through sudo. The command goes to shell_exec() as a plain
    // string (the original used backticks here, which run the command first and
    // hand its output to shell_exec() as a second command). 2>&1 folds any sudo
    // or iptables error message into the returned string so it is not lost.
    $string = shell_exec('sudo /sbin/iptables -L 2>&1');
    echo $string;
    ?>

    When I go to http://localhost/test.php in the web browser, it returns nothing.



    Sorry, my knowledge of PHP is still not good enough; I hope that I am not wasting your time on this.
    Thanks for the help in advance

  9. #9
    Associate
    Join Date
    Apr 2008
    Posts
    11
    Kernel_Killer, is there any sample source code for the mapping between the GUI interface and the executing of shell script commands that configure the kernel's iptables based on the GUI configuration?

  10. #10
    Moderator
    Advisor
    redhead's Avatar
    Join Date
    Jun 2001
    Location
    Copenhagen, Denmark
    Posts
    811
    ...
    I can't seem to get the information back with shell_exec(), when this function is supposed to return a string, but I can't get it to display on the web server. Is there something that I forgot to install?
    ...
    I found out that when I execute this PHP file on the command line, it works by displaying the content of "iptables -L", but I can't get it to work on Apache when I open http://localhost/test.php.
    Are you sure you're trying it out under absolutely correct conditions?

    When you manually execute the line, you need to act as if you're the apache server, meaning executing it with the correct settings as apache would use; on Debian this would be as the "www-data" user.

    You can also turn on error display; then you can see if it's the PHP part that's not working correctly. Try adding
    Code:
    error_reporting(E_ALL);
    ini_set('display_errors', 1);

    before the shell_exec() call.
