LinuxQuestions.org
Old 09-08-2003, 03:05 PM   #1
hkerssies
LQ Newbie
 
Registered: Sep 2003
Posts: 2

Rep: Reputation: 0
php and iptables


I have a question about php and a batch program that uses iptables.
This is what I want to do:
A web page with a button that adds an iptables rule or deletes a rule.
I have a script but you have to be root to use iptables.
I have tried to set the suid bit and now the file has rxsrxsr-x root:root
but still has the problem that it is apache and not root who runs it.

What I want is to turn the internet on and off in different subnets of the network. If there is an easier way of doing this with a web page please give me a hand.
Thanks for your time in dealing with this problem
Hans (Holland)
 
Old 09-08-2003, 04:03 PM   #2
KendersPlace
Member
 
Registered: Feb 2003
Location: Phoenix, AZ - USA
Distribution: RedHat 8, Micro$haft
Posts: 33

Rep: Reputation: 15
I played with this same problem a few months back - using php via apache to open and close ports in a remote firewall so I didn't have to hand out root level ssh logins to the "part time" web admins.

It was a challenge, but here's what I did... (RedHat 8, but you should be able to figure it out for whatever distro you use).

Edit your "sudoers" file. /etc/sudoers
Add this entry at the bottom:

apache ALL=NOPASSWD: /sbin/iptables

This will allow apache user to issue commands to iptables.

Then, write your php script like this...

PHP Code:
<?php
// Build the rule (the sudoers entry above lets the apache user run /sbin/iptables via sudo)
$open_rule = "sudo /sbin/iptables -A TABLENAME -s 123.123.123.123 -j ACCEPT";

// Execute the rule on the system
`$open_rule`;
?>
Each time this script is executed, you will see an entry showing what was executed in your /var/log/secure log so you can keep an eye on what's happening.

As a side note and a tip... I also include in my script a piece that will write each "open rule" to a MySQL table. Then, to reverse the rule, all I have to do is read the entry from the table, replace the "-A" with "-D" and issue the same command again, and it will delete the rule from iptables, so I can easily open, then turn around and close the remote ports easily.

I'm sure you could use the same logic to run "iptables -L" and display the current firewall configuration on a web page for the user to see also for remote management, though I've never actually tried this.

Hope that helps. Took me about 2 or 3 days to figure this out on my own.
 
Old 09-09-2003, 04:51 AM   #3
hkerssies
LQ Newbie
 
Registered: Sep 2003
Posts: 2

Original Poster
Rep: Reputation: 0
I did this:
Edit your "sudoers" file. /etc/sudoers
Add this entry at the bottom:

apache ALL=NOPASSWD: /sbin/iptables

This will allow apache user to issue commands to iptables.

and I added a user hans so that I can test this faster, but still I can't execute iptables as user hans.

Did you change the permissions on the file iptables or is the owner still root?

It's nice that it works; this gives me hope it will work in the near future.
 
Old 10-22-2003, 02:14 PM   #4
wytcld
LQ Newbie
 
Registered: Oct 2003
Location: VT
Distribution: Gentoo
Posts: 2

Rep: Reputation: 0
Using sudo with php

Great idea.

The sketch of a php script from Kenders was not fleshed out. A working script looks more like:

Code:
<?php
// REMOTE_ADDR is set by the web server from the connection, not from a request header;
// it is still passed through escapeshellarg so it reaches iptables as a single argument.
// sudo works because of the sudoers entry from the earlier post.
$command = "iptables -t nat -I PREROUTING -p tcp -s " . escapeshellarg($_SERVER['REMOTE_ADDR'])
    . " -d 123.123.123.123 --dport 22 -j DNAT --to 192.168.1.1";
exec("sudo $command");
?>
This example is DNAT'ing a remote user to port 22 on an internal machine after they log into the page (which is password protected on Apache/Mod-SSL). Of course, you probably want to do something different.
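The approach from Kenders' and wytcld's posts, as an added example that is not code from this thread: a PHP helper for the original poster's use case that validates the subnet before it reaches a shell, builds the rule with the full /sbin/iptables path named in the sudoers entry, and reverses it with the same "-A" to "-D" swap Kenders describes. The FORWARD chain, the DROP target and the 192.168.10.0/24 subnet are assumptions.

```php
<?php
// Added example (not from this thread). Assumes the sudoers line from post #2
// (apache ALL=NOPASSWD: /sbin/iptables); the FORWARD chain and the sample
// subnet below are constructed assumptions, not values from the thread.

// Accept only an IPv4 address or CIDR block, so nothing else can reach a shell.
function valid_subnet(string $subnet): bool {
    $parts = explode('/', $subnet, 2);
    if (filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    if (count($parts) === 2 && !(ctype_digit($parts[1]) && (int)$parts[1] <= 32)) {
        return false;
    }
    return true;
}

// Build the command for adding (-A) or deleting (-D) a DROP rule for the subnet
// in the FORWARD chain: the same "-A" to "-D" swap Kenders uses to reverse a rule.
// The full path matches the sudoers entry; escapeshellarg keeps the value one word.
function build_rule(string $action, string $subnet): string {
    if (!in_array($action, ['A', 'D'], true)) {
        throw new InvalidArgumentException("action must be A or D");
    }
    if (!valid_subnet($subnet)) {
        throw new InvalidArgumentException("rejected subnet: $subnet");
    }
    return 'sudo /sbin/iptables -' . $action . ' FORWARD -s '
        . escapeshellarg($subnet) . ' -j DROP';
}

// Run the rule and return whether iptables accepted it; the exit status, not
// the output, tells us that. Each call is also logged for later review.
function apply_rule(string $action, string $subnet): bool {
    $cmd = build_rule($action, $subnet);
    exec($cmd . ' 2>&1', $output, $status);
    error_log("iptables exit $status: $cmd " . implode(' ', $output));
    return $status === 0;
}

// Usage: cut a subnet off, then restore it by deleting the identical rule.
$subnet = '192.168.10.0/24';   // constructed sample value
echo build_rule('A', $subnet), "\n";
echo build_rule('D', $subnet), "\n";
// apply_rule('A', $subnet); apply_rule('D', $subnet);  // needs the sudoers entry
```

The sudoers line grants the apache user unrestricted use of iptables, so the validation in the script is the only thing deciding which arguments a web request can turn into a firewall change; keep reviewing /var/log/secure as Kenders suggests.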