Currently I have a little fedora box doing my routing at home. It secure, fast and powerful, but I need a easy way to forward ports to local machines.

There are two network cards, eth0 and eth1. eth0 is the internet, eth1 is local net with subnet 192.168.100.XXX

I wrote out a little script in PHP to forward ports to it, but in order for PHP (which is on top of Apache, which runs as user apache) to interface with iptables, I needed to add apache to the sudoers file, and use exec() to sudo and execute the iptables command as root.

As you can guess, this is horribly insecure and i'm hoping there was a cleaner or more elegant way to do it. I've seen scripts like the babel.com.au/phpfwgen/ that can do it, i'm not sure how they do it. I tried to go through their code, but its so dirty and hard to follow I gave up after a few hours.

Any thoughts?

thanks

--AtomicFire

If you need to perform some selective piviliged actions from apache level, I'd recommend writing a simple daemon that runs with the privileges you need and receives a commands from unprivileged processes (apache) through something, for example pipe to which apache can write. Then the daemon executes the desired command for apache. This way you can control what operations are permited and what aren't on the level of this daemon and your apache can still run with the lowest possible privileges. It would be easy and efficient with Perl but you can choose whatever you prefer to implement the daemon.