
How could I check if iptables is running OK on a machine, using a restricted-permission user?

I need to monitor this...

BR, thanks for the great site!!!

criss
  • UPDATE: Since I'm trying to do this with a script, I'm getting ---->>>> sudo:: sorry, you must have a tty to run sudo. Any ideas? – criss Aug 18 '09 at 13:41
  • update: What about a dummy iptables rule? :) I could set up a dummy rule and then any user/script could test with a ping or telnet... What do you think? – criss Aug 18 '09 at 14:03

1 Answer


iptables needs to be run as root. You can solve this by using sudo and restricting a particular user to a particular command line. Run visudo and add the following line:

restricteduser    ALL = NOPASSWD: /sbin/iptables

and now your restricted user can run:

$ sudo /sbin/iptables -L -v

They will be able to modify your firewall configuration if you enable them to run iptables.

David Pashley
  • You can also restrict the arguments allowed for the command by adding them after /sbin/iptables, like "restricteduser    ALL = NOPASSWD: /sbin/iptables -L -v" (but I don't know enough iptables to tell whether putting -L prevents the use of other switches that could change the config). – radius Aug 17 '09 at 17:13
  • Note that other arguments can be forbidden by using !. But this is greatly explained in the sudoers man page. – radius Aug 17 '09 at 17:23
    Greatly explained, but not clearly explained. :) The sudoers manpage is not the best written document in the world. But +1 for the comment. – David Pashley Aug 17 '09 at 17:32
  • I've wrapped this kind of thing in a C program that checks a couple of things and then runs the command. Depending on the platform and local policies, the program gets run under sudo or is installed setuid. The program can be written in languages other than C; a lot of people would use Perl or Python for this kind of task. – Rik Schneider Aug 17 '09 at 17:41
  • You could also replace ALL with the actual hostname. – fpmurphy Aug 17 '09 at 19:31
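As an added example (not code from the question, the answer or the commenters), a POSIX shell check that a monitoring user can run through the sudo rule above; it assumes the sudoers lines shown in its comments, uses constructed `iptables -L -v` output for offline testing, and exits with Nagios-style codes when run with `--live`:

```shell
#!/bin/sh
# Constructed `iptables -L -v` output (not from the thread) so the check can
# be exercised without root. First: a loaded ruleset; second: the bare,
# all-ACCEPT table you see when no firewall rules have been applied.
SAMPLE_RULES='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  934 61234 ACCEPT     all  --  lo     any     anywhere             anywhere
   17  1020 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh

Chain OUTPUT (policy ACCEPT 1200 packets, 90000 bytes)
 pkts bytes target     prot opt in     out     source               destination'
SAMPLE_EMPTY='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# check_ruleset: reads `iptables -L -v` output on stdin and returns 0 only if
# the INPUT chain has a DROP/REJECT policy or at least one rule. Header lines
# start with " pkts"; rule lines start with a counter, possibly K/M/G-suffixed.
check_ruleset() {
    awk '
        /^Chain INPUT/ { in_input = 1
                         if ($0 ~ /policy (DROP|REJECT)/) policy_ok = 1
                         next }
        /^Chain /      { in_input = 0 }
        in_input && /^ *[0-9]+ +[0-9]+[KMG]? / { rules++ }
        END { exit (policy_ok || rules > 0) ? 0 : 1 }'
}

# fetch_ruleset: what the monitoring user actually runs on the host.
# `sudo -n` never prompts, so from cron (no tty) a missing sudoers entry fails
# fast instead of hanging. Matching visudo lines (assumed, extending the
# answer): listing the arguments makes sudo accept only that exact command
# line, and !requiretty clears the "must have a tty" error from the update.
#   Defaults:restricteduser !requiretty
#   restricteduser ALL = NOPASSWD: /sbin/iptables -L -v
fetch_ruleset() {
    sudo -n /sbin/iptables -L -v 2>/dev/null
}
# Usage on a real host (Nagios-style exit codes): ./check_fw.sh --live
if [ "${1:-}" = "--live" ]; then
    out=$(fetch_ruleset) || { echo "CRITICAL: cannot run iptables via sudo"; exit 2; }
    if printf '%s\n' "$out" | check_ruleset; then
        echo "OK: firewall rules loaded"
    else
        echo "CRITICAL: INPUT chain is empty with ACCEPT policy"; exit 2
    fi
fi
```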