[KLUG Members] Re: iptables run as root
Bryan J. Smith
members@kalamazoolinux.org
Tue, 15 Jan 2002 15:34:47 -0500
bill wrote:
> I've begun implementing IP masquerading using iptables
> (kernel 2.4, RH7.1). In order to run the rc.firewall
> file, I have to be root. If I'm not root, it won't run.
> Is that right?
You can answer questions like that with another question:
"Should 'regular users' be able to change X at will?"
Where "X" = "running kernel's network configuration"
If the answer is "hell no" then, yes, you have to be root. ;-P
[ You'll find that "question" answers such questions. ;-P ]
Now you _can_ setup the script to be executable by anyone, but the
"ipfilter" program will bark out an error about not being root.
;-P Unless, of course, you set the "SUID" flag so it _always_ runs
as root no matter who calls it -- which I do *NOT* recommend you do.
;->
> It doesn't make sense to have to leave the box running
> with root logged in.
> Any suggestions/explanations appreciated.
Why would you need to**? "ipfilter" is not the firewall itself.
All "ipfilter" is is a command to modify the running kernel's
network configuration -- specifically, the network filtering rules.
I.e. Linux _always_ has its "firewall code" 'running' -- but the
"default" 'rules' don't do much (other than basic IP spoof
detection, handling common attacks, floods, etc...). You use
"ipfilter" to "enhance/site customize" those rules for specific
interfaces, protocols, etc...
So, just run your "rc.firewall" once at boot. On RedHat,
/etc/rc.d/rc.sysinit (before the network is initialized) or
/etc/rc.d/rc.local (after the system-V init scripts have run,
including networking) are candidates. I _think_ you can setup
"rules" even before the actual network interfaces are created/bound
(which might be the case in /etc/rc.d/rc.sysinit) -- but I'm not
sure.
-- Bryan
**P.S. Remember, the phrase "logged in" under UNIX is different
than under Windows. Not only can you have multiple users "logged
in" under UNIX, but a user need not have a "terminal/GUI session"
'running' for programs to run. E.g., run "ping localhost &" and
then logout. Note the "&" (ampersand) -- the "ping" program will
continue to run in the background, eating CPU time, despite the user
being "logged out."
--
Bryan J. Smith, Engineer mailto:b.j.smith@ieee.org
AbsoluteValue Systems, Inc. http://www.linux-wlan.org
SmithConcepts, Inc. http://www.SmithConcepts.com
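An added example, not code from the original post: a minimal rc.firewall for IP masquerading on a 2.4-series kernel, meant to be run once at boot as root, never SUID. It assumes a constructed layout (WAN on eth0, LAN 192.168.1.0/24 on eth1) and adds a hypothetical FW_DRY_RUN switch so an unprivileged user can review the exact iptables commands without touching the kernel.

```shell
#!/bin/sh
# rc.firewall (example): NAT masquerading rules, run once at boot as root.
# Assumed/constructed values: WAN eth0, LAN eth1 with 192.168.1.0/24.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
FW_DRY_RUN="${FW_DRY_RUN:-0}"   # 1 = print commands instead of running them

# Refuse to touch the running kernel unless uid 0; iptables would fail
# anyway, but checking first gives a clear message and a clean exit code.
require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "rc.firewall: must be run as root" >&2; return 1; }
}

# Run, or in dry-run mode print, one iptables invocation.
ipt() {
    if [ "$FW_DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

masquerade_rules() {
    # Start from a clean slate and default-deny forwarding.
    ipt -F
    ipt -t nat -F
    ipt -P FORWARD DROP
    # LAN hosts may go out; only replies to their connections may come back.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rewrite outbound source addresses to the WAN interface's address.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # Turn on IP forwarding (also a root-only write into /proc).
    if [ "$FW_DRY_RUN" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

main() {
    if [ "$FW_DRY_RUN" != "1" ]; then
        require_root || exit 1
    fi
    masquerade_rules
}

# Apply rules only when executed as the rc.firewall script, not when sourced.
case "$0" in *rc.firewall*) main "$@" ;; esac
```

Called from /etc/rc.d/rc.local as `/etc/rc.d/rc.firewall`, it loads the rules once; `FW_DRY_RUN=1 sh rc.firewall` prints them for review as any user.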