[KLUG Members] Re: iptables run as root

Bryan J. Smith members@kalamazoolinux.org
Tue, 15 Jan 2002 15:34:47 -0500


bill wrote:
> I've begun implementing IP masquerading using iptables
> (kernel 2.4, RH7.1).  In order to run the rc.firewall
> file, I have to be root.  If I'm not root, it won't run.
> Is that right?

You can answer questions like that with another question:

  "Should 'regular users' be able to change X at will?"
   Where "X" = "running kernel's network configuration"

If the answer is "hell no" then, yes, you have to be root.  ;-P 

[ You'll find that "question" answers such questions. ;-P ]

Now you _can_ setup the script to be executable by anyone, but the
"ipfilter" program will bark out an error about not being root. 
;-P  Unless, of course, you set the "SUID" flag so it _always_ runs
as root no matter who calls it -- which I do *NOT* recommend you do.
;->

> It doesn't make sense to have to leave the box running
> with root logged in.
> Any suggestions/explanations appreciated.

Why would you need to**?  "ipfilter" is not the firewall itself. 
All "ipfilter" is is a command to modify the running kernel's
network configuration -- specifically, the network filtering rules.

I.e. Linux _always_ has its "firewall code" 'running' -- but the
"default" 'rules' don't do much (other than basic IP spoof
detection, handling common attacks, floods, etc...).  You use
"ipfilter" to "enhance/site customize" those rules for specific
interfaces, protocols, etc...

So, just run your "rc.firewall" once at boot.  On RedHat,
/etc/rc.d/rc.sysinit (before the network is initialized) or
/etc/rc.d/rc.local (after the system-V init scripts have run,
including networking) are candidates.  I _think_ you can setup
"rules" even before the actual network interfaces are created/bound
(which might be the case in /etc/rc.d/rc.sysinit) -- but I'm not
sure.

-- Bryan

**P.S.  Remember, the phrase "logged in" under UNIX is different
than under Windows.  Not only can you have multiple users "logged
in" under UNIX, but a user need not have a "terminal/GUI session"
'running' for programs to run.  E.g., run "ping localhost &" and
then logout.  Note the "&" (ampersand) -- the "ping" program will
continue to run in the background, eating CPU time, despite the user
having "logged out."

-- 
Bryan J. Smith, Engineer        mailto:b.j.smith@ieee.org   
AbsoluteValue Systems, Inc.     http://www.linux-wlan.org
SmithConcepts, Inc.          http://www.SmithConcepts.com
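As an added illustration of the advice above (this is example code, not Bryan's or bill's script), here is a minimal rc.firewall for IP masquerading on a 2.4 kernel that refuses to do anything unless it is running as uid 0, and that can print its rule set for review without touching the kernel. The interface name eth0, the LAN range 192.168.1.0/24 and the /sbin/iptables path are assumed values.

```shell
#!/bin/sh
# rc.firewall (constructed example): load IP masquerading rules once at
# boot, e.g. by calling "/etc/rc.d/rc.firewall start" from rc.local.
# The values below are assumptions; adjust them for the actual host.
EXT_IF=${EXT_IF:-eth0}                 # interface facing the outside world
LAN_NET=${LAN_NET:-192.168.1.0/24}     # masqueraded internal network
IPTABLES=${IPTABLES:-/sbin/iptables}   # assumed path to the iptables binary

# iptables changes the running kernel's filter rules, so it only works as
# uid 0. Check once up front and give a clear message instead of letting
# every single rule fail with its own "not root" error.
require_root() {
    [ "$(id -u)" -eq 0 ]
}

# Emit the rules this script would load, one per line, so a reviewer can
# read or diff them without running anything (no root needed for this).
masq_rules() {
    cat <<EOF
-P FORWARD DROP
-A FORWARD -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -o $EXT_IF -j ACCEPT
-t nat -A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE
EOF
}

# Apply the rules: flush, enable forwarding, then load each line above.
# Returns 1 (and changes nothing) when not running as root.
load_rules() {
    if ! require_root; then
        echo "rc.firewall: must be run as root (uid 0), not uid $(id -u)" >&2
        return 1
    fi
    echo 1 > /proc/sys/net/ipv4/ip_forward
    "$IPTABLES" -F && "$IPTABLES" -t nat -F || return 1
    masq_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        "$IPTABLES" $rule || exit 1
    done
}

case "${1:-}" in
    start)  load_rules ;;
    show)   masq_rules ;;
esac
```

Running it as a regular user prints the root error and exits non-zero, which is exactly the behaviour the post describes; "show" works for anyone and is the safe way to review the rule set before it goes into rc.local.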