On Mon, 2005-02-21 at 06:33, Michael Jürgens wrote:
>
> I'm looking for a solution to provide a non root user write access to a
> chain.

I've written up some stuff using sudo in order to create an auditing trail. You can read about it here:

http://www.loganalysis.org/sections/parsing/application-specific/firewall-logging.html#iptables

> his special case I have to provide a mechanism to block some IP
> addresses to connect to http.
> But this should be done by a non root user. The non root user should not
> change any other rule.

The problem is you can not set permissions to different iptables switches. So granting a person access to the binary implies they will be able to do pretty much anything they want.

You might be able to create a front end that accepts just an IP address, and then the back end fills out the rest of the command, but you would need really good data scrubbing to ensure that only IP addresses are accepted, not command line switches. You would also need to ensure that the user does not have direct access to the binary.

HTH,

Chris
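A front end of the kind Chris describes, as an added example that is not from the thread: a POSIX shell wrapper that takes exactly one argument, accepts it only if it is a plain dotted-quad IPv4 address, and only then runs the fixed iptables command, so no caller-supplied switches ever reach the binary. The chain name HTTP_BLOCK, the script path, the user name and the sudoers line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: chain HTTP_BLOCK,
# binary /sbin/iptables, script installed as /usr/local/sbin/block-http.
# Intended sudoers line (assumption), so the user gets this script only,
# never the iptables binary itself:
#   webops ALL=(root) NOPASSWD: /usr/local/sbin/block-http
CHAIN="HTTP_BLOCK"
IPTABLES="/sbin/iptables"

# Returns 0 only for a plain dotted-quad IPv4 address: four decimal octets,
# each 0-255, no leading zeros. Anything else (switches, CIDR ranges,
# hostnames, shell metacharacters, trailing text) is rejected.
valid_ipv4() {
    _ip="$1"
    [ -n "$_ip" ] || return 1
    case "$_ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs="$IFS"; IFS=.
    set -- $_ip
    IFS="$_old_ifs"
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in 0?*) return 1 ;; esac
        [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Prints the fixed command the back end will run for an already-validated
# address; the caller's input only ever appears as the -s argument.
build_rule() {
    valid_ipv4 "$1" || return 1
    printf '%s -A %s -s %s -p tcp --dport 80 -j DROP\n' "$IPTABLES" "$CHAIN" "$1"
}

# Validates, writes an audit line naming the invoking user, then runs the rule.
run_rule() {
    valid_ipv4 "$1" || { echo "rejected: '$1' is not an IPv4 address" >&2; return 1; }
    logger -t block-http "${SUDO_USER:-$(id -un)} added DROP for $1 to $CHAIN"
    "$IPTABLES" -A "$CHAIN" -s "$1" -p tcp --dport 80 -j DROP
}

# Only act when invoked with exactly one argument.
if [ $# -eq 1 ]; then
    run_rule "$1"
fi
```

The logger line is what ties this to the sudo audit trail from the link above: sudo records who ran the wrapper, and the wrapper records which address was added.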