On Mon, 2005-02-21 at 06:33, Michael Jürgens wrote:
> Hi,
>
> I'm looking for a solution to provide a non root user write access to a
> chain.
>
> In this special case I have to provide a mechanism to block some ip
> addresses to connect to http.
> But this should be done by a non root user. The non root user should not
> change any other rule.
>
> Any ideas?

use sudo?

Host_Alias LOCALHOST = thishostname
User_Alias U_HTTP = youruser
Cmnd_Alias C_HTTP = /sbin/iptables -A blockhttp -s * -j DROP

U_HTTP LOCALHOST = C_HTTP

...or if this is scripted:

U_HTTP LOCALHOST = NOPASSWD: C_HTTP

obviously--there's opportunity for abuse here--but it's the best i've come up with. if you front-end this with a script, it will allow you to scrub/check/validate the input much more extensively (which is what i actually do).

-j

--
"Oh look at me! I'm making people happy! I'm the magical man from Happyland, in a gumdrop house on Lollipop Lane!" --The Simpsons
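Added example, not part of the original message: one way to write the front-end script the reply mentions, so that sudo grants the wrapper rather than a wildcard iptables command (a `*` in a sudoers command line also matches spaces, so it accepts extra options after the address). The install path /usr/local/sbin/block-http, the function names, the DRY_RUN switch and the PROTECTED addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example: sudo front-end for "iptables -A blockhttp -s <ip> -j DROP".
# Assumed install path /usr/local/sbin/block-http (root-owned, not writable by
# the user); sudoers would then name this script instead of iptables itself.

IPTABLES=/sbin/iptables            # path used in the sudoers entry above
CHAIN=blockhttp                    # chain name used in the sudoers entry above
PROTECTED="127.0.0.1 192.0.2.10"   # constructed sample: never block these

# Succeed only for one dotted-quad IPv4 host address.
valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # no options, spaces, '/', names
    esac
    rest="$ip."
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        n=$((n + 1))
        case $octet in
            ????*|0?*) return 1 ;;            # too long, or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Syntax check plus the operator's do-not-block list.
allowed_target() {
    valid_ipv4 "$1" || return 1
    for p in $PROTECTED; do
        if [ "$1" = "$p" ]; then return 1; fi
    done
    return 0
}

# Append the DROP rule with a fixed argv; only the address comes from the caller.
block_http() {
    [ "$#" -eq 1 ] || { echo "usage: block-http <ipv4-address>" >&2; return 2; }
    allowed_target "$1" || { echo "refused: not an allowed IPv4 host address" >&2; return 1; }
    # DRY_RUN=1 prints the command instead of running it.
    ${DRY_RUN:+echo} "$IPTABLES" -A "$CHAIN" -s "$1" -j DROP
}

# Run only when called with arguments, so the file can also be sourced.
[ "$#" -eq 0 ] || block_http "$@"
```

With this in place the sudoers alias would point at the wrapper (Cmnd_Alias C_HTTP = /usr/local/sbin/block-http) and the user would run it as: sudo /usr/local/sbin/block-http 203.0.113.7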