How to manipulate iptables rules from the web script - c

I have a linux box with web serverthe has 2 running services:
web proxy (listens ports 80, 443)
apache (listens port 8080)
The users for proxy can register through web interface. I must give access to proxy only to the registered clients with certain IPs. Proxy is a handwritten script, and I have to use iptables to block the access. I wrote the following rules:
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s <valid IP 1> -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s <valid IP 2> -j ACCEPT
...
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s <valid IP n> -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
It works. But when a new user is added through web interface, Apache launches a script as a non-root user. And I have to run iptables as root.
I can't set suid bit for a program, written in a scripting language, so I created a C program updater.c:
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char* argv[])
{
int result = system("iptables -L");
printf("\nresult=%i", result);
return 0;
}
Then I compiled it:
# gcc -o updater ./updater.c
# chmod +s ./updater
When I run it as a non-priviledged user in shell it works correctly: prints all the iptables rules.
When I run it from the web, calling the program inside a shell script, it doesn't print anything. Despite the fact, that when I tried to create a file inside this C program, it was created with owner=root. system("ls -l"); also works - it prints the directory listing.
How can I manipulate iptables rules from the web script?

When you call system("iptables -L"); you may or may not be able to find iptables, depending on your PATH environment variable. You should prepend the path to where the binary is so that you know it will be found:
int result = system("/sbin/iptables -L");

Related

How can I debug QEMU with one terminal?

I am working on a moon rover for Carnegie Mellon University which will be launching next year. Specifically, I am working on a flight computer called the ISIS OBC (On Board Computer) and I am trying to find out how to first run QEMU in a terminal in the background, and then run GDB to connect to the QEMU instance I just backgrounded. I have tried running QEMU in the background with & as well as using the flag -daemonize but this causes QEMU's GDB server to not work at all.
The overarching goal is to be able to debug our flight software in GDB in one terminal window so that I can run it from inside a Docker container mounted on the repository's root. It takes a bit of setup to get be able to debug our code, with a couple of gotchas like incompatibility with newer versions of GCC, so being able to run the CODE and debug it from inside a Docker container (which has all our other development dependencies installed too) is a must.
My current solution was to just run QEMU in another gnome-terminal I initialized in the startup script completely outside of the docker container, but this will not work in Docker for obvious reasons. Here is that code in case the additional context is helpful:
#!/bin/bash
#The goal of the below code is to get the stdout from QEMU piped into GDB.
#Unfourtunately it appears that QEMU must be started as the FG in its own window so that it will
#start its GDB server, so an additional window is required.
my_tty=$(tty)
gnome-terminal -- bash -c './../obc-emulation-resources/obc-qemu/iobc-loader -f sdram build/app.isis-obc-rtos.bin -s sdram -o pmc-mclk -- -serial stdio -monitor none -s -S > /tmp/qemu-gdb; $SHELL' --name="QEMU-iOBC" --title="QEMU-iOBC" -p
tail -f /tmp/qemu-gdb > $my_tty&
./third_party/gcc-arm-none-eabi-10.3-2021.07/bin/arm-none-eabi-gdb -ex='target remote localhost:1234' -ex='symbol-file build/isis-obc-rtos.elf'
# Kill any leftover qemu debugging sessions
kill $(ps aux | grep '[i]obc-loader' | awk '{print $2}')
# Delete intermediate file
rm -f /tmp/qemu-gdb
# Get's rid of any extra text that may occur
echo ""
clear
I would much prefer to run something like this to achieve my goal:
./../obc-emulation-resources/obc-qemu/iobc-loader -f sdram build/app.isis-obc-rtos.bin -s sdram -o pmc-mclk -- -serial stdio -monitor none -s -S > /tmp/qemu-gdb
rather than what I am running now:
gnome-terminal -- bash -c './../obc-emulation-resources/obc-qemu/iobc-loader -f sdram build/app.isis-obc-rtos.bin -s sdram -o pmc-mclk -- -serial stdio -monitor none -s -S > /tmp/qemu-gdb; $SHELL' --name="QEMU-iOBC" --title="QEMU-iOBC" -p
"iobc-loader" is a wrapper used to run the QEMU command by the way."app.isis-obc-rtos.bin" is of course the binary I am trying to run and "isis-obc-rtos.elf" contains the symbols used to debug it. Apologies if the answer is obvious, I am a student!
You can try using a terminal multiplexer like screen or tmux, which allow you to run each command in foreground in a separate virtual terminal.
You can also create panes, for example with tmux press Ctrl+b " to split the screen horizontally or Ctrl+b % to split it vertically, then Ctrl+b o to cycle between them.
Using tmux is definitely the easiest approach, especially with its built in CLI support.
You could write a script similar to this one:
tmux start-server
tmux new-session -d -s debug-session -n isis -d "<cmd1>";"<cmd2>"
Where cmd1 is your QEMU execution script, and cmd2 is another script that runs the docker you want to use for debugging.

How do I run wireguard (or wg-quick) for a single program?

I need to run wireguard only for a single program, and have the rest of my system not use it. Is this possible or doable? I'm currently using wg-quick
Yes you can, using network namespaces.
First let's create the wireguard namespace:
ip netns add wireguard
Then, we create a wireguard interface in your standard namespace
ip link add wg0 type wireguard
(You can configure the interface here)
We move it to the wireguard namespace
ip link set wg0 netns wireguard
And now, you can run a process in the wireguard namespace using
sudo -E ip netns exec wireguard sudo -E -u \#$(id -u) -g \#$(id -g) YOUR_PROCESS_CMD
You should read this for more information: https://www.wireguard.com/netns

scp through intermediate hosts

I am trying to scp files to and from a remote server through an intermediate host. I can successfully do the following:
Scp from remote server (lome.1470mad.mssm.edu) to local desktop through intermediate host (shell.mssm.edu):
scp -r -o 'Host lome.1470mad.mssm.edu' -o 'ProxyCommand ssh hernam13#shell.mssm.edu nc %h %p' matt#lome.1470mad.mssm.edu:/dir1/matt/ .
But I am having trouble copying files in the other direction (from local host to lome.1470mad.mssm.edu through the intermediate host (shell.mssm.edu).
Can someone please clarify on how to do this?
Thanks!
It should just work the other way round (switching source and destination):
scp -r -o ProxyCommand="ssh -W %h:%p hernam13#shell.mssm.edu" local.file matt#lome.1470mad.mssm.edu:/dir1/matt/
The -o 'Host lome.1470mad.mssm.edu' is no useful. The ProxyCommand ssh hernam13#shell.mssm.edu nc %h %p is better to use -W switch to ssh. If it does not work, what errors you get?

Mysqldump connecting issue

I'm trying to make dump with next command:
mysqldump -v -u root -p -h 127.0.0.1 -P 3308 -x --add-drop-table
--add-locks --create-options -K -e -q -A > database.sql
The result (after password input) is message "Connecting to 127.0.0.1...". After this is nothing (no any errors, just waiting).
database.sql is empty file.
Why I see no any activity? Is it bug?
From http://linuxcommand.org/man_pages/mysqldump1.html
The password to use when connecting to the server. If you use the
short option form (-p), you cannot have a space between the option and
the password. If you omit the password value following the --password
or -p option on the command line, you are prompted for one.
The system may be waiting for you to input a password.
If you want to avoid that just add the password in the command. Assuming your password is "FLOWER":
mysqldump -v -u root -pFLOWER -h 127.0.0.1 -P 3308 -x --add-drop-table --add-locks --create-options -K -e -q -A > database.sql
This problem, as you describe it, can be caused by the mysql server not running or not being available on the host (in your case, localhost), or it is running but not on that port.
What kind of a system is it? If it is a flavor of linux/unix, you can run
ps -ef|egrep mysql
to see if the mysql server is running. Check the equivalent command on Windows or whatever else you may be running. Also, you can verify that this is the problem by seeing if this works:
mysql -u root -p -h 127.0.0.1 -P 3308
The solution is to start the server:
/etc/init.d/mysqld start
or the equivalent on your system.
Note: if it is running, determine what port it is on - it is possible that you are not specifying the right port number. The default is 3306 - it is unusual that you are using a non-standard port.

Port Redirection not working (80->3306)

i have got a new Linux Server (Debian 6.0) with a Database (MySQL) which is accessed by Port 3306 like as usual.
Now I'd like to access the database due port problems of some users (because port 3306 is often blocked by network firewalls) by port 80 or 443. So the transfer must be redirected from Port 80 to 3306 to keep the Database working.
I have tried following command:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3306
but I got following error:
iptables: No chain/target/match by that name.
Does anyone can help me solve this problem? The NAT table is empty (PREROUTING,POSTROUTING,OUTPUT have no entries) (checked with iptables -t nat -n -L)
In iptables Kernel modules required for NAT functionality:
Run following command to load modules in kernel:
# modprobe iptable_nat
# modprobe ipt_REDIRECT
Make sure you have above modules compiled in kernel:
[root#instructor tmp]# grep REDIRECT /boot/config-$( uname -r )
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_BRIDGE_EBT_REDIRECT=m
In VPS Server:
Enable modules on host server using modprobe command
Execute following command from the host server to enable all the modules for the VPS
vzctl set VEID --iptables iptable_nat --iptables ipt_REDIRECT
Add rules in file /etc/vz/conf/veid.conf
IPTABLES="iptable_nat ipt_REDIRECT"

Resources