用cgi动态更改iptables规则

时间：2006-02-01 来源：ruiqingzheng

想实现通过apache的认证页面访问sendip.cgi后在iptables中对通过验证的这个ip开放某功能 1. 最好是只对组用户开放suid属性但是不知道为什么还是提示错误只有对other用户也开放suid了

chmod 4711 /sbin/iptables
chown .nobody /sbin/iptables

2. 更改或添加一个apache用户

$apache/bin/htpasswd /usr/local/apache/conf/passwords juey

3. 配置cgi需要验证

vi $apache/conf/httpd.conf

<Directory "/var/www/html/cgi-bin/">
    AllowOverride AuthConfig
#   AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

vi /var/www/html/cgi-bin/.htaccess

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/conf/passwords
<Files sendip>
Require user juey
</Files>
<Files check.cgi>
Require user juey
</Files>

4. 用shell写个简单的cgi页面

#!/bin/bash
# fileName: sendip
echo "Content type: text/html"
echo ""

echo "$REMOTE_ADDR"
iptables -L INPUT | grep "^ACCEPT" | awk '{print $4}'| grep -o "$REMOTE_ADDR"

[ $? -eq 0 ] || /sbin/iptables -I INPUT -s $REMOTE_ADDR -p tcp --dport 4567 -j ACCEPT

jscript中onunload事件
http://blog.iyi.cn/start/2005/12/post_98.html

</BODY>
</HTML>

相关阅读更多 +