User configuring iptables

Eric Diamond eric at ediamond.net
Wed Jun 16 15:04:40 UTC 2004


Wednesday, June 16, 2004 8:24 AM maynard at kopano.uct.ac.za asked:
> Is there any way that a user can tell iptables to allow a 
> user to specify additional ports to block other than the ones 
> in the 'root' iptables configuration. I do not know if there 
> are security implications in this, but all that iptables 
> would have to do was to look for further disallows in the 
> current user's config directory, maybe under ~/.iptables/

> I am trying to run firestarter as a user level application, 
> i.e., without needing the root password every time I run it.

Nope - Can't do it without compromising the security of your machine. 

The problem here is that netfilter, the linux firewall, is implemented
in the kernel. This is what makes it both so fast and so secure. As
such, you must be root to make changes to it.

From the sound of your post, I gather that you are used to user space
firewalls such as exist in the windows world. These can have different
settings for different users because they are just applications rather
than an integral part of the OS. Also, being apps, they usually have
relatively high system resource use and many don't actually secure a
machine unless a user is logged in. A machine that is booted but not
logged into is left wide open... :(

One way to implement what you desire in linux is to use a dedicated FW
box that has squid and squidguard running. Squidguard is an add-on to
squid that does url blocking. It can be configured in conjunction with
squid's user authentication to have different rule sets for each user.
I'm sure there are other approaches, but this is the one I'd push were I
in your shoes.

Eric Diamond
eDiamond Networking & Security
eric<at>ediamond[dot]net
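
Added example (not part of Eric's post): a squid.conf fragment showing the approach he suggests, a site-wide block list enforced for everyone plus extra per-user block lists keyed off squid's proxy authentication. The helper path, password file, user names and list file names are assumptions for illustration.

```squid
# squid.conf fragment (added example, not from the original post).
# Per-user destination blocking using squid's own proxy authentication.
# Paths, user names and list files below are assumptions for illustration.

# Authenticate proxy users against an htpasswd-style file (ncsa_auth helper).
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

# Anyone who wants through the proxy must authenticate.
acl authenticated proxy_auth REQUIRED

# Per-user identities, matched on the authenticated user name.
acl user_alice proxy_auth alice
acl user_bob   proxy_auth bob

# Site-wide block list (the "root" policy): applies to every user.
acl blocked_all dstdomain "/etc/squid/blocked-all.txt"

# Additional per-user block lists (the "extra disallows" from the question),
# one file per user, kept on the proxy host and owned by root.
acl blocked_alice dstdomain "/etc/squid/blocked-alice.txt"
acl blocked_bob   dstdomain "/etc/squid/blocked-bob.txt"

# Order matters: squid stops at the first http_access line that matches.
http_access deny blocked_all
http_access deny user_alice blocked_alice
http_access deny user_bob   blocked_bob
http_access allow authenticated
http_access deny all
```

Because the per-user files live on the proxy host rather than in a user's home directory, a user can ask for additions but cannot weaken the site-wide list, and the policy applies whether or not anyone is logged in on the client machine. After editing a list, `squid -k reconfigure` reloads the configuration without dropping the proxy.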