
When running the following script as user ec2-user, I get the error message "iptables v1.4.18: can't initialize iptables table `filter': Permission denied (you must be root)".

Script:

#!/bin/sh
# Offending IP as detected by mod_evasive
# (assumed for runnability: IPTABLES may be preset in the environment and the
#  offending IP is passed as the first argument; defaults added here)
IPTABLES=${IPTABLES:-/sbin/iptables}
IP=${IP:-$1}
# Add the following firewall rule (block IP)
$IPTABLES -I INPUT -s "$IP" -j DROP

How can I run iptables as a non-root user to block an IP address?

NB: This script is usually called by mod_evasive

AlexR

4 Answers


Set the setuid bit on the script, so that it always runs as root.

chown root myscript
chmod u+s myscript
Michael Hampton
  • Hi Michael, when trying to run the script, I do get the error message: command not found. What permissions would I need to change? Any idea? – AlexR Oct 12 '14 at 16:02
  • What command is not found? – Michael Hampton Oct 12 '14 at 16:09
  • The script itself: When I enter the command in bash: "sudo ban_ip.sh 94.201.234.1xx", I do get: "sudo: ban_ip.sh: command not found". But the script file is there. – AlexR Oct 12 '14 at 16:11
  • @AlexR Why are you trying to sudo? Also, if it's not in your `PATH` you need to use the absolute path `./ban_ip.sh`. – Xavier Lucas Oct 12 '14 at 16:17
  • @XavierLucas: With or without sudo: It does not work. I am in the same directory as the script when trying to execute it. – AlexR Oct 12 '14 at 16:19
  • You are not using the **absolute path**. It doesn't matter in which directory you are. – Xavier Lucas Oct 12 '14 at 16:20

Based on another comment you made here, the issue you're experiencing is that bash cannot find the script you are trying to run.

When you are running a script or command that isn't in one of the paths defined in your $PATH environment setting, you need to provide the absolute or relative path for it. For example:

  • If the script is in /usr/local/bin you need to run /usr/local/bin/scriptname.sh.
  • If the script is in your home directory you need to run either /home/username/scriptname.sh or ~/scriptname.sh.
  • Alternatively you can change into that directory and call it with ./ like so: ./scriptname.sh

Also, you can update your $PATH environment setting with the path to the script by modifying .bash_profile, .bashrc, or .profile, depending on which env file you're using.

Gene

Just add sudo before the command:

#!/bin/sh
# Offending IP as detected by mod_evasive
# (assumed for runnability: IPTABLES may be preset in the environment and the
#  offending IP is passed as the first argument; defaults added here)
IPTABLES=${IPTABLES:-/sbin/iptables}
IP=${IP:-$1}
# Add the following firewall rule (block IP)
sudo $IPTABLES -I INPUT -s "$IP" -j DROP
MohyedeenN

If your script is:

/drop.sh

and looks like this:

#!/bin/sh
exec /sbin/iptables -I INPUT -s "$1" -j DROP

Then add a line to your /etc/sudoers file that looks something like:

www-data ALL=(root) NOPASSWD: /drop.sh

NB: if Apache is running as a user besides www-data, you'll need to use that username here. This lets the Apache user run your drop.sh.

Then finally a wrapper for mod_evasive:

#!/bin/sh
exec sudo /drop.sh "$@"
geocar
  • What's the point of putting the script at the root of the filesystem? Also, you should always use the `visudo` wrapper instead of editing any sudoers file; that's why it's read-only by default. – Xavier Lucas Oct 12 '14 at 18:19
  • You can put files wherever you want, but then you need to explain that all the other paths need to change. – geocar Oct 12 '14 at 19:05
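A hardened version of the drop.sh from this answer, added here as an example and not geocar's own code: since the sudoers line lets the Apache user run it as root without a password, the script validates the address mod_evasive hands over before it ever reaches iptables. It assumes the IP arrives as the first argument and lets the IPTABLES path be overridden so the validation logic can be exercised without root.

```shell
#!/bin/sh
# Hardened drop.sh (added example). Target of the sudoers line
#   www-data ALL=(root) NOPASSWD: /drop.sh
# Once a script runs as root without a password, the argument it receives
# must be validated before being passed on to iptables.
# ASSUMPTION: mod_evasive passes the offending IPv4 address as the first argument.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # overridable so the logic can be tested without root

# is_ipv4 ADDR: succeed only for a dotted quad of four decimal octets in 0-255.
# Anything else (empty string, spaces, "-j ACCEPT", CIDR, hostnames, leading
# zeros) is rejected, so an odd value can never turn into extra iptables arguments.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;        # only digits and dots may appear
    esac
    # Split on "." into at most five fields; a non-empty fifth field means too many octets.
    IFS=. read -r a b c d e <<EOF
$1
EOF
    [ -z "$e" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ""|0[0-9]*) return 1 ;; esac   # empty octet or leading zero
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# block_ip ADDR: insert the DROP rule, or refuse with exit status 2 and a message
# on stderr (which ends up in the Apache error log when run from mod_evasive).
block_ip() {
    if ! is_ipv4 "$1"; then
        echo "drop.sh: refusing to block invalid address '$1'" >&2
        return 2
    fi
    "$IPTABLES" -I INPUT -s "$1" -j DROP
}

# Act only when called directly with an argument (a plain "sh drop.sh" is a no-op).
if [ -n "${1:-}" ]; then
    block_ip "$1"
fi
```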