[ale] Remote controlled port forwarder
JK
jknapka at kneuro.net
Mon Jun 23 12:35:36 EDT 2008
Atlanta Geek wrote:
> We have used iptables as a proof-of-concept approach. However, we have
> run into headaches with this.
> We would create the rules whenever a device is registered with the
> application. The problem is that registration is through a web
> application, so we have to give the web user sudo access to forward ports
> to the device. Also, we have to parse the result of iptables -L to
> confirm the port forwarding has not already been done. I also really
> hate doing system calls from web applications; it seems like a hack.
The thought of reproducing existing, fast, efficient kernel
functionality as a userland app seems equally hacky to me. Any use of
iptables from userland is going to involve privilege elevation, though,
so if you really have to avoid that, you should probably use an existing
userland port-forwarder. I expect ncat (a netcat derivative) might work
for you:
http://nmap-ncat.sourceforge.net/
Naturally, any tool that allows Joe Luser to set up a forwarded port,
whether in userland or in kernelspace, is subject to possible abuse; so
I don't think this is necessarily a reason not to use iptables.
Also, the existence of the iptables userland tool means that there is
some kind of binary API to iptables. Although it may be that
/sbin/iptables is invoking the kernel directly via int 0x80, I expect
that there is probably some kind of library support, somewhere, for
iptables's kernel interactions. The iptables and netfilter source may
be enlightening.
http://www.netfilter.org/projects/iptables/index.html
-- JK
--
I do not particularly want to go where the money is -
it usually does not smell nice there. -- A. Stepanov
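An added example, not code from this thread, from ncat or from the poster's application: a minimal userland TCP port forwarder in Python that keeps its own registry of active forwards. With this design the registering web application asks an unprivileged forwarder daemon to add a forward and gets a clear refusal on a duplicate or an out-of-policy destination, instead of running iptables under sudo and parsing iptables -L. The allowed destination network, the allowed port list and the loopback self-test are assumptions made for illustration; the control channel between the web application and the daemon is left out.

```python
"""Userland TCP port forwarder with a registry that refuses duplicate or
out-of-policy forwards.  Added illustration, not the thread's own code."""
import asyncio
import ipaddress


class ForwardPolicy:
    """Decides which forwards a web-driven registration may create.

    allowed_nets:  destination networks the managed devices live in (assumed)
    allowed_ports: destination ports the application may expose (assumed)
    """

    def __init__(self, allowed_nets, allowed_ports):
        self.nets = [ipaddress.ip_network(n) for n in allowed_nets]
        self.ports = set(allowed_ports)
        self.active = {}  # listen_port -> (dst_host, dst_port)

    def register(self, listen_port, dst_host, dst_port):
        """Validate and record a forward; raise ValueError rather than
        silently duplicating it or forwarding somewhere unexpected."""
        addr = ipaddress.ip_address(dst_host)
        if not any(addr in net for net in self.nets):
            raise ValueError(f"destination {dst_host} outside allowed networks")
        if dst_port not in self.ports:
            raise ValueError(f"destination port {dst_port} not allowed")
        if listen_port in self.active:
            raise ValueError(f"listen port {listen_port} already forwarded "
                             f"to {self.active[listen_port]}")
        self.active[listen_port] = (dst_host, dst_port)

    def try_register(self, listen_port, dst_host, dst_port):
        """register() that returns the error text (or None) instead of
        raising, which a web handler can map straight to an HTTP 4xx."""
        try:
            self.register(listen_port, dst_host, dst_port)
        except ValueError as exc:
            return str(exc)
        return None


async def _pipe(reader, writer):
    """Copy bytes one way until EOF or a socket error, then close."""
    try:
        while True:
            data = await reader.read(65536)
            if not data:
                break
            writer.write(data)
            await writer.drain()
    except OSError:
        pass
    finally:
        writer.close()


async def start_forward(listen_host, listen_port, dst_host, dst_port):
    """Listen on listen_host:listen_port and relay each accepted connection
    to dst_host:dst_port.  Returns the asyncio Server so the caller can read
    the bound port when listen_port is 0."""

    async def handle(client_r, client_w):
        try:
            dst_r, dst_w = await asyncio.open_connection(dst_host, dst_port)
        except OSError:
            client_w.close()  # device unreachable: drop the client cleanly
            return
        await asyncio.gather(_pipe(client_r, dst_w), _pipe(dst_r, client_w))

    return await asyncio.start_server(handle, listen_host, listen_port)


def loopback_selftest(payload=b"hello"):
    """Run an echo server and a forward to it on 127.0.0.1, push payload
    through the forward and return whatever comes back (constructed test)."""

    async def run():
        async def echo(reader, writer):
            writer.write(await reader.read(65536))
            await writer.drain()
            writer.close()

        echo_srv = await asyncio.start_server(echo, "127.0.0.1", 0)
        echo_port = echo_srv.sockets[0].getsockname()[1]
        fwd_srv = await start_forward("127.0.0.1", 0, "127.0.0.1", echo_port)
        fwd_port = fwd_srv.sockets[0].getsockname()[1]
        reader, writer = await asyncio.open_connection("127.0.0.1", fwd_port)
        writer.write(payload)
        await writer.drain()
        got = await reader.read(65536)
        writer.close()
        fwd_srv.close()
        echo_srv.close()
        await fwd_srv.wait_closed()
        await echo_srv.wait_closed()
        return got

    return asyncio.run(run())


if __name__ == "__main__":
    policy = ForwardPolicy(["10.0.0.0/8"], [22, 80])
    print(policy.try_register(8022, "10.1.2.3", 22))   # None: accepted
    print(policy.try_register(8022, "10.1.2.4", 22))   # duplicate refused
    print(loopback_selftest())
```

The daemon binds only the listen ports it is handed, so it can run as an ordinary user (ports above 1023) or with nothing more than CAP_NET_BIND_SERVICE; the policy object is the single place to audit if a "Joe Luser" starts registering destinations he should not reach.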