[CentOS] Apache Changing IPtables C 5.6 via Apache

Sat Aug 20 23:09:12 UTC 2011
Always Learning <centos at u61.u22.net>

When a web site is attacked, so far by unsuccessful hackers, my error
routine adds the attackers IP address, prefixed by 'deny', to that web
site's .htaccess file. It works and the attacker, on second and
subsequent attacks, gets a 403 error response.

I want to extend the exclusion ability to every web site hosted on a
server. My preferred method is iptables. However, when breaking-out of a
PHP script on a web page and running a normal iptables command, for
example:

	iptables -A 3temp -s 1.2.3.4 -j DROP

iptables responds with:

	iptables v1.3.5: can't initialize iptables table
	`filter': Permission denied
	(you must be root)

Executing 'whoami' confirms Apache is the user. Giving Apache group rw
on the /etc/sysconfig/iptables and ensuring the /sbin/iptables is
executable by all, fails to resolve the problem.

Is there any method of running iptables from an Apache originated
process ?

Thank you.






-- 
With best regards,

Paul.
England,
EU.