
 
ISSUE

When I try to list all iptables rules as a non-root user, I get the following error:
[maxpatrol@rhel75 ~]$  iptables -vnL
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

 
RELATED

RUNNING IPTABLES TOOL AS A NON-ROOT USER

 
SOLUTION

Here are 3 ways to list all rules with a non-root account:

(1) With the sudoers file
(2) By setting SUID on the iptables executable
(3) By setting file capabilities on a copy of the iptables executable

In all 3 examples, the user maxpatrol is used.

(1) With the sudoers file

Add the following line to your sudoers file

maxpatrol ALL=(ALL) NOPASSWD: /usr/sbin/iptables -vnL

Now, running the iptables executable with the sudo keyword lists all iptables rules:

[maxpatrol@rhel75 ~]$ sudo iptables -vnL
Chain INPUT (policy ACCEPT 3843 packets, 320K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1739 packets, 275K bytes)
 pkts bytes target     prot opt in     out     source               destination

NOTE: In this example, only the “-vnL” argument is allowed for the iptables command, exactly as written. If you use any other argument, or the same options in a different order, the command fails, for instance:

[maxpatrol@rhel75 ~]$ sudo iptables -v -L
[sudo] password for maxpatrol:
Sorry, user maxpatrol is not allowed to execute '/sbin/iptables -v -L' as root on rhel75.mydomain.local.

(2) By setting SUID on the iptables executable

Here you’ll find an explanation of what SUID is. Run the following commands as the root user:

## Find executable location 
[root@rhel75 ~]# which iptables
/usr/sbin/iptables

## Resolve symbolic link
[root@rhel75 ~]# readlink -f /usr/sbin/iptables
/usr/sbin/xtables-multi

## Find current file permissions
[root@rhel75 ~]# ls -l /usr/sbin/xtables-multi
-rwxr-xr-x. 1 root root 93632 Jan 28  2018 /usr/sbin/xtables-multi

## Set SUID on the executable
[root@rhel75 ~]# chmod u+s /usr/sbin/xtables-multi

## Verify the new permission is set.
## If everything is OK, the letter 's' appears instead of 'x' in the owner's execute position
[root@rhel75 ~]# ls -l /usr/sbin/xtables-multi
-rwsr-xr-x. 1 root root 93632 Jan 28  2018 /usr/sbin/xtables-multi

Now you are permitted to list all rules without the sudo keyword. Any arguments are allowed.

[root@rhel75 ~]# su - maxpatrol
Last login: Thu Nov 15 16:36:29 MSK 2018 on pts/0

[maxpatrol@rhel75 ~]$ iptables -vnL
Chain INPUT (policy ACCEPT 5407 packets, 446K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2094 packets, 320K bytes)
 pkts bytes target     prot opt in     out     source               destination

NOTE: When you set SUID on an executable, every user on the system who can execute it runs it with root privileges, so with this option any user can also change iptables rules, not only list them.

(3) By setting file capabilities on a copy of the iptables executable

Run the following commands as the root user

## Find iptables executable
[root@rhel75 ~]# which iptables
/usr/sbin/iptables

## Create a directory for a copy of the executable
[root@rhel75 ~]# mkdir /home/maxpatrol/bin

## Copy the iptables executable to the created directory 
[root@rhel75 ~]# cp /usr/sbin/iptables /home/maxpatrol/bin/iptables

## Reset all permissions
[root@rhel75 ~]# chmod 000 /home/maxpatrol/bin/iptables
[root@rhel75 ~]# ls -l /home/maxpatrol/bin/iptables
----------. 1 root root 93632 Nov 15 16:46 /home/maxpatrol/bin/iptables


#######################################
## Use this option if ACLs are enabled
#######################################
## As the bin directory and the copy of the iptables executable are owned by root,
## you must permit the user maxpatrol to read and execute those files by setting an ACL
[root@rhel75 ~]# setfacl -Rm u:maxpatrol:rx /home/maxpatrol/bin

#######################################
## Use this option if ACLs are not enabled
#######################################
[root@rhel75 ~]# id maxpatrol
uid=1002(maxpatrol) gid=1002(maxpatrol) groups=1002(maxpatrol)
# Change ownership from root to user maxpatrol
[root@rhel75 ~]# chown -R  maxpatrol.maxpatrol /home/maxpatrol/bin/iptables
# Change file permissions
[root@rhel75 ~]# ls -l /home/maxpatrol/bin/iptables
----------. 1 maxpatrol maxpatrol 93632 Nov 15 16:46 /home/maxpatrol/bin/iptables
[root@rhel75 ~]# chmod -R 500 /home/maxpatrol/bin/iptables
[root@rhel75 ~]# ls -l /home/maxpatrol/bin/iptables
-r-x------. 1 maxpatrol maxpatrol 93632 Nov 15 16:46 /home/maxpatrol/bin/iptables


## Set file capabilities on the executable copy
[root@rhel75 ~]# setcap CAP_NET_RAW,CAP_NET_ADMIN+ep /home/maxpatrol/bin/iptables

Now you are permitted to list all rules. Any arguments are allowed.

[root@rhel75 bin]# su - maxpatrol
Last login: Thu Nov 15 17:04:43 MSK 2018 on pts/0
[maxpatrol@rhel75 ~]$ cd ./bin/
[maxpatrol@rhel75 bin]$ ./iptables -nvL
Chain INPUT (policy ACCEPT 7845 packets, 643K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2481 packets, 367K bytes)
 pkts bytes target     prot opt in     out     source               destination

Unlike option (2), in option (3) only the maxpatrol user is permitted to run the copy of the iptables executable.
Now add the /home/maxpatrol/bin path to the PATH variable so that the copy of the iptables executable is used by default. Add it to the .bash_profile file to set it automatically at login.

[maxpatrol@rhel75 bin]$ export PATH=/home/maxpatrol/bin:$PATH
[maxpatrol@rhel75 bin]$ which iptables
~/bin/iptables
[maxpatrol@rhel75 bin]$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
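
A small audit helper, added here as an example and not part of the original article: options (2) and (3) leave behind either a SUID root binary or a private copy carrying file capabilities, and these POSIX shell functions find such files so an administrator can review what was left on the host. They assume GNU find and readlink and, where present, getcap from libcap (absent on RHEL 5, as noted below); the function names are my own.

```shell
#!/bin/sh
# Audit helper (example code, not from the article): locate the privileged
# executables that options (2) and (3) create, so they can be reviewed.
set -u

# Print regular files under DIR with the set-user-ID bit, one per line.
# On a real host add '-user root' to restrict the listing to root-owned files.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Print files under DIR that carry file capabilities (option 3 leaves
# CAP_NET_RAW,CAP_NET_ADMIN on the copy). Silent if getcap is not installed.
list_file_caps() {
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null
    fi
}

# Return 0 if FILE exists and has the SUID bit, the state option (2)
# leaves xtables-multi in.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Resolve the real iptables binary (a symlink to xtables-multi on RHEL 7)
# and warn if it is SUID. Returns 0 when iptables is absent or not SUID.
check_iptables_not_suid() {
    bin=$(command -v iptables 2>/dev/null) || return 0
    real=$(readlink -f "$bin")
    if is_setuid "$real"; then
        echo "WARNING: $real is SUID; every user can run iptables as root" >&2
        return 1
    fi
    return 0
}

# Report SUID files and capability-bearing files under one directory,
# e.g. the /home/maxpatrol/bin directory used by option (3).
audit_dir() {
    echo "== setuid files under $1"
    list_setuid "$1"
    echo "== files with capabilities under $1"
    list_file_caps "$1"
}

# Usage: ./audit.sh /home/maxpatrol/bin
if [ "${1:-}" ]; then
    audit_dir "$1"
    check_iptables_not_suid
fi
```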

NOTE: On RedHat 6.x you will get the following error when executing the copy of the iptables executable:

[maxpatrol@rhel68 ~]# which iptables
/sbin/iptables
[maxpatrol@rhel68 ~]# readlink /sbin/iptables
/etc/alternatives/iptables.x86_64
[maxpatrol@rhel68 ~]# /etc/alternatives/iptables.x86_64 -nvL
iptables multi-purpose version: unknown subcommand "-nvL"

To fix it, run the executable with the ‘main’ subcommand as its first argument:

[maxpatrol@rhel68 ~]# /etc/alternatives/iptables.x86_64 main -nvL
Chain INPUT (policy ACCEPT 159M packets, 126G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 143M packets, 43G bytes)
 pkts bytes target     prot opt in     out     source               destination

To make the copy behave exactly like the original executable (so the ‘main’ subcommand is not needed), create a wrapper script as the root user:

{
mkdir /home/maxpatrol/bin
cp /sbin/iptables /home/maxpatrol/bin/iptables.original.copy
## Wrapper: forward every argument (not only the first) to the 'main' subcommand
printf '%s\n' '#!/bin/sh' 'exec /home/maxpatrol/bin/iptables.original.copy main "$@"' > /home/maxpatrol/bin/iptables
setfacl -Rm u:maxpatrol:rx /home/maxpatrol/bin
setcap CAP_NET_RAW,CAP_NET_ADMIN+ep /home/maxpatrol/bin/iptables.original.copy
/home/maxpatrol/bin/iptables -nvL
}

NOTE: if you get the following error when running the executable copy, run it once as the root user. The first run has to load the ip_tables kernel module, which the capabilities set above do not permit; once root has loaded the module, the copy works for the maxpatrol user.

[maxpatrol@S702AS-ASLogger ~]$ ## This will raise the error
/home/maxpatrol/bin/iptables -nvL
FATAL: Error inserting ip_tables (/lib/modules/2.6.32-642.el6.x86_64/kernel/net/ipv4/netfilter/ip_tables.ko): Operation not permitted
iptables v1.4.7: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[maxpatrol@S702AS-ASLogger ~]$ exit
logout

## Execute under root
[root@S702AS-ASLogger ~]# /home/maxpatrol/bin/iptables -nvL 2>&1 1>/dev/null

## Execute again under the maxpatrol user
[root@S702AS-ASLogger ~]# su - maxpatrol
[maxpatrol@S702AS-ASLogger ~]$ /home/maxpatrol/bin/iptables -nvL
Chain INPUT (policy ACCEPT 179 packets, 21575 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 164 packets, 22509 bytes)
 pkts bytes target     prot opt in     out     source               destination

NOTE: On RedHat 5.x setcap is not available, so use option (1) or (2) instead.

[root@rhel511 ~]# setcap CAP_NET_RAW,CAP_NET_ADMIN+ep /home/maxpatrol/bin/iptables.original.copy
-bash: setcap: command not found

[root@rhel511 ~]# cat /etc/*release*
Enterprise Linux Enterprise Linux Server release 5.7 (Carthage)
cat: /etc/lsb-release.d: Is a directory
Oracle Linux Server release 5.7
Red Hat Enterprise Linux Server release 5.7 (Tikanga)

According to the article “Issue running the setcap command”:
/usr/sbin/setcap is part of libcap 2 and is not available until Linux kernel version 2.6.24
/usr/sbin/setcap is not provided in RHEL 5 and cannot be copied from a later release of Red Hat Enterprise Linux.

 
 

Version  : 12:57 PM 28.11.2018
Platform : Oracle Linux Server 7.5