RUNNING IPTABLES TOOL AS A NON-ROOT USER
REQUEST
RELATED
SOLUTION
In this example, the user maxpatrol is being used.
First, you should back up your sudoers file
[root@rhel511 ~]# cp /etc/sudoers /etc/sudoers.$(date +%d%b%y)
[root@rhel511 ~]# ls -l /etc/sudoers*
-r--r----- 1 root root 3515 Apr 20 2017 /etc/sudoers
-r--r----- 1 root root 3515 Nov 19 10:41 /etc/sudoers.19Nov18Then add the following line to the sudoers file
maxpatrol ALL=(ALL) NOPASSWD:/sbin/iptables
It’ll allow the user maxpatrol to execute /sbin/iptables executable without providing a password. Any arguments are allowed for that executable.
[root@rhel511 ~]# echo "maxpatrol ALL=(ALL) NOPASSWD:/sbin/iptables" >> /etc/sudoers
[root@rhel511 ~]# egrep maxpatrol /etc/sudoers
maxpatrol ALL=(ALL) NOPASSWD:/sbin/iptablesSwitch to the maxpatrol user and test if you are able to list iptables rules
############################
## Without sudo keyword
############################
[root@rhel511 ~]# su - maxpatrol
[maxpatrol@rhel511 ~]$ /sbin/iptables -nvL
iptables v1.3.5: can't initialize iptables table `filter': Permission denied (you must be root)
############################
## With sudo keyword
############################
[maxpatrol@rhel511 ~]$ sudo /sbin/iptables -nvL
Chain INPUT (policy ACCEPT 1 packets, 484 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 842 bytes)
pkts bytes target prot opt in out source destinationEverything works with sudo keyword. But I want to eliminate using sudo keyword, so a trick should be used.
Issue the following command to create a script
{
echo "sudo /sbin/iptables \${1}" > /home/maxpatrol/iptables
chmod 500 iptables
ls -l iptables
}
[maxpatrol@rhel511 ~]$ {
> echo "sudo /sbin/iptables \${1}" > /home/maxpatrol/iptables
> chmod 500 iptables
> ls -l iptables
> }
-r-x------ 1 maxpatrol auditor 21 Nov 19 10:52 iptablesHere the script name is the same as the name of iptables executable. Run the script to verify it works
[maxpatrol@rhel511 ~]$ ./iptables -nvL
Chain INPUT (policy ACCEPT 2858K packets, 3924M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2895K packets, 4656M bytes)
pkts bytes target prot opt in out source destinationSo, script works. As the next step of the trick I need to call my script by default instead of original iptables executable. For this purpose the script location must be added to PATH variable.
[maxpatrol@rhel511 ~]$ export PATH=/home/maxpatrol:$PATHNow you should be able to run the script by its name
[maxpatrol@rhel511 ~]$ iptables -nvL
Chain INPUT (policy ACCEPT 3745K packets, 5030M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3764K packets, 5551M bytes)
pkts bytes target prot opt in out source destinationAnd as the final step, add the script path to PATH variable in .bash_profile file
[maxpatrol@rhel511 ~]$ echo "export PATH=/home/maxpatrol:\${PATH}" >> ~/.bash_profile
[maxpatrol@rhel511 ~]$ egrep PATH ~/.bash_profile
PATH=$PATH:$HOME/bin
export PATH
export PATH=/home/maxpatrol:${PATH}Relogin and verify it again
#########################
## Relogin
#########################
[maxpatrol@rhel511 ~]$ exit
logout
[root@rhel511 ~]# su - maxpatrol
#########################
## Ensure the iptables command points to your script
#########################
[maxpatrol@rhel511 ~]$ which iptables
~/iptables
#########################
## Execute command
#########################
[maxpatrol@rhel511 ~]$ iptables -nvL
Chain INPUT (policy ACCEPT 5058K packets, 6191M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5106K packets, 6848M bytes)
pkts bytes target prot opt in out source destination
Platform : Red Hat Enterprise Linux Server release 5.7 (Tikanga)