3 WAYS TO RUN iptables -L AS NON ROOT USER
ISSUE
[maxpatrol@rhel75 ~]$ iptables -vnL iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root) Perhaps iptables or your kernel needs to be upgraded.
RELATED
RUNNING IPTABLES TOOL AS A NON-ROOT USER
SOLUTION
Here there are 3 ways to list all rules with non-root account
(1) With the sudoers file
(2) By setting SUID on the iptables executable
(3) By setting file capabilities on a copy of the iptables executable
In all 3 examples, the user maxpatrol is being used.
(1) With the sudoers file
Add the following line to your sudoers file
maxpatrol ALL=(ALL) NOPASSWD: /usr/sbin/iptables -vnL
Now, issuing iptables executable with sudo keyword lists all iptables rules
[maxpatrol@rhel75 ~]$ sudo iptables -vnL
Chain INPUT (policy ACCEPT 3843 packets, 320K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1739 packets, 275K bytes)
pkts bytes target prot opt in out source destinationNOTE: In this example, only “-vnL” arguments are allowed for the iptables command. It means if you try to use another one or in another order then the command fails, for instance
[maxpatrol@rhel75 ~]$ sudo iptables -v -L
[sudo] password for maxpatrol:
Sorry, user maxpatrol is not allowed to execute '/sbin/iptables -v -L' as root on rhel75.mydomain.local.(2) By setting SUID on the iptables executable
Here you’ll find the explanation about what SUID is. Run the following commands as root user
## Find executable location
[root@rhel75 ~]# which iptables
/usr/sbin/iptables
## Resolve symbolic link
[root@rhel75 ~]# readlink -f /usr/sbin/iptables
/usr/sbin/xtables-multi
## Find current file permisions
[root@rhel75 ~]# ls -l /usr/sbin/xtables-multi
-rwxr-xr-x. 1 root root 93632 Jan 28 2018 /usr/sbin/xtables-multi
## Set SUID on the executable
[root@rhel75 ~]# chmod u+s /usr/sbin/xtables-multi
## Verify new permision is set.
## If everything is OK then the letter 's' would be instead of 'x' for owner permissions
[root@rhel75 ~]# ls -l /usr/sbin/xtables-multi
-rwsr-xr-x. 1 root root 93632 Jan 28 2018 /usr/sbin/xtables-multiNow you are permitted to list all rules without sudo keyword. Any arguments are allowed.
[root@rhel75 ~]# su - maxpatrol
Last login: Thu Nov 15 16:36:29 MSK 2018 on pts/0
[maxpatrol@rhel75 ~]$ iptables -vnL
Chain INPUT (policy ACCEPT 5407 packets, 446K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2094 packets, 320K bytes)
pkts bytes target prot opt in out source destinationNOTE: When you set SUID on an executable that executable is available for an execution for all users
(3) By setting file capabilities on the iptables executable copy
Run the following commands as the root user
## Find iptables executable
[root@rhel75 ~]# which iptables
/usr/sbin/iptables
## Create a directory for a copy of the executable
[root@rhel75 ~]# mkdir /home/maxpatrol/bin
## Copy the iptables executable to the created directory
[root@rhel75 ~]# cp /usr/sbin/iptables /home/maxpatrol/bin/iptables
## Reset all permisions
[root@rhel75 ~]# chmod 000 /home/maxpatrol/bin/iptables
[root@rhel75 ~]# ls -l /home/maxpatrol/bin/iptables
----------. 1 root root 93632 Nov 15 16:46 /home/maxpatrol/bin/iptables
#######################################
## Use this option if ACL is enabled
#######################################
## As the bin directory and the iptables executable copy is owned by root
## you must permit the user maxpatrol to execute that files by setting acl
[root@rhel75 ~]# setfacl -Rm u:maxpatrol:rx /home/maxpatrol/bin
#######################################
## Use this option if ACL is not enabled
#######################################
[root@rhel75 ~]# id maxpatrol
uid=1002(maxpatrol) gid=1002(maxpatrol) groups=1002(maxpatrol)
# Change ownership from root to user maxpatrol
[root@rhel75 ~]# chown -R maxpatrol.maxpatrol /home/maxpatrol/bin/iptables
# Change files permisions
[root@rhel75 ~]# ls -l /home/maxpatrol/bin/iptables
----------. 1 maxpatrol maxpatrol 93632 Nov 15 16:46 /home/maxpatrol/bin/iptables
[root@rhel75 ~]# chmod -R 500 /home/maxpatrol/bin/iptables
[root@rhel75 ~]# ls -l /home/maxpatrol/bin/iptables
-r-x------. 1 maxpatrol maxpatrol 93632 Nov 15 16:46 /home/maxpatrol/bin/iptables
## Set file capabilities on the executable copy
[root@rhel75 ~]# setcap CAP_NET_RAW,CAP_NET_ADMIN+ep /home/maxpatrol/bin/iptablesNow you are permitted to list all rules. Any arguments are allowed.
[root@rhel75 bin]# su - maxpatrol
Last login: Thu Nov 15 17:04:43 MSK 2018 on pts/0
[maxpatrol@rhel75 ~]$ cd ./bin/
[maxpatrol@rhel75 bin]$ ./iptables -nvL
Chain INPUT (policy ACCEPT 7845 packets, 643K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2481 packets, 367K bytes)
pkts bytes target prot opt in out source destinationUnlike in the option (2), in the option (3) the only maxpatrol user is permitted to run the copy of the iptables executable.
Now add /home/maxpatrol/bin path to PATH variable to use the iptables executable copy by default. Add it to .bash_profile file to set it up automatically during login.
[maxpatrol@rhel75 bin]$ export PATH=/home/maxpatrol/bin:$PATH
[maxpatrol@rhel75 bin]$ which iptables
~/bin/iptables
[maxpatrol@rhel75 bin]$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destinationNOTE: In RedHat 6.x you will get the error when executing the iptables executable
[maxpatrol@rhel68 ~]# which iptables
/sbin/iptables
[maxpatrol@rhel68 ~]# readlink /sbin/iptables
/etc/alternatives/iptables.x86_64
[maxpatrol@rhel68 ~]# /etc/alternatives/iptables.x86_64 -nvL
iptables multi-purpose version: unknown subcommand "-nvL"To fix it, use iptables with argument ‘main’
[maxpatrol@rhel68 ~]# /etc/alternatives/iptables.x86_64 main -nvL
Chain INPUT (policy ACCEPT 159M packets, 126G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 143M packets, 43G bytes)
pkts bytes target prot opt in out source destinationTo simulate exact behavior of executable copy as original one just create the bash script by the root user
{
mkdir /home/maxpatrol/bin
cp /sbin/iptables /home/maxpatrol/bin/iptables.original.copy
echo "/home/maxpatrol/bin/iptables.original.copy main \${1}" > /home/maxpatrol/bin/iptables
setfacl -Rm u:maxpatrol:rx /home/maxpatrol/bin
setcap CAP_NET_RAW,CAP_NET_ADMIN+ep /home/maxpatrol/bin/iptables.original.copy
/home/maxpatrol/bin/iptables -nvL
}NOTE: if you have the following error after executing executable copy, just execute it under root user
[maxpatrol@S702AS-ASLogger ~]$ ## This will rise the error
/home/maxpatrol/bin/iptables -nvL
FATAL: Error inserting ip_tables (/lib/modules/2.6.32-642.el6.x86_64/kernel/net/ipv4/netfilter/ip_tables.ko): Operation not permitted
iptables v1.4.7: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[maxpatrol@S702AS-ASLogger ~]$ exit
logout
## Execute under root
[root@S702AS-ASLogger ~]# /home/maxpatrol/bin/iptables -nvL 2>&1 1>/dev/null
## Execute again under the maxpatrol user
[root@S702AS-ASLogger ~]# su - maxpatrol
[maxpatrol@S702AS-ASLogger ~]$ /home/maxpatrol/bin/iptables -nvL
Chain INPUT (policy ACCEPT 179 packets, 21575 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 164 packets, 22509 bytes)
pkts bytes target prot opt in out source destinationNOTE: On RedHat 5.x setcap doesn’t work, use (1) and (2) options instead.
[root@rhel511 ~]# setcap CAP_NET_RAW,CAP_NET_ADMIN+ep /home/maxpatrol/bin/iptables.original.copy
-bash: setcap: command not found
[root@rhel511 ~]# cat /etc/*release*
Enterprise Linux Enterprise Linux Server release 5.7 (Carthage)
cat: /etc/lsb-release.d: Is a directory
Oracle Linux Server release 5.7
Red Hat Enterprise Linux Server release 5.7 (Tikanga)According to Issue running the setcap command
/usr/sbin/setcap is part of libcap 2 and is not available until Linux kernel version 2.6.24
/usr/sbin/setcap is not provided in RHEL 5 and cannot be copied from a later release of Red Hat Enterprise Linux.
Platform : Oracle Linux Server 7.5
Leave a Reply
Social Link(s)
