3 WAYS TO LIST ALL IPTABLES RULES BY A NON-ROOT USER
When running iptables -vnL as a non-root user, I get the following error message:
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
USING IPTABLES UTILITY AS A NON-ROOT USER
Here are three ways to list all rules from a non-root account:
1. By adding a user to the sudoers file
2. By setting SUID on the iptables executable
3. By setting file capabilities on a copy of the iptables executable
For this demo, the user maxpatrol is used.
OPTION 1: ADDING A USER TO THE SUDOERS FILE
Add the following line to your sudoers file.
It allows the user maxpatrol to execute the /sbin/iptables -vnL command without providing a password. For instance:
[maxpatrol@rhel75 ~]$ sudo iptables -vnL
Chain INPUT (policy ACCEPT 3843 packets, 320K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1739 packets, 275K bytes)
pkts bytes target prot opt in out source destination
In this example, only the -vnL arguments are allowed with the iptables command. If you pass other arguments, or the same flags in a different order, sudo refuses the command, for instance:
[maxpatrol@rhel75 ~]$ sudo iptables -v -L
[sudo] password for maxpatrol:
Sorry, user maxpatrol is not allowed to execute '/sbin/iptables -v -L' as root on rhel75.mydomain.local.
OPTION 2: SETTING SUID ON THE IPTABLES EXECUTABLE
Here you find an explanation about what SUID is. Run the following commands as the root user:
############################
## Find an executable location
############################
[root@rhel75 ~]# which iptables
/usr/sbin/iptables
############################
## Resolve a symbolic link
############################
[root@rhel75 ~]# readlink -f /usr/sbin/iptables
/usr/sbin/xtables-multi
############################
## Find current file permissions
############################
[root@rhel75 ~]# ls -l /usr/sbin/xtables-multi
-rwxr-xr-x. 1 root root 93632 Jan 28 2018 /usr/sbin/xtables-multi
############################
## Set SUID on the executable
############################
[root@rhel75 ~]# chmod u+s /usr/sbin/xtables-multi
############################
## Verify that SUID is set.
## If everything is right, the letter 's' appears instead of 'x' in the owner permissions
############################
[root@rhel75 ~]# ls -l /usr/sbin/xtables-multi
-rwsr-xr-x. 1 root root 93632 Jan 28 2018 /usr/sbin/xtables-multi
Now you can list all rules without sudo. Any arguments are allowed, so the same binary can also be used to change rules.
[maxpatrol@rhel75 ~]$ iptables -vnL
Chain INPUT (policy ACCEPT 5407 packets, 446K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2094 packets, 320K bytes)
pkts bytes target prot opt in out source destination
When you set SUID on an executable, every user on the system can run it with root privileges, not only maxpatrol.
OPTION 3: SETTING FILE CAPABILITIES ON A COPY OF THE IPTABLES EXECUTABLE
Run the following commands as the root user:
############################
## Find an executable location
############################
[root@rhel75 ~]# which iptables
/usr/sbin/iptables
############################
## Create a directory for a copy of the executable
############################
[root@rhel75 ~]# mkdir /home/maxpatrol/bin
############################
## Copy the iptables executable to the created directory
############################
[root@rhel75 ~]# cp /usr/sbin/iptables /home/maxpatrol/bin/iptables
############################
## Reset all permissions for the copied executable
############################
[root@rhel75 ~]# chmod 000 /home/maxpatrol/bin/iptables
[root@rhel75 ~]# ls -l /home/maxpatrol/bin/iptables
----------. 1 root root 93632 Nov 15 16:46 /home/maxpatrol/bin/iptables
############################
## Use this option if ACL is enabled
############################
## As the bin directory and the iptables executable copy are owned by the root user,
## you must permit the user maxpatrol to execute that copy by setting an ACL
############################
[root@rhel75 ~]# setfacl -Rm u:maxpatrol:rx /home/maxpatrol/bin
############################
## Use this option if ACL is not enabled
############################
[root@rhel75 ~]# id maxpatrol
uid=1002(maxpatrol) gid=1002(maxpatrol) groups=1002(maxpatrol)
# Change ownership from the root user to the maxpatrol user
[root@rhel75 ~]# chown -R maxpatrol.maxpatrol /home/maxpatrol/bin/iptables
# Change file permissions
[root@rhel75 ~]# ls -l /home/maxpatrol/bin/iptables
----------. 1 maxpatrol maxpatrol 93632 Nov 15 16:46 /home/maxpatrol/bin/iptables
[root@rhel75 ~]# chmod -R 500 /home/maxpatrol/bin/iptables
[root@rhel75 ~]# ls -l /home/maxpatrol/bin/iptables
-r-x------. 1 maxpatrol maxpatrol 93632 Nov 15 16:46 /home/maxpatrol/bin/iptables
## Set file capabilities on the executable copy
[root@rhel75 ~]# setcap CAP_NET_RAW,CAP_NET_ADMIN+ep /home/maxpatrol/bin/iptables
Now you can list all rules without sudo. Any arguments are allowed, so with CAP_NET_ADMIN the copy can also be used to change rules.
[maxpatrol@rhel75 ~]$ cd ./bin/
[maxpatrol@rhel75 bin]$ ./iptables -nvL
Chain INPUT (policy ACCEPT 7845 packets, 643K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2481 packets, 367K bytes)
pkts bytes target prot opt in out source destination
Unlike option 2, where any user is permitted to execute the iptables utility, in option 3 the maxpatrol user is the only user permitted to execute the copy of the iptables executable.
Add /home/maxpatrol/bin to the front of the PATH variable in the .bash_profile file so that the executable copy is picked up by default.
[maxpatrol@rhel75 bin]$ export PATH=/home/maxpatrol/bin:$PATH
[maxpatrol@rhel75 bin]$ which iptables
~/bin/iptables
[maxpatrol@rhel75 bin]$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
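A small audit helper, added here as an example and not part of the original post, that reports how a given iptables path has been made runnable by non-root users: it resolves the symlink chain (as readlink -f did above) and reports the SUID bit of option 2 and the file capabilities of option 3 (the latter only when getcap from libcap is installed). The paths in the last line are the ones used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables binary for
# elevated privileges granted to non-root users (SUID/SGID bits, file capabilities).
# Assumes coreutils readlink(1); getcap(1) from libcap is optional.

# resolve_target PATH -> canonical path (follows /usr/sbin/iptables -> xtables-multi
# or /sbin/iptables -> /etc/alternatives/... symlink chains)
resolve_target() {
    readlink -f "$1"
}

# priv_grants PATH -> prints the grants found on the resolved file: SUID, SGID, CAPS
# Prints an empty line when the file carries no elevated privilege.
priv_grants() {
    target=$(resolve_target "$1")
    [ -e "$target" ] || { echo "missing"; return 1; }
    out=""
    # -u / -g are POSIX test(1) operators for the set-user-ID / set-group-ID bits
    [ -u "$target" ] && out="$out SUID"
    [ -g "$target" ] && out="$out SGID"
    if command -v getcap >/dev/null 2>&1; then
        # getcap prints nothing for a file without capabilities
        caps=$(getcap "$target" 2>/dev/null)
        [ -n "$caps" ] && out="$out CAPS"
    fi
    echo "${out# }"
}

# audit_iptables PATH... -> one report line per path
audit_iptables() {
    for p in "$@"; do
        printf '%s -> %s: %s\n' "$p" "$(resolve_target "$p")" "$(priv_grants "$p")"
    done
}

# Stand-alone run: the system binary and the private copy from this post
audit_iptables /usr/sbin/iptables /home/maxpatrol/bin/iptables
```

A line reporting SUID on the system binary means option 2 is in place for every user; CAPS on a private copy corresponds to option 3.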
On Red Hat 6.x, running the copied iptables executable directly gives the following error, because the copy is the multi-purpose binary and expects a subcommand:
[maxpatrol@rhel68 ~]# which iptables
/sbin/iptables
[maxpatrol@rhel68 ~]# readlink /sbin/iptables
/etc/alternatives/iptables.x86_64
[maxpatrol@rhel68 ~]# /etc/alternatives/iptables.x86_64 -nvL
iptables multi-purpose version: unknown subcommand "-nvL"
To fix that issue, invoke the binary with the main subcommand before the usual arguments. For instance:
[maxpatrol@rhel68 ~]# /etc/alternatives/iptables.x86_64 main -nvL
Chain INPUT (policy ACCEPT 159M packets, 126G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 143M packets, 43G bytes)
pkts bytes target prot opt in out source destination
To make the executable copy behave exactly like the original (so that main does not have to be typed each time), use the following snippet. It creates a small shell script named iptables that prepends the main subcommand and passes all arguments through to the copied binary.
{
mkdir /home/maxpatrol/bin
cp /sbin/iptables /home/maxpatrol/bin/iptables.original.copy
## Wrapper script; "$@" forwards every argument (a plain ${1} would pass only the first one)
cat > /home/maxpatrol/bin/iptables <<'EOF'
#!/bin/sh
exec /home/maxpatrol/bin/iptables.original.copy main "$@"
EOF
setfacl -Rm u:maxpatrol:rx /home/maxpatrol/bin
setcap CAP_NET_RAW,CAP_NET_ADMIN+ep /home/maxpatrol/bin/iptables.original.copy
/home/maxpatrol/bin/iptables -nvL
}
If you get the following error when running the executable copy, the ip_tables kernel module is not loaded yet and a non-root user is not permitted to load it. Run the copy once as the root user so that the module gets loaded, then retry as the non-root user.
## This raises the error
[maxpatrol@S702AS-ASLogger ~]$ /home/maxpatrol/bin/iptables -nvL
FATAL: Error inserting ip_tables (/lib/modules/2.6.32-642.el6.x86_64/kernel/net/ipv4/netfilter/ip_tables.ko):
Operation not permitted
iptables v1.4.7: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[maxpatrol@S702AS-ASLogger ~]$ exit
logout
## Execute under root
[root@S702AS-ASLogger ~]# /home/maxpatrol/bin/iptables -nvL 2>&1 1>/dev/null
## Re-login as the maxpatrol user and retry executing the created script
[root@S702AS-ASLogger ~]# su - maxpatrol
[maxpatrol@S702AS-ASLogger ~]$ /home/maxpatrol/bin/iptables -nvL
Chain INPUT (policy ACCEPT 179 packets, 21575 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 164 packets, 22509 bytes)
pkts bytes target prot opt in out source destination
On Red Hat 5.x setcap is not available, so use either option 1 or 2 instead. For instance:
[root@rhel511 ~]# setcap CAP_NET_RAW,CAP_NET_ADMIN+ep /home/maxpatrol/bin/iptables.original.copy
-bash: setcap: command not found
[root@rhel511 ~]# cat /etc/*release*
Enterprise Linux Enterprise Linux Server release 5.7 (Carthage)
cat: /etc/lsb-release.d: Is a directory
Oracle Linux Server release 5.7
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
According to the article "Issue running the setcap command":
/usr/sbin/setcap is not provided in RHEL 5 and cannot be copied from a later release of Red Hat Enterprise Linux.