Here are three ways to list all iptables rules by a non-root account.
SYMPTOMS

When running iptables -vnL as a non-root user, I get the following error message:

[maxpatrol@rhel75 ~]$ iptables -vnL
iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
RELATED

USING IPTABLES UTILITY AS A NON-ROOT USER

SOLUTION

Here are three ways to list all rules by a non-root account:

1. By adding a user to the sudoers file
2. By setting SUID on the iptables executable
3. By setting file capabilities on a copy of the iptables executable

DEMO

For this demo, the user maxpatrol is used.


1. By adding a user to the sudoers file

Add the following line to your sudoers file:

maxpatrol ALL=(ALL) NOPASSWD: /usr/sbin/iptables -vnL

This allows the user maxpatrol to run the /sbin/iptables -vnL command without providing a password.

For instance:

[maxpatrol@rhel75 ~]$ sudo iptables -vnL

Chain INPUT (policy ACCEPT 3843 packets, 320K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1739 packets, 275K bytes)
 pkts bytes target     prot opt in     out     source               destination
NOTE

In this example, only the exact argument string -vnL is allowed with the iptables command. If you pass other arguments, or write the same flags differently (for instance split into -v -L or in another order), sudo rejects the command, for instance:

[maxpatrol@rhel75 ~]$ sudo iptables -v -L
[sudo] password for maxpatrol:
Sorry, user maxpatrol is not allowed to execute '/sbin/iptables -v -L' as root on rhel75.mydomain.local.
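The rejection above comes from the way sudo compares a command spec with what the user typed: the arguments in the spec are matched as a literal string. The following script, added here as an example and not part of the original post, mirrors that behaviour with a minimal matcher run against a constructed sudoers-style text (SUDOERS_RULES, not /etc/sudoers), so it runs without root. It deliberately ignores features real sudo has (wildcards, whitespace normalisation, host and runas matching); the point is to show which command lines the rule from this section accepts.

```shell
#!/bin/sh
# Added example, not from the original post: a small matcher that mirrors the
# part of sudo's behaviour the NOTE above relies on. A command spec such as
# "/usr/sbin/iptables -vnL" is compared with the typed command line as a
# literal string, so "-v -L" and "-nvL" are rejected even though iptables
# treats them the same. Rules come from the constructed SUDOERS_RULES text
# below (same shape as /etc/sudoers), so nothing here needs root.

SUDOERS_RULES='# constructed sample rules
maxpatrol ALL=(ALL) NOPASSWD: /usr/sbin/iptables -vnL, /usr/sbin/ip6tables -vnL
backup    ALL=(ALL) NOPASSWD: /usr/bin/rsync'

# command_spec_matches SPEC "COMMAND ARGS" -> 0 if the spec permits the command line
command_spec_matches() {
    spec=$1; cmdline=$2
    case "$spec" in
        *' '*) [ "$spec" = "$cmdline" ] ;;          # spec lists arguments: literal match
        *)     [ "$spec" = "${cmdline%% *}" ] ;;    # bare path: any arguments allowed
    esac
}

# sudoers_allows USER "COMMAND ARGS" -> 0 if some rule for USER permits the command line
sudoers_allows() {
    user=$1; cmdline=$2
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        [ "${line%% *}" = "$user" ] || continue
        case "$line" in                              # strip "user HOST=(RUNAS) [TAG:]"
            *': '*) specs=${line#*: } ;;
            *)      specs=${line#*) } ;;
        esac
        rest=$specs                                  # comma-separated command specs
        while [ -n "$rest" ]; do
            case "$rest" in
                *,*) spec=${rest%%,*}; rest=${rest#*,} ;;
                *)   spec=$rest;       rest='' ;;
            esac
            spec=${spec# }                           # drop the space after the comma
            command_spec_matches "$spec" "$cmdline" && return 0
        done
    done <<EOF
$SUDOERS_RULES
EOF
    return 1
}

# check_rule USER "COMMAND ARGS" -> prints the verdict for one command line
check_rule() {
    if sudoers_allows "$1" "$2"; then
        printf 'ALLOWED  %s: %s\n' "$1" "$2"
    else
        printf 'REJECTED %s: %s\n' "$1" "$2"
    fi
}

# Before installing a real rule, syntax-check the fragment without activating it:
#   visudo -cf /etc/sudoers.d/maxpatrol-iptables

main() {
    check_rule maxpatrol '/usr/sbin/iptables -vnL'      # ALLOWED
    check_rule maxpatrol '/usr/sbin/iptables -v -L'     # REJECTED: different argument string
    check_rule maxpatrol '/usr/sbin/iptables -nvL'      # REJECTED: same flags, other order
    check_rule maxpatrol '/usr/sbin/iptables -F'        # REJECTED
    check_rule backup    '/usr/bin/rsync -a /src /dst'  # ALLOWED: bare path, any arguments
}
main
```

The last case is the one to watch when writing such rules: a spec without arguments permits every argument, so a rule listing only /usr/sbin/iptables would also allow flushing and rewriting the rule set, not just listing it.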


2. By setting SUID on the iptables executable

SUID (set-user-ID) makes an executable run with the privileges of the file's owner, here root, regardless of who starts it. Run the following commands as the root user:

############################
## Find an executable location 
############################

[root@rhel75 ~]# which iptables
/usr/sbin/iptables

############################
## Resolve a symbolic link
############################

[root@rhel75 ~]# readlink -f /usr/sbin/iptables
/usr/sbin/xtables-multi

############################
## Find current file permissions
############################

[root@rhel75 ~]# ls -l /usr/sbin/xtables-multi
-rwxr-xr-x. 1 root root 93632 Jan 28  2018 /usr/sbin/xtables-multi

############################
## Set SUID on the executable
############################

[root@rhel75 ~]# chmod u+s /usr/sbin/xtables-multi

############################
## Verify that SUID is set.
## If SUID is set, the owner's execute position shows 's' instead of 'x'
############################

[root@rhel75 ~]# ls -l /usr/sbin/xtables-multi
-rwsr-xr-x. 1 root root 93632 Jan 28  2018 /usr/sbin/xtables-multi

Now the rules can be listed without sudo, and any arguments are accepted:

[maxpatrol@rhel75 ~]$ iptables -vnL

Chain INPUT (policy ACCEPT 5407 packets, 446K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2094 packets, 320K bytes)
 pkts bytes target     prot opt in     out     source               destination
NOTE

When you set SUID on an executable, any user who can execute it runs it with the file owner's privileges (root here), and that applies to every argument iptables accepts, not only listing.


3. By setting file capabilities on a copy of the iptables executable

Run the following commands as the root user:

############################
## Find an executable location 
############################

[root@rhel75 ~]# which iptables
/usr/sbin/iptables

############################
## Create a directory for a copy of the executable
############################

[root@rhel75 ~]# mkdir /home/maxpatrol/bin

############################
## Copy the iptables executable to the created directory 
############################

[root@rhel75 ~]# cp /usr/sbin/iptables /home/maxpatrol/bin/iptables

############################
## Reset all permissions for the copied executable
############################

[root@rhel75 ~]# chmod 000 /home/maxpatrol/bin/iptables
[root@rhel75 ~]# ls -l /home/maxpatrol/bin/iptables
----------. 1 root root 93632 Nov 15 16:46 /home/maxpatrol/bin/iptables


############################
## Use this option if ACL is enabled
############################
## As the bin directory and the copied iptables executable are owned by the root user,
## you must permit the user maxpatrol to execute that copy by setting an ACL
############################

[root@rhel75 ~]# setfacl -Rm u:maxpatrol:rx /home/maxpatrol/bin


############################
## Use this option if ACL is not enabled
############################

[root@rhel75 ~]# id maxpatrol
uid=1002(maxpatrol) gid=1002(maxpatrol) groups=1002(maxpatrol)

# Change ownership from the root user to the maxpatrol user

[root@rhel75 ~]# chown -R  maxpatrol.maxpatrol /home/maxpatrol/bin/iptables

# Change file permissions

[root@rhel75 ~]# ls -l /home/maxpatrol/bin/iptables
----------. 1 maxpatrol maxpatrol 93632 Nov 15 16:46 /home/maxpatrol/bin/iptables

[root@rhel75 ~]# chmod -R 500 /home/maxpatrol/bin/iptables

[root@rhel75 ~]# ls -l /home/maxpatrol/bin/iptables
-r-x------. 1 maxpatrol maxpatrol 93632 Nov 15 16:46 /home/maxpatrol/bin/iptables


## Set file capabilities on the executable copy

[root@rhel75 ~]# setcap CAP_NET_RAW,CAP_NET_ADMIN+ep /home/maxpatrol/bin/iptables

Now the rules can be listed without sudo, and any arguments are accepted:

[maxpatrol@rhel75 ~]$ cd ./bin/
[maxpatrol@rhel75 bin]$ ./iptables -nvL
Chain INPUT (policy ACCEPT 7845 packets, 643K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2481 packets, 367K bytes)
 pkts bytes target     prot opt in     out     source               destination
NOTE

Unlike option 2, where any user is permitted to execute the iptables utility with root privileges, in option 3 the maxpatrol user is the only user permitted to execute the copy of the iptables executable, and that copy holds only CAP_NET_RAW and CAP_NET_ADMIN rather than full root.
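Both option 2 and option 3 leave a privileged file on the host, so an administrator should be able to find such files again later and confirm that a capability-bearing copy is still restricted to its one user. The following audit helper is an added example, not part of the original post or of iptables itself; directory paths and user names are parameters, and the privacy check covers the chown/chmod variant of option 3 (for the ACL variant, the file stays root-owned with mode 000 and getfacl is the tool to inspect it).

```shell
#!/bin/sh
# Added example, not from the original post: an audit helper for the two
# password-less mechanisms in options 2 and 3. Option 2 leaves a setuid-root
# xtables-multi on the whole system; option 3 leaves a capability-bearing copy
# that should be readable and executable by one user only. These functions
# find both kinds of file and check that a private copy really is private.
# Directory and user names are parameters; nothing assumes the demo host.

# find_suid_files DIR -> one path per line for every regular file with the setuid bit
find_suid_files() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# find_cap_files DIR -> getcap's "path caps" lines for DIR; status 2 if getcap is missing
find_cap_files() {
    command -v getcap >/dev/null 2>&1 || { echo "getcap not installed" >&2; return 2; }
    getcap -r "$1" 2>/dev/null
}

# has_cap FILE CAPNAME -> 0 when getcap shows CAPNAME with +ep on FILE, 1 when not,
# 2 when getcap is missing (libcap 2.41+ prints "file caps", older versions "file = caps")
has_cap() {
    command -v getcap >/dev/null 2>&1 || return 2
    out=$(getcap "$1" 2>/dev/null) || return 1
    case "$out" in *"$2"*+ep*) return 0 ;; esac
    return 1
}

# copy_is_private FILE USER -> 0 when FILE is owned by USER and carries no group/other
# permission bits (the property that makes option 3 narrower than option 2), else 1
copy_is_private() {
    [ -f "$1" ] || return 1
    entry=$(ls -ld "$1")
    mode=$(printf '%s' "$entry" | cut -c5-10)        # group and other rwx positions
    owner=$(printf '%s' "$entry" | awk '{print $3}')
    [ "$owner" = "$2" ] && [ "$mode" = "------" ]
}

# Usage: sh audit-privileged-iptables.sh DIR...   (prints a report per directory)
for dir in "$@"; do
    echo "== setuid files under $dir";             find_suid_files "$dir"
    echo "== capability-bearing files under $dir"; find_cap_files "$dir" || true
done
```

Running it as `sh audit-privileged-iptables.sh /usr/sbin /home/maxpatrol/bin` after either option shows the file that option left behind; `has_cap /home/maxpatrol/bin/iptables cap_net_admin` and `copy_is_private /home/maxpatrol/bin/iptables maxpatrol` are the two checks worth scripting into a periodic job.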

Add /home/maxpatrol/bin to the PATH variable in the .bash_profile file so that the iptables executable copy is picked up by default:

[maxpatrol@rhel75 bin]$ export PATH=/home/maxpatrol/bin:$PATH
[maxpatrol@rhel75 bin]$ which iptables
~/bin/iptables

[maxpatrol@rhel75 bin]$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NOTE

On Red Hat 6.x you get the following error when executing the copied iptables executable directly:

[maxpatrol@rhel68 ~]# which iptables
/sbin/iptables

[maxpatrol@rhel68 ~]# readlink /sbin/iptables
/etc/alternatives/iptables.x86_64

[maxpatrol@rhel68 ~]# /etc/alternatives/iptables.x86_64 -nvL
iptables multi-purpose version: unknown subcommand "-nvL"

To fix that issue, invoke the copied executable with the main subcommand as the first argument. For instance:

[maxpatrol@rhel68 ~]# /etc/alternatives/iptables.x86_64 main -nvL

Chain INPUT (policy ACCEPT 159M packets, 126G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 143M packets, 43G bytes)
 pkts bytes target     prot opt in     out     source               destination

To make the copy behave exactly like the original (so that the main subcommand is supplied automatically), use the following snippet. It creates a shell script named iptables that forwards all of its arguments to the copied executable.

{
mkdir -p /home/maxpatrol/bin
cp /sbin/iptables /home/maxpatrol/bin/iptables.original.copy
# Wrapper script named iptables: exec keeps a single process, "$@" forwards every argument
printf '%s\n' '#!/bin/sh' 'exec /home/maxpatrol/bin/iptables.original.copy main "$@"' > /home/maxpatrol/bin/iptables
setfacl -Rm u:maxpatrol:rx /home/maxpatrol/bin
setcap CAP_NET_RAW,CAP_NET_ADMIN+ep /home/maxpatrol/bin/iptables.original.copy
/home/maxpatrol/bin/iptables -nvL
}
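The wrapper only works as a drop-in replacement if it forwards every argument, and the difference between `${1}` (only the first word) and `"$@"` (all words, each kept whole) is easy to get wrong in a one-line echo. The script below is an added example, not from the original post: a shell function stands in for iptables.original.copy and merely reports what it received, so it runs without root, setcap or a real iptables, and write_wrapper produces the corrected wrapper text for a path you give it.

```shell
#!/bin/sh
# Added example, not from the original post: why the wrapper must forward "$@"
# rather than ${1}. stub_binary stands in for iptables.original.copy and only
# reports its arguments, so nothing here needs root, setcap or a real iptables.

# stub_binary ARGS... -> prints argc=N followed by one arg=... line per argument
stub_binary() {
    echo "argc=$#"
    for a in "$@"; do echo "arg=$a"; done
}

# Same expansion as a wrapper written with ${1}: only the first argument survives,
# and because it is unquoted, an argument containing a space is split into two.
wrapper_first_only() { stub_binary main ${1}; }

# Corrected expansion: "$@" forwards every argument as a separate, intact word.
wrapper_all_args()   { stub_binary main "$@"; }

# args_forwarded WRAPPER ARGS... -> number of arguments the stub saw ("main" included)
args_forwarded() {
    w=$1; shift
    "$w" "$@" | sed -n 's/^argc=//p'
}

# write_wrapper DEST ORIGINAL -> writes the corrected wrapper script text to DEST:
#   #!/bin/sh
#   exec "ORIGINAL" main "$@"
write_wrapper() {
    printf '%s\n' '#!/bin/sh' "exec \"$2\" main \"\$@\"" > "$1"
}

main() {
    echo "first-only wrapper, iptables -n -v -L: argc=$(args_forwarded wrapper_first_only -n -v -L)"
    echo "corrected wrapper,  iptables -n -v -L: argc=$(args_forwarded wrapper_all_args -n -v -L)"
    echo "first-only wrapper, single argument 'allow ssh' is split:"
    wrapper_first_only "allow ssh"
    echo "corrected wrapper, single argument 'allow ssh' stays whole:"
    wrapper_all_args "allow ssh"
    tmp=$(mktemp)
    write_wrapper "$tmp" /home/maxpatrol/bin/iptables.original.copy   # path from the post
    echo "generated wrapper:"; cat "$tmp"; rm -f "$tmp"
}
main
```

With `${1}`, `iptables -n -v -L` reaches the real binary as `main -n` (the listing still appears, but -v and -L are silently dropped), and a rule comment such as `allow ssh` arrives as two arguments; with `"$@"` the copy sees exactly what the user typed.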
NOTE

If you get the following error after executing the executable copy, the ip_tables kernel module has not been loaded yet, and loading a module needs more than the two capabilities granted to the copy. Execute the copy once under the root user (which loads the module) and then retry as the non-root user.

## This raises the error

[maxpatrol@S702AS-ASLogger ~]$ /home/maxpatrol/bin/iptables -nvL
FATAL: Error inserting ip_tables (/lib/modules/2.6.32-642.el6.x86_64/kernel/net/ipv4/netfilter/ip_tables.ko): 
Operation not permitted
iptables v1.4.7: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

[maxpatrol@S702AS-ASLogger ~]$ exit
logout

## Execute under root

[root@S702AS-ASLogger ~]# /home/maxpatrol/bin/iptables -nvL 2>&1 1>/dev/null

## Re-login as the maxpatrol user and retry the created script

[root@S702AS-ASLogger ~]# su - maxpatrol
[maxpatrol@S702AS-ASLogger ~]$ /home/maxpatrol/bin/iptables -nvL

Chain INPUT (policy ACCEPT 179 packets, 21575 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 164 packets, 22509 bytes)
 pkts bytes target     prot opt in     out     source               destination
NOTE

On Red Hat 5.x setcap is not available, so use either option 1 or 2 instead. For instance:

[root@rhel511 ~]# setcap CAP_NET_RAW,CAP_NET_ADMIN+ep /home/maxpatrol/bin/iptables.original.copy
-bash: setcap: command not found

[root@rhel511 ~]# cat /etc/*release*
Enterprise Linux Enterprise Linux Server release 5.7 (Carthage)
cat: /etc/lsb-release.d: Is a directory
Oracle Linux Server release 5.7
Red Hat Enterprise Linux Server release 5.7 (Tikanga)

According to the article "Issue running the setcap command":

/usr/sbin/setcap is part of libcap 2 and is not available until Linux kernel version 2.6.24
/usr/sbin/setcap is not provided in RHEL 5 and cannot be copied from a later release of Red Hat Enterprise Linux.

Written At: 31 OCT 2018 14:00
OEL Release: 7.5 x64