Listing iptables rules as a non-root user, without providing a sudo password, without setting SUID on the iptables executable, and without typing the sudo keyword.
DEMO

For this demo, the user maxpatrol is used.

Back up your sudoers file.

[root@rhel511 ~]# cp /etc/sudoers /etc/sudoers.$(date +%d%b%y)
[root@rhel511 ~]# ls -l /etc/sudoers*
-r--r----- 1 root root 3515 Apr 20  2017 /etc/sudoers
-r--r----- 1 root root 3515 Nov 19 10:41 /etc/sudoers.19Nov18

Add the following line to the sudoers file (preferably with visudo, which checks the syntax before saving).

maxpatrol ALL=(ALL) NOPASSWD:/sbin/iptables

It allows the user maxpatrol to run the /sbin/iptables executable through sudo without providing a password. Note that the entry does not restrict the arguments, so the same user can also add, delete or flush rules, not only list them.

For instance

[root@rhel511 ~]# echo "maxpatrol ALL=(ALL) NOPASSWD:/sbin/iptables" >> /etc/sudoers
[root@rhel511 ~]# egrep maxpatrol /etc/sudoers
maxpatrol ALL=(ALL) NOPASSWD:/sbin/iptables

Switch to the maxpatrol user and test if you are able to list iptables rules.

############################
## Without sudo keyword
############################

[root@rhel511 ~]# su - maxpatrol
[maxpatrol@rhel511 ~]$ /sbin/iptables -nvL
iptables v1.3.5: can't initialize iptables table `filter': Permission denied (you must be root)

############################
## With sudo keyword
############################

[maxpatrol@rhel511 ~]$ sudo /sbin/iptables -nvL
Chain INPUT (policy ACCEPT 1 packets, 484 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 842 bytes)
 pkts bytes target     prot opt in     out     source               destination

It works with the sudo keyword. To avoid typing sudo at all, the following trick can be used.

Create an iptables wrapper script in the home directory of the maxpatrol user.

{
# A shebang lets the kernel execute the file directly, and "$@" forwards every
# argument (e.g. -t nat -nvL) to sudo; ${1} would pass only the first one.
printf '#!/bin/sh\nexec sudo /sbin/iptables "$@"\n' > /home/maxpatrol/iptables
chmod 500 /home/maxpatrol/iptables
ls -l /home/maxpatrol/iptables
}

For instance

[maxpatrol@rhel511 ~]$ {
> printf '#!/bin/sh\nexec sudo /sbin/iptables "$@"\n' > /home/maxpatrol/iptables
> chmod 500 iptables
> ls -l iptables
> }

-r-x------ 1 maxpatrol auditor 21 Nov 19 10:52 iptables

Execute the created iptables script to verify that it works.

[maxpatrol@rhel511 ~]$ ./iptables -nvL
Chain INPUT (policy ACCEPT 2858K packets, 3924M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2895K packets, 4656M bytes)
 pkts bytes target     prot opt in     out     source               destination

The script works. Add the script location to the front of the PATH variable so that it is found before /sbin/iptables.

[maxpatrol@rhel511 ~]$ export PATH=/home/maxpatrol:$PATH

Now you should be able to execute the script by its name.

[maxpatrol@rhel511 ~]$ iptables -nvL

Chain INPUT (policy ACCEPT 3745K packets, 5030M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3764K packets, 5551M bytes)
 pkts bytes target     prot opt in     out     source               destination

Add the script path to the PATH variable in the .bash_profile file so that the change persists across logins. For instance

[maxpatrol@rhel511 ~]$ echo "export PATH=/home/maxpatrol:\${PATH}" >> ~/.bash_profile
[maxpatrol@rhel511 ~]$ egrep PATH ~/.bash_profile
PATH=$PATH:$HOME/bin
export PATH
export PATH=/home/maxpatrol:${PATH}

Log in again as the maxpatrol user and verify once more.

#########################
## Re-login
#########################

[maxpatrol@rhel511 ~]$ exit
logout
[root@rhel511 ~]# su - maxpatrol

#########################
## Ensure the iptables command points to your script
#########################

[maxpatrol@rhel511 ~]$ which iptables
~/iptables

#########################
## Execute the script
#########################

[maxpatrol@rhel511 ~]$ iptables -nvL
Chain INPUT (policy ACCEPT 5058K packets, 6191M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5106K packets, 6848M bytes)
 pkts bytes target     prot opt in     out     source               destination

The script works and lists iptables rules without the sudo keyword and without providing any password.
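As an added example (not from the original post), here is a least-privilege variant of the same setup. The page's entry NOPASSWD:/sbin/iptables matches any arguments, so maxpatrol could change rules as well as list them; this version lists only the exact read-only invocations in sudoers, forwards arguments with "$@", and syntax-checks the fragment with visudo before it goes live. The fragment path /etc/sudoers.d/iptables-readonly and the presence of "#includedir /etc/sudoers.d" in /etc/sudoers are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's code. Least-privilege version of the
# sudoers entry plus a wrapper that forwards all arguments.
# Assumes /etc/sudoers contains "#includedir /etc/sudoers.d"; otherwise append
# the rule with visudo instead of installing a fragment.

SUDO_USER_NAME=maxpatrol
IPT=/sbin/iptables

# sudo compares the argument string literally, so only the spellings listed
# here run without a password: "iptables -L" or "iptables -L -n -v" will still
# be refused. List every table the user needs to read.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s -nvL, %s -t nat -nvL, %s -t mangle -nvL\n' \
        "$SUDO_USER_NAME" "$IPT" "$IPT" "$IPT"
}

# Wrapper body: a shebang so the kernel can exec it, and "$@" so that
# "iptables -t nat -nvL" reaches sudo intact (${1} would drop -nvL).
wrapper_body() {
    printf '#!/bin/sh\nexec sudo %s "$@"\n' "$IPT"
}

# Predict sudo's decision for an argument string before relying on it.
allowed_args() {
    case "$1" in
        '-nvL'|'-t nat -nvL'|'-t mangle -nvL') return 0 ;;
        *) return 1 ;;
    esac
}

# Install the fragment only after visudo confirms it parses; a broken sudoers
# file locks everyone out of sudo. Mode 0440 is what sudo expects.
install_rule() {
    frag=${1:-/etc/sudoers.d/iptables-readonly}   # assumed location
    sudoers_rule > "$frag.tmp" && chmod 0440 "$frag.tmp" || return 1
    if visudo -cf "$frag.tmp"; then
        mv "$frag.tmp" "$frag"
    else
        rm -f "$frag.tmp"
        return 1
    fi
}
```

Run install_rule as root, then write wrapper_body into ~/iptables for maxpatrol exactly as the page does with chmod 500.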

Written At: 31 OCT 2018 13:00
Red Hat Release: 5.7 x64 (Tikanga)