USING IPTABLES UTILITY AS A NON-ROOT USER
3 WAYS TO LIST ALL IPTABLES RULES BY A NON-ROOT USER
For this demo, the user maxpatrol is used.
Back up your sudoers file.
[root@rhel511 ~]# cp /etc/sudoers /etc/sudoers.$(date +%d%b%y)
[root@rhel511 ~]# ls -l /etc/sudoers*
-r--r----- 1 root root 3515 Apr 20 2017 /etc/sudoers
-r--r----- 1 root root 3515 Nov 19 10:41 /etc/sudoers.19Nov18Add the following line to the sudoers file.
It will allow the user maxpatrol to execute /sbin/iptables executable without providing a password.
For instance
[root@rhel511 ~]# echo "maxpatrol ALL=(ALL) NOPASSWD:/sbin/iptables" >> /etc/sudoers
[root@rhel511 ~]# egrep maxpatrol /etc/sudoers
maxpatrol ALL=(ALL) NOPASSWD:/sbin/iptablesSwitch to the maxpatrol user and test if you are able to list iptables rules.
############################
## Without sudo keyword
############################
[root@rhel511 ~]# su - maxpatrol
[maxpatrol@rhel511 ~]$ /sbin/iptables -nvL
iptables v1.3.5: can't initialize iptables table `filter': Permission denied (you must be root)
############################
## With sudo keyword
############################
[maxpatrol@rhel511 ~]$ sudo /sbin/iptables -nvL
Chain INPUT (policy ACCEPT 1 packets, 484 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 842 bytes)
pkts bytes target prot opt in out source destinationIt works with the SUDO keyword. To eliminate using the SUDO the following trick can be used.
Create an iptables script in the home directory of the maxpatrol user
echo "sudo /sbin/iptables \${1}" > /home/maxpatrol/iptables
chmod 500 iptables
ls -l iptables
}
For instance
[maxpatrol@rhel511 ~]$ {
> echo "sudo /sbin/iptables \${1}" > /home/maxpatrol/iptables
> chmod 500 iptables
> ls -l iptables
> }
-r-x------ 1 maxpatrol auditor 21 Nov 19 10:52 iptablesExecute the created iptables script to verify that it works
[maxpatrol@rhel511 ~]$ ./iptables -nvL
Chain INPUT (policy ACCEPT 2858K packets, 3924M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2895K packets, 4656M bytes)
pkts bytes target prot opt in out source destinationThe script works. Add the script location to the PATH variable
[maxpatrol@rhel511 ~]$ export PATH=/home/maxpatrol:$PATHNow you must be able to execute the script by its name
[maxpatrol@rhel511 ~]$ iptables -nvL
Chain INPUT (policy ACCEPT 3745K packets, 5030M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3764K packets, 5551M bytes)
pkts bytes target prot opt in out source destinationAdd the script path to the PATH variable in .bash_profile file. For instance
[maxpatrol@rhel511 ~]$ echo "export PATH=/home/maxpatrol:\${PATH}" >> ~/.bash_profile
[maxpatrol@rhel511 ~]$ egrep PATH ~/.bash_profile
PATH=$PATH:$HOME/bin
export PATH
export PATH=/home/maxpatrol:${PATH}Re-login as the maxpatrol user and verify it again
#########################
## Re-login
#########################
[maxpatrol@rhel511 ~]$ exit
logout
[root@rhel511 ~]# su - maxpatrol
#########################
## Ensure the iptables command points to your script
#########################
[maxpatrol@rhel511 ~]$ which iptables
~/iptables
#########################
## Execute the script
#########################
[maxpatrol@rhel511 ~]$ iptables -nvL
Chain INPUT (policy ACCEPT 5058K packets, 6191M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5106K packets, 6848M bytes)
pkts bytes target prot opt in out source destinationThe script works and lists iptables rules without SUDO keyword and without providing any password.
