Can you list iptables as a non-root user and why?

Solution 1

It appears iptables needs both CAP_NET_RAW and CAP_NET_ADMIN to be able to read the tables. I tried

$ cp /usr/sbin/iptables ~/iptables  # note, it may be a symbolic link
$ sudo setcap CAP_NET_RAW,CAP_NET_ADMIN+ep  ~/iptables
$ ~/iptables  -nvL

and it was ok.

Solution 2

Indeed, iptables uses the netlink interface to communicate with the kernel. It opens a netlink socket to xtables, then issues commands via this socket. Access control is performed when the socket is opened, not for individual commands, so the same permissions are required for listing and modifying rules. The only way to allow a user to list rules but not modify them is to give them a carefully-written setuid (or setcap) executable.

It would be nice if there was an interface to netfilter in /proc, but as far as I know the task of implementing it has never been completed.
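An added example (not from either answer, nor from the iptables project) of the carefully-written wrapper Solution 2 describes, which is also the caveat for Solution 1: because the permission check happens when the socket is opened, the setcap'd copy from Solution 1 lets the user modify rules just as well as list them. This wrapper lets only listing arguments through before exec'ing the real binary; the sudoers line, the install path and the "support" user are assumptions.

```shell
#!/bin/sh
# iptables-ro: read-only front end for iptables, meant to be the only iptables
# command a support user may run, e.g. via an assumed sudoers line:
#   support ALL=(root) NOPASSWD: /usr/local/sbin/iptables-ro
# (sudo, because Linux ignores setuid bits and file capabilities on scripts)
IPTABLES=/usr/sbin/iptables   # assumed path of the real binary
# Accept a bundled short option such as -nvL only if every letter is a
# listing/formatting flag; -A, -D, -F, -X, -P, -I, -R and friends are refused.
short_bundle_ok() {
    letters=${1#-}
    while [ -n "$letters" ]; do
        c=${letters%"${letters#?}"}      # first character
        letters=${letters#?}             # drop it
        case "$c" in
            L|S|n|v|x) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Return 0 only when the whole argument list is read-only: -L/-S with their
# formatting flags, -t with a known table, bare chain names or rule numbers.
iptables_ro_args_ok() {
    want_table=0
    for arg in "$@"; do
        if [ "$want_table" = 1 ]; then
            case "$arg" in
                filter|nat|mangle|raw|security) want_table=0 ;;
                *) return 1 ;;
            esac
            continue
        fi
        case "$arg" in
            -t|--table) want_table=1 ;;
            --list|--list-rules|--numeric|--verbose|--exact|--line-numbers) ;;
            -|--*) return 1 ;;                 # "-" alone or any other long option
            -?*) short_bundle_ok "$arg" || return 1 ;;
            ''|*[!A-Za-z0-9_-]*) return 1 ;;   # empty or odd characters
            *) ;;                              # chain name or rule number
        esac
    done
    [ "$want_table" = 0 ]                      # -t without a table is an error
}
# Validate, then hand off to the real iptables (only when run as iptables-ro).
case "$0" in
    */iptables-ro|iptables-ro)
        iptables_ro_args_ok "$@" || { echo "iptables-ro: listing options only" >&2; exit 2; }
        exec "$IPTABLES" "$@" ;;
esac
```

Because the allowlist is checked before exec and anything unrecognised is refused, a sudoers entry for this one script grants view-only access, which a plain "sudo iptables" rule cannot.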

Author by krk phr

Updated on September 18, 2022

Comments

  • krk phr
    krk phr almost 2 years
    import android.os.Bundle;
    // Assumed: the support-library package used in that era of the Udacity course;
    // newer projects import androidx.appcompat.app.AppCompatActivity instead.
    import android.support.v7.app.AppCompatActivity;
    import android.view.Menu;
    import android.view.MenuItem;
    import android.view.View;
    import android.widget.TextView;
    
    public class MainActivity extends AppCompatActivity {
    
      @Override
      protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
      }
    
      @Override
      public boolean onCreateOptionsMenu(Menu menu) {
        // Inflate the menu; this adds items to the action bar if it is present.
        // R.menu.menu_main only exists if res/menu/menu_main.xml does
        // (the "cannot find symbol variable menu" error reported below).
        getMenuInflater().inflate(R.menu.menu_main, menu);
        return true;
      }
    
      @Override
      public boolean onOptionsItemSelected(MenuItem item) {
        // Handle action bar item clicks here. The action bar will
        // automatically handle clicks on the Home/Up button, so long
        // as you specify a parent activity in AndroidManifest.xml.
        int id = item.getItemId();
    
        // R.id.action_settings requires a menu item with that id in menu_main.xml
        // (the "cannot find symbol variable action_settings" error reported below).
        //noinspection SimplifiableIfStatement
        if (id == R.id.action_settings) {
          return true;
        }
    
        return super.onOptionsItemSelected(item);
      }
    
      /**
       * Increase the score for Team A by 1 point.
       */
      public void addOneForTeamA(View v) {
        displayForTeamA(1);
      }
    
      /**
       * Increase the score for Team A by 2 points.
       */
      public void addTwoForTeamA(View v) {
        displayForTeamA(2);
      }
    
      /**
       * Increase the score for Team A by 3 points.
       */
      public void addThreeForTeamA(View v) {
        displayForTeamA(3);
      }
    
      /**
       * Displays the given score for Team A.
       */
      public void displayForTeamA(int score) {
        TextView scoreView = (TextView) findViewById(R.id.team_a_score);
        scoreView.setText(String.valueOf(score));
      }
    }
    

    These are the two errors that I am getting; please help me solve them. These lines of code are actually copied from the GitHub Udacity Android for Beginners code.

    Error:(21, 36) error: cannot find symbol variable menu
    Error:(33, 23) error: cannot find symbol variable action_settings

    • W0rmH0le
      W0rmH0le almost 8 years
      Do you have any item in res/menu/menu_main.xml with ID == action_settings?
    • krk phr
      krk phr almost 8 years
      Nope. Actually, I have done very similar code before and it worked just fine; I don't know why I am getting this now.
    • W0rmH0le
      W0rmH0le almost 8 years
      This error is happening because there are no views (or menu items) with ID == action_settings. Check res/menu/menu_main.xml and get the proper ID (or share the file res/menu/menu_main.xml).
    • krk phr
      krk phr almost 8 years
      I'll just re-ask the question with the XML code and the correct code too; please see if you can figure out the solution to this app.
    • krk phr
      krk phr almost 8 years
      Thank you, all of you, for helping. @Guilherme P, thank you, your advice worked. I just deleted those things.
    • jesse_b
      jesse_b almost 7 years
      Do those linked questions really include a workaround, though? I see suggestions to just use root and/or to use sudo, but both of those would allow the users to also modify rules, no?
    • Hakan Baba
      Hakan Baba almost 7 years
      As a workaround they suggest to wrap sudo iptables in a script or call iptables in a cron job by root. I thought of these as workarounds to fall back to the privileged user in a different way.
    • jesse_b
      jesse_b almost 7 years
      Yea, but your question has me thinking there is a good use case for more granular iptables permissions. The first thing I thought when I read this was that low-tier support personnel could need the ability to view firewall rules as part of initial troubleshooting on an incident but have no access to modify them. If you gave them sudo permissions you would be giving them way more than just viewing iptables. Even giving them permission to sudo a script, as one person suggested, could be problematic, but that sounds like the closest thing so far.
  • Paulo Neves
    Paulo Neves over 5 years
    The true answer, for a huge class of problems
  • 0e1val
    0e1val about 2 years
    Please note that the original question is for situations without root access: sudo is root access, and setuid bit requires root access too.