LinuxQuestions.org
#1  CrAzYoNi  (10-20-2012, 11:09 AM)
User permissions to see IPTables rules & packets.


Dear all,
I'm trying to grant access to my account user to see IPTables rules and packet statistics w/o using the Root account.
How may I do it?
I've tried to add the line: user localhost= NOPASSWD: /sbin/iptables -vnxL to my Sudoers file... but still IPTables blocks me.
It seems like IPTables itself is blocking the user account and not the system permissions.

P.S I'm using CentOS 6.3 & Fedora 17 in parallel.

Thanks in advance.

Last edited by CrAzYoNi; 10-20-2012 at 01:10 PM. Reason: Solved thanks to Nugat
 
#2  nugat  (10-20-2012, 11:49 AM)
Quote (CrAzYoNi):
I'm trying to grant access to my account user to see IPTables rules and packet statistics w/o using the Root account.
How may I do it?
I've tried to add the line: user localhost= NOPASSWD: /sbin/iptables -vnxL to my Sudoers file... but still IPTables blocks me.
It seems like IPTables itself is blocking the user account and not the system permissions.
try changing your sudo rule to:
Code:
user ALL = (root) NOPASSWD: /sbin/iptables -vnxL
 
#3  CrAzYoNi (Original Poster)  (10-20-2012, 12:00 PM)
It didn't work for me.

Code:
# cat /etc/sudoers | grep user
user localhost=(root) NOPASSWD: /sbin/iptables -vnxL

##

$ iptables -vnxL
iptables v1.4.14: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
 
#4  nugat  (10-20-2012, 12:07 PM)
Quote (CrAzYoNi):
It didn't work for me.

Code:
# cat /etc/sudoers | grep user
user localhost=(root) NOPASSWD: /sbin/iptables -vnxL

##

$ iptables -vnxL
iptables v1.4.14: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
when logged in as the user, what does this command tell you?

Code:
sudo -l
(that is a lower case L, not a "one")

Edit:
the "localhost" you've used in your rule must be the hostname of the system. if it isn't, change it to that, or use ALL.

Last edited by nugat; 10-20-2012 at 12:10 PM. Reason: hostname
 
#5  CrAzYoNi (Original Poster)  (10-20-2012, 12:10 PM)
Code:
$ sudo -l
[sudo] password for user:
Matching Defaults entries for user on this host:
requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user may run the following commands on this host:
(ALL) ALL

Last edited by CrAzYoNi; 10-20-2012 at 12:10 PM. Reason: .
 
#6  nugat  (10-20-2012, 12:13 PM)
i'm confused, did you run "sudo -l" as root or as the user? is there a third username in the mix?

did you see my edit to my previous post?
 
#7  CrAzYoNi (Original Poster)  (10-20-2012, 12:18 PM)
I've run "sudo -l" as the user, just after creating a new tab on my Desktop (Gnome) env.
There is another user account instead of "user", which I'm just replacing here in the output.

And I've noticed your edit + tried ALL & Localhost already.
I'm using several hostnames to my system... localhost is replying to pings though (as the local machine).
 
#8  nugat  (10-20-2012, 12:26 PM)
i didn't notice if you stated this: are you trying to run the command with sudo in front of it? e.g.:
Code:
sudo /sbin/iptables -vnxL
 
#9  CrAzYoNi (Original Poster)  (10-20-2012, 12:29 PM)
Actually, no.
But when I do that, with sudo at the beginning, I still need to provide a password in order to get the output, which works then.
 
#10  nugat  (10-20-2012, 12:48 PM)
according to your (ALL) ALL when you run "sudo -l", it seems as though that rule is overriding your iptables-specific one.

can you comment out that (ALL) ALL rule? is that in /etc/sudoers or in a /etc/sudoers.d/* file?
 
#11  CrAzYoNi (Original Poster)  (10-20-2012, 01:09 PM)
Nugat, THANKS!
Commenting out the %wheel ALL=(ALL) solved my issue, thanks a lot!
 
#12  nugat  (10-20-2012, 01:10 PM)
A-ha! so you were in the wheel group. glad you got it sorted.
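The two things nugat pointed out in posts #4 and #10 (the host field of a sudoers entry must be the machine's hostname or ALL, and a later `%wheel ALL=(ALL) ALL` entry overrides the earlier per-user NOPASSWD entry because sudo applies the last matching entry) can be seen with this small simulator. It is an added example written for this thread, not sudo's own parser and not anything the posters ran; the sudoers snippets, the user name `user`, the group membership and the hostname `box1` are constructed, and only simple one-line entries with exact command matching are handled.

```python
import re

# Toy model of how sudo chooses a sudoers entry: every entry that matches the
# user, host and command is considered in file order and the LAST match wins.
# Constructed for this thread; it is not sudo's code and ignores aliases,
# wildcards, Defaults options and #include directives.

RULE_RE = re.compile(
    r"^(?P<who>%?[A-Za-z0-9_.-]+)\s+"      # user name or %group
    r"(?P<host>[A-Za-z0-9_.-]+)\s*=\s*"    # host field: ALL or a hostname
    r"(?:\((?P<runas>[^)]*)\)\s*)?"        # optional (runas) part
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?"   # optional NOPASSWD:/PASSWD: tag
    r"(?P<cmds>.+?)\s*$"                   # command list: ALL or one command
)


def parse_sudoers(text):
    """Return the User_Spec entries of a sudoers text, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        rules.append({
            "who": m["who"],
            "host": m["host"],
            "runas": m["runas"] or "root",
            "nopasswd": m["tag"] == "NOPASSWD",
            "cmds": " ".join(m["cmds"].split()),
        })
    return rules


def decide(rules, user, groups, hostname, command):
    """Simulate `sudo <command>`: 'denied', 'password' or 'nopasswd'."""
    wanted = " ".join(command.split())
    verdict = "denied"                      # no matching entry: sudo refuses
    for r in rules:
        who_ok = r["who"] == user or (r["who"].startswith("%") and r["who"][1:] in groups)
        host_ok = r["host"] == "ALL" or r["host"] == hostname
        cmd_ok = r["cmds"] == "ALL" or r["cmds"] == wanted
        if who_ok and host_ok and cmd_ok:
            # A later match overwrites an earlier one: last match wins.
            verdict = "nopasswd" if r["nopasswd"] else "password"
    return verdict


# Constructed sudoers content mirroring the thread: the per-user NOPASSWD
# entry followed by the stock wheel entry the OP found active.
AS_POSTED = """\
Defaults requiretty
user ALL=(root) NOPASSWD: /sbin/iptables -vnxL
%wheel ALL=(ALL) ALL
"""

# Same two entries, with the specific entry placed last so it is the final match.
REORDERED = """\
Defaults requiretty
%wheel ALL=(ALL) ALL
user ALL=(root) NOPASSWD: /sbin/iptables -vnxL
"""


def thread_scenarios():
    """Outcome of `sudo /sbin/iptables -vnxL` for `user` (a wheel member) on host box1."""
    cmd = "/sbin/iptables -vnxL"
    wheel_member = {"user", "wheel"}
    return {
        # Post #5/#10: wheel entry comes last, so a password is still required.
        "as_posted": decide(parse_sudoers(AS_POSTED), "user", wheel_member, "box1", cmd),
        # Post #11: the OP commented out the wheel entry.
        "wheel_removed": decide(parse_sudoers(AS_POSTED.replace("%wheel", "# %wheel")),
                                "user", wheel_member, "box1", cmd),
        # Keeping wheel but listing the specific entry after it also works.
        "reordered": decide(parse_sudoers(REORDERED), "user", wheel_member, "box1", cmd),
        # Post #4: host "localhost" does not match the real hostname (no wheel here).
        "wrong_host": decide(parse_sudoers(AS_POSTED.replace(" ALL=(root)", " localhost=(root)")),
                             "user", {"user"}, "box1", cmd),
        # Different arguments do not match the specific entry; only wheel applies.
        "other_args": decide(parse_sudoers(REORDERED), "user", wheel_member, "box1",
                             "/sbin/iptables -L"),
    }


if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name:14s} -> {verdict}")
```

The simulator only covers what happens once `sudo` is in front of the command. Running `iptables -vnxL` bare, as in post #3, never consults sudoers at all: the kernel refuses the netfilter socket to a non-root process, which is the "Permission denied (you must be root)" message. The `reordered` scenario shows that the wheel entry does not have to be disabled to get the result the OP wanted; placing the narrow NOPASSWD entry after it makes that entry the last match for that one command while the wheel entry keeps working, with a password, for everything else. `sudo -l` as the user, as nugat suggested, is the quickest way to confirm which entries actually apply.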
 