Why is the -L (list) option of iptables not available to non-root users?


  • QA Engineer

    Many tools in Linux allow for checking things as a non-root user. For example, at any time, I can check whether a service is running:

    $ systemctl status ntp
    

    However, iptables needs to be used as root whatever the option. I'm wondering what issue there could be to allow -L to a non-root user:

    $ iptables -L -nvx
    

    still tells me that I need to be root.

    Wouldn't a good hacker be able to figure out the firewall anyway and thus blocking the -L option is just obfuscation which as we know is not security?



  • It isn't available because nobody has gone through the extra effort to make it available.

    iptables works by opening a connection to the part of the system that's responsible for managing the firewall, which is inside the kernel. (See https://unix.stackexchange.com/questions/385109/can-you-list-iptables-as-a-non-root-user-and-why for more details.) This subsystem has a very simple authorization model: root can connect, and others can't connect. (More precisely, to connect, you need the right capabilities, but that doesn't matter here.) There is no further authorization based on the commands (listing or modification).

    It is possible to have confidential information in the firewall settings, for example a port knocking sequence. Enabling that wasn't a primary design goal of Linux's firewall mechanism, but it happens to be supported.
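The authorization model described in the answer above can be checked from user space, because the kernel's gate is a capability test rather than a uid test. The following bash script is an added example and is not part of the original answer or of the iptables project: it reads the effective capability set of a process (the CapEff line of /proc/<pid>/status) and reports whether that set would let the legacy iptables backend fetch the ruleset. The capability numbers used (CAP_NET_ADMIN = 12, CAP_NET_RAW = 13) are the kernel's; the function names and the sample status file in the usage note are constructed for this example.

```shell
#!/bin/bash
# Added example, not code from the original page. Legacy iptables opens a raw
# socket (the kernel requires CAP_NET_RAW, capability 13) and then asks for the
# table with getsockopt(); the kernel requires CAP_NET_ADMIN (capability 12)
# for that request whether the caller wants to list or to modify. Root normally
# has both, an ordinary user has neither, which is the "root can connect,
# others can't" model from the answer.

CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap MASK BIT: succeed (exit 0) if capability number BIT is set in MASK,
# a 64-bit hex string in the format of the Cap* lines of /proc/<pid>/status.
has_cap() {
    local mask=$1 bit=$2
    (( (0x$mask >> bit) & 1 ))
}

# cap_eff_from_status FILE: print the hex CapEff mask found in FILE, which is
# expected to be in /proc/<pid>/status format.
cap_eff_from_status() {
    awk '/^CapEff:/ { print $2 }' "$1"
}

# iptables_list_allowed MASK: succeed if a process whose effective set is MASK
# can reach the ruleset through the legacy interface, i.e. has both
# CAP_NET_RAW (raw socket) and CAP_NET_ADMIN (the getsockopt call).
iptables_list_allowed() {
    has_cap "$1" "$CAP_NET_RAW" && has_cap "$1" "$CAP_NET_ADMIN"
}

# Report on the calling shell itself. Returns 0 either way; the verdict is
# printed. Skips cleanly on systems without procfs.
main() {
    local status=/proc/self/status eff
    if [[ ! -r $status ]]; then
        echo "no $status here; nothing to inspect"
        return 0
    fi
    eff=$(cap_eff_from_status "$status")
    if iptables_list_allowed "$eff"; then
        echo "CapEff=$eff: CAP_NET_RAW and CAP_NET_ADMIN present, iptables -L would be allowed"
    else
        echo "CapEff=$eff: capability missing, iptables -L would fail with EPERM"
    fi
}

[[ ${BASH_SOURCE[0]} == "$0" ]] && main "$@"
```

Run it as a normal user and as root to see the two verdicts. The same point can be seen with libcap's capsh, which starts a shell with selected capabilities dropped: as root, `capsh --drop=cap_net_admin -- -c 'iptables -L'` fails on the listing even though the uid is still 0, because it is the capability the kernel checks.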


