I'm submitting a PR as a request for comments/review for capabilities (7) support.
The code drops all privileges except CAP_NET_ADMIN and CAP_NET_RAW and switches the effective user ID to a non-privileged user and group specified in the config file.
This solution is not without problems, as (obviously) an attacker could go back to UID0 and place shell scripts in /etc/cron.d/ or use similar attack vectors. To avoid this problem, a chroot environment would be required. CAP_CHROOT is not permitted anymore, so breaking out would not be a problem.
Turns out I was mistaken about some things - I had accidentally still run iptables as root. The current code now drops from UID0 to a non-privileged user at startup. There are two occasions where the effective user ID is set back to 0:
* in execute() in util.c
* in fw_iptables.c with a wrapper around popen
Re your earlier comment:
This will also need a switch_to_root() call then. INHERITABLE is probably also not needed in the patch above.
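An added example (not the PR's code) of the pattern the description and the switch_to_root() comment refer to: shrink the capability sets to CAP_NET_ADMIN and CAP_NET_RAW with the raw capget/capset syscalls, run with an unprivileged effective UID, and switch back to UID 0 around the iptables call; it goes one step further than the PR text by also dropping the bounding set, so the popen()'d child cannot regain the full set. It assumes Linux, a real and saved UID of 0, and hypothetical names (drop_privileges(), caps_syscall(), the uid/gid arguments) that are not from the project.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
typedef struct __user_cap_data_struct cap_data_t[_LINUX_CAPABILITY_U32S_3];
/* Build a v3 capset payload holding only keep[]: permitted == effective,
 * inheritable left empty so nothing is handed to children through it. */
void build_cap_data(const int *keep, size_t n, cap_data_t data)
{
    for (size_t w = 0; w < _LINUX_CAPABILITY_U32S_3; w++)
        data[w].effective = data[w].permitted = data[w].inheritable = 0;
    for (size_t i = 0; i < n; i++) {
        data[keep[i] / 32].permitted |= 1u << (keep[i] % 32);
        data[keep[i] / 32].effective |= 1u << (keep[i] % 32);
    }
}
/* 1 if capability c is in the permitted set of data, else 0. */
int cap_permitted(const cap_data_t data, int c) { return (data[c / 32].permitted >> (c % 32)) & 1u; }
/* Raw capget/capset on the calling thread (pid 0); nr is SYS_capget or
 * SYS_capset. No libcap link is needed. (hypothetical helper name) */
long caps_syscall(long nr, cap_data_t d)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(nr, &h, d);
}

/* Run with an unprivileged effective UID/GID keeping only keep[]. Real and
 * saved UID stay 0, so switch_to_root() works, and so does the re-escalation
 * path the PR description warns about. Returns 0 on success, -1 on error. */
int drop_privileges(uid_t uid, gid_t gid, const int *keep, size_t n)
{
    cap_data_t data;
    build_cap_data(keep, n, data);
    /* Shrink the bounding set first (needs CAP_SETPCAP, still held): a child
     * exec'd while euid is 0 gets its permitted set from the bounding set, so
     * without this step the popen()'d iptables would run fully privileged. */
    for (int c = 0; c <= CAP_LAST_CAP; c++)
        if (!cap_permitted(data, c)) prctl(PR_CAPBSET_DROP, c, 0, 0, 0);
    if (caps_syscall(SYS_capset, data) < 0) return -1;   /* permitted -> keep[] */
    if (setegid(gid) < 0 || seteuid(uid) < 0) return -1;
    /* euid 0 -> nonzero cleared the effective set; re-raise it from permitted */
    return caps_syscall(SYS_capset, data) < 0 ? -1 : 0;
}

/* Back to root around execute()/popen(): allowed without CAP_SETUID because
 * the saved UID is still 0; the effective set is refilled from permitted. */
int switch_to_root(void) { return (seteuid(0) == 0 && setegid(0) == 0) ? 0 : -1; }
```

Run as root, a child started after drop_privileges() inherits at most the two network capabilities, which is the check worth adding to the PR's test plan.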