Hello,
----- Original Message -----
From: "John Cenile" jcenile1983@gmail.com
To: "centos" centos@centos.org
Sent: Wednesday, 24 February 2016 15:42:36
Subject: [CentOS] IPtables block user from outbound ICMP
Is it possible at all to block all users other than root from sending outbound ICMP packets on an interface?
At the moment we have the following two rules in our IPtables config:
iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j DROP
But this still allows ICMP for some reason (but *does* block other TCP/UDP packets, which is what we want, as well as ICMP).
According to the iptables documentation (http://ipset.netfilter.org/iptables.man.html), not specifying "-p" is equivalent to specifying "-p all", which matches all protocols, ICMP included. So these rules are good. BUT... I suppose /bin/ping has the suid bit set, no?
Sylvain.

Think ENVIRONMENT: print only if necessary
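The following diagnostic is an added example, written for this page and not code from John or Sylvain, that works through Sylvain's hypothesis: the owner match compares against the uid that created the socket (the effective uid at socket() time), so a setuid-root /bin/ping opens its raw ICMP socket as uid 0 before dropping privileges, and the "--uid-owner 0 -j ACCEPT" rule fires for every user. It assumes a POSIX sh on Linux, GNU coreutils stat(1) for "-c %u", and optionally getcap(8) from libcap; the path /bin/ping comes from the thread, and the caller uid 1000 used in the stand-alone run is a hypothetical unprivileged user.

```shell
#!/bin/sh
# Added diagnostic, not part of the original mail thread.
# Assumes: POSIX sh, GNU coreutils stat (-c %u), optional getcap(8).

# priv_mode FILE -> "setuid" | "filecaps" | "none" | "missing"
# How the binary obtains the privilege needed for a raw ICMP socket.
priv_mode() {
    f=$1
    [ -e "$f" ] || { echo missing; return 1; }
    if [ -u "$f" ]; then
        # Mode bit 04000: the process runs with the file owner's euid.
        echo setuid
    elif command -v getcap >/dev/null 2>&1 && getcap "$f" 2>/dev/null | grep -q cap_net_raw; then
        # CAP_NET_RAW granted on the file: the euid stays the caller's.
        echo filecaps
    else
        echo none
    fi
}

# socket_owner_uid FILE CALLER_UID -> uid that "-m owner --uid-owner" sees
# The owner match checks the uid that created the socket. A setuid binary
# creates it as the file owner (0 for a root-owned ping) before it drops
# privileges; file capabilities leave the euid alone, so the match sees the
# real caller.
socket_owner_uid() {
    f=$1
    caller=$2
    if [ "$(priv_mode "$f")" = setuid ]; then
        stat -c %u "$f"
    else
        echo "$caller"
    fi
}

# verdict FILE CALLER_UID -> "ACCEPT" | "DROP" under the thread's two rules:
#   -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
#   -A OUTPUT -o eth1 -j DROP
verdict() {
    if [ "$(socket_owner_uid "$1" "$2")" = 0 ]; then
        echo ACCEPT
    else
        echo DROP
    fi
}

# Stand-alone usage: what the rules do to ICMP from root and from uid 1000
# (hypothetical unprivileged user) when they run PING_BIN on this host.
PING_BIN=${PING_BIN:-/bin/ping}
echo "$PING_BIN privilege mode: $(priv_mode "$PING_BIN")"
for uid in 0 1000; do
    echo "uid $uid: owner match sees uid $(socket_owner_uid "$PING_BIN" "$uid"), verdict $(verdict "$PING_BIN" "$uid")"
done
```

If the script reports "setuid", the firewall cannot tell root's pings from anyone else's, because by the time the packet reaches the OUTPUT chain the socket already belongs to uid 0. If it reports "filecaps", the socket belongs to the calling user and the existing DROP rule already applies to non-root users, which is the behaviour the original question asked for.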