Hello,
Is it possible at all to block all users other than root from sending outbound ICMP packets on an interface?
At the moment we have the following two rules in our IPtables config:
iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j DROP
But this still allows ICMP for some reason (but *does* block other TCP/UDP packets, which is what we want, as well as ICMP).
Thanks.
Hello,
----- Original Message -----
From: "John Cenile" jcenile1983@gmail.com To: "centos" centos@centos.org Sent: Wednesday 24 February 2016 15:42:36 Subject: [CentOS] IPtables block user from outbound ICMP
According to the iptables documentation (http://ipset.netfilter.org/iptables.man.html), not specifying "-p" is equivalent to specifying "-p all", which matches all protocols, ICMP included. So these rules are good. BUT... I suppose /bin/ping has a suid bit set, no?
Sylvain.
Think ENVIRONMENT: print only if necessary
On 24.02.2016 at 16:07, Sylvain CANOINE wrote:
Blocking the complete ICMP protocol is stupid and should not be recommended.
ICMP echo request and echo reply are just 2 types of a bigger set of necessary ICMP types. It is safe to block those 2, though that does not really serve a purpose. A system not replying to ICMP echo requests does not hide it from others.
Alexander
On Wed, February 24, 2016 12:25 pm, Alexander Dalloz wrote:
Indeed. Not replying to ping is rather Windows-ish behavior (still standard Windows behavior out of the box; they must still have a rather low opinion of their own programmers, I guess, and still be scared of the [in]famous "ping of death").
If one doesn't trust local users to the extent that one doesn't allow them to send outbound pings, then one has rather large restrictions to impose on users' work, IMHO. I do have some boxes like that, and on these boxes I indeed have a rather restricted set of tools/commands accessible to users. In addition, though users can build or download stuff, they cannot execute anything of their own. In other words, all places users can write to are mounted with the "nosuid, nosgid, noexec" options; the last one is the one I mean here (do your own thinking on why the other two are also there). Once that is done, you can remove the "others" read and execute bits from the ping command (and other commands you don't want them to be able to use). Sending ping in particular requires opening a raw socket, which only root (and group wheel) can do; that's why the ping command has SGID set. But again, with that level of trust in local users, outbound ping is a tiny thing out of the big list one has to do.
I found it too tiresome to maintain this as a real host, so when I need something like that (awfully restricted users, still having local access to the system), I just - hm, somebody hopefully will chime in on how to do a similar thing on Linux; I'm doing this on FreeBSD, and I just start a separate jail, specifically configured for user logins and local access to the system (which is not a system, and which contains only the tools I want to give users; the services of this same host run in different jails, mostly one service per jail). Hopefully, someone will tell how he/she does a similar thing in CentOS.
Just my $0.02.
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
Thanks all, that seemed to be the problem (the suid bit). :)
On 25 February 2016 at 06:03, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 25 Feb 2016 00:30, "John Cenile" jcenile1983@gmail.com wrote:
Thanks all, that seemed to be the problem (the suid bit). :)
Well, if you really want to call it a problem... Blocking ICMP via a host-based firewall remains pretty silly.
Bear in mind that, since it's a file permission, this will be 'fixed' on any update of ping. Not that ping gets many updates, but there you go...
I'm still curious as to why this was a requirement.
On Thu, 2016-02-25 at 07:19 +0000, James Hogarth wrote:
Well if you really want to call it a problem... Blocking ICMP via a host based firewall remains pretty silly.
On all servers I used IPtables to block (DROP) all incoming ICMPs except:-
  type 0  state RELATED,ESTABLISHED
  type 3  state RELATED,ESTABLISHED
  type 8  state NEW,RELATED,ESTABLISHED
  type 11 state RELATED,ESTABLISHED
All outgoing ICMPs are blocked except for:-
  type 0  state RELATED,ESTABLISHED
  type 8  state NEW,RELATED,ESTABLISHED
Am I silly too ;-)
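The ICMP type/state policy described in the post above, written out as iptables rules. This is an added example, not a rule set posted in the thread; it assumes the interface name eth1 from the original post and an iptables build with the conntrack match, and it only touches the firewall when run with the "apply" argument (set IPT=echo to print the rules instead).

```shell
#!/bin/bash
# Added example (not from the thread): the ICMP type/state policy described in
# the post above as iptables rules. Assumptions: interface eth1 (from the
# original post) and the conntrack match module.
IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of applying
IFACE="${IFACE:-eth1}"

# Inbound policy: "<icmp type> <allowed conntrack states>" per line.
# 0 = echo reply, 3 = destination unreachable, 8 = echo request, 11 = time exceeded.
icmp_in_policy() {
    cat <<'EOF'
0 RELATED,ESTABLISHED
3 RELATED,ESTABLISHED
8 NEW,RELATED,ESTABLISHED
11 RELATED,ESTABLISHED
EOF
}

# Outbound policy: only our own echo requests and replies to others' requests.
icmp_out_policy() {
    cat <<'EOF'
0 RELATED,ESTABLISHED
8 NEW,RELATED,ESTABLISHED
EOF
}

# Read policy lines from stdin, emit one ACCEPT rule each, then DROP every
# other ICMP type on that chain. $1 = INPUT|OUTPUT, $2 = -i|-o (direction flag).
icmp_rules() {
    chain="$1"; dirflag="$2"
    while read -r type states; do
        "$IPT" -A "$chain" "$dirflag" "$IFACE" -p icmp --icmp-type "$type" \
            -m conntrack --ctstate "$states" -j ACCEPT
    done
    "$IPT" -A "$chain" "$dirflag" "$IFACE" -p icmp -j DROP
}

apply_icmp_policy() {
    icmp_in_policy  | icmp_rules INPUT  -i
    icmp_out_policy | icmp_rules OUTPUT -o
}

# Only touch the firewall when explicitly asked:  sudo ./icmp-policy.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_icmp_policy
fi
```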
On 02/24/2016 06:42 AM, John Cenile wrote:
Is it possible at all to block all users other than root from sending outbound ICMP packets on an interface?
That is, more or less, the default. In order to send ICMP packets, an application must be root, or must have the CAP_NET_RAW capability (as root does). /usr/bin/ping and ping6 have that capability set, stored in the filesystem. Use "getcap /usr/bin/ping" to view it, or use "setcap -r" to remove them.
If you don't grant that capability to any binaries, and don't give users sudo or other "root" access, they won't be able to send ICMP packets.
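An added audit script (not code from the thread) for the two mechanisms discussed above: setuid-root binaries and files carrying the cap_net_raw capability, either of which lets a non-root user's ping run with raw-socket privilege and so slip past a uid-based owner match. It assumes a Linux host with GNU find/stat and the getcap tool from libcap; directories to scan are given as arguments after "audit".

```shell
#!/bin/bash
# Added example (not from the thread): report binaries that can open raw
# sockets without the caller being root, i.e. setuid-root files and files
# carrying the cap_net_raw file capability. Assumes GNU find/stat and getcap.

# True if one line of getcap output grants cap_net_raw. Both output formats
# are handled: "/usr/bin/ping = cap_net_raw+ep" (older libcap) and
# "/usr/bin/ping cap_net_raw=ep" (newer libcap).
cap_line_has_net_raw() {
    printf '%s\n' "$1" | grep -qw 'cap_net_raw'
}

# Classify a single path: suid-root, suid-other, cap_net_raw or none.
raw_socket_capable() {
    f="$1"
    if [ -u "$f" ]; then
        if [ "$(stat -c %u "$f")" = 0 ]; then echo suid-root; else echo suid-other; fi
        return
    fi
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$f" 2>/dev/null)
        if [ -n "$caps" ] && cap_line_has_net_raw "$caps"; then
            echo cap_net_raw; return
        fi
    fi
    echo none
}

# Walk directories (default: the usual binary locations) and print one line
# per finding: "<class> <path>". Setuid-root files come from find,
# capabilities from a recursive getcap.
audit_raw_socket_binaries() {
    if [ $# -eq 0 ]; then set -- /bin /sbin /usr/bin /usr/sbin; fi
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -perm -4000 -user root 2>/dev/null |
            while read -r f; do echo "suid-root $f"; done
        command -v getcap >/dev/null 2>&1 || continue
        getcap -r "$dir" 2>/dev/null | while read -r line; do
            if cap_line_has_net_raw "$line"; then echo "cap_net_raw ${line%% *}"; fi
        done
    done
}

# Usage: ./audit-raw-socket.sh audit [dir ...]
if [ "${1:-}" = "audit" ]; then shift; audit_raw_socket_binaries "$@"; fi
```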
On 24.02.2016 at 15:42, John Cenile wrote:
What do you want to achieve by not allowing outbound ICMP traffic?
Are you aware that ICMP has a larger set of different types, several of which are required for a functional network?
Alexander