[CentOS] IPtables block user from outbound ICMP

Wed Feb 24 15:07:07 UTC 2016
Sylvain CANOINE <sylvain.canoine at tv5monde.org>


----- Mail original -----
> De: "John Cenile" <jcenile1983 at gmail.com>
> À: "centos" <centos at centos.org>
> Envoyé: Mercredi 24 Février 2016 15:42:36
> Objet: [CentOS] IPtables block user from outbound ICMP

> Is it possible at all to block all users other than root from sending
> outbound ICMP packets on an interface?
> At the moment we have the following two rules in our IPtables config:
> iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
> iptables -A OUTPUT -o eth1 -j DROP
> But this still allows ICMP for some reason (but *does* block other TCP/UDP
> packets, which is what we want, as well as ICMP).
According to the iptables documentation (http://ipset.netfilter.org/iptables.man.html), not specifying "-p" is equivalent to specifying "-p all", which matches with all protocols, icmp included. So these rules are good. BUT... I suppose /bin/ping has a suid bit set, no ?

Pensez ENVIRONNEMENT : n'imprimer que si ncessaire