[CentOS] IPtables block user from outbound ICMP

Wed Feb 24 17:20:42 UTC 2016
Gordon Messmer <gordon.messmer at gmail.com>

On 02/24/2016 06:42 AM, John Cenile wrote:
> Is it possible at all to block all users other than root from sending
> outbound ICMP packets on an interface?

That is, more or less, the default.  In order to send ICMP packets, an 
application must be root, or must have the CAP_NET_RAW capability (as 
root does).  /usr/bin/ping and ping6 have that capability set, stored in 
the filesystem.  Use "getcap /usr/bin/ping" to view it, or use "setcap 
-r" to remove them.

If you don't grant that capability to any binaries, and don't give users 
sudo or other "root" access, they won't be able to send ICMP packets.
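As an added illustration of the audit the reply describes (this is not code from the list thread), the following POSIX shell script scans getcap-style output for binaries carrying cap_net_raw (or cap_net_admin), the capability that raw ICMP sockets require. The sample getcap lines are constructed here, covering both the older "path = caps+ep" and the newer "path caps=ep" formats libcap prints. A second helper covers a caveat the reply does not mention: on current kernels the sysctl net.ipv4.ping_group_range lets the listed group IDs open unprivileged ICMP Echo sockets with no capability at all, so a complete audit checks that value too.

```shell
#!/bin/sh
# Constructed sample of getcap output, in both formats libcap has printed:
#   old:  /path = cap_a,cap_b+ep
#   new:  /path cap_a,cap_b=ep
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/ping6 = cap_net_raw+ep
/usr/sbin/mtr-packet cap_net_raw=ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/usr/sbin/arping = cap_net_raw+ep
/usr/bin/newuidmap = cap_setuid+ep'

# Print the path of every getcap line whose capability set includes
# cap_net_raw or cap_net_admin.  Reads getcap output on stdin.
raw_socket_binaries() {
    awk '{
        path = $1
        caps = $0
        # Drop the path and the " = " or " " separator; what remains is the cap list.
        sub(/^[^ ]+[ =]+/, "", caps)
        if (caps ~ /(^|,)cap_net_raw[+=,]/ || caps ~ /(^|,)cap_net_admin[+=,]/)
            print path
    }'
}

# Number of raw-socket-capable binaries in the constructed sample (expected: 4).
count_sample() {
    printf '%s\n' "$SAMPLE_GETCAP" | raw_socket_binaries | wc -l | tr -d ' '
}

# Caveat: net.ipv4.ping_group_range lets groups in [lo, hi] open ICMP Echo
# sockets without cap_net_raw.  The kernel default "1 0" (lo > hi) disables
# this.  Arguments: gid, lo, hi.  Succeeds when gid may ping without caps.
ping_gid_allowed() {
    gid=$1; lo=$2; hi=$3
    [ "$lo" -le "$hi" ] && [ "$gid" -ge "$lo" ] && [ "$gid" -le "$hi" ]
}

# On a live system, replace the sample with a real scan and check the sysctl:
#   getcap -r / 2>/dev/null | raw_socket_binaries
#   ping_gid_allowed "$(id -g)" $(cat /proc/sys/net/ipv4/ping_group_range) \
#       && echo "this group can send ICMP Echo without cap_net_raw"
```

If the scan lists ping and you want the lockdown the reply describes, "setcap -r /usr/bin/ping" removes the file capability; a ping_group_range that includes ordinary users' groups would still need to be reset to "1 0" for the restriction to hold.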