[CentOS] IPtables block user from outbound ICMP

Wed Feb 24 18:25:31 UTC 2016
Alexander Dalloz <ad+lists at uni-x.org>

On 24.02.2016 at 16:07, Sylvain CANOINE wrote:
> Hello,
> ----- Original Mail -----
>> From: "John Cenile" <jcenile1983 at gmail.com>
>> To: "centos" <centos at centos.org>
>> Sent: Wednesday 24 February 2016 15:42:36
>> Subject: [CentOS] IPtables block user from outbound ICMP
>> Is it possible at all to block all users other than root from sending
>> outbound ICMP packets on an interface?
>> At the moment we have the following two rules in our IPtables config:
>> iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
>> iptables -A OUTPUT -o eth1 -j DROP
>> But this still allows ICMP for some reason (but *does* block other TCP/UDP
>> packets, which is what we want, as well as ICMP).
> According to the iptables documentation (http://ipset.netfilter.org/iptables.man.html), not specifying "-p" is equivalent to specifying "-p all", which matches with all protocols, icmp included. So these rules are good. BUT... I suppose /bin/ping has a suid bit set, no ?
> Sylvain.
> Think of the ENVIRONMENT: print only if necessary

Blocking the complete ICMP protocol is stupid and should not be recommended.

ICMP echo request and echo reply are just 2 types of a bigger set of 
necessary ICMP types. It is safe to block those 2 while that does not 
really serve a purpose. A system not replying to ICMP echo requests does 
not hide it from others.
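As an added example, not code from the thread: a small shell check for the explanation Sylvain gives. The iptables owner match compares the uid of the process that created the socket, so a setuid-root ping opens its raw socket as uid 0 and hits the ACCEPT rule before the DROP. It assumes GNU `stat` (coreutils); `getcap` is optional and only consulted when present.

```shell
#!/bin/sh
# Added example (not from the thread). Reports why a binary such as /bin/ping
# would pass "-m owner --uid-owner 0": the owner match sees the uid of the
# socket creator, and a setuid-root ping creates its raw socket as uid 0.
#
# classify_binary FILE prints one of:
#   setuid-root   - setuid bit set and owned by root: runs as uid 0,
#                   so the uid-owner 0 ACCEPT rule matches
#   setuid-other  - setuid bit set but owner is not root
#   capability    - no setuid, but cap_net_raw file capability (assumption:
#                   getcap available); process keeps the caller's uid, so the
#                   uid-owner 0 rule does NOT match and the DROP applies
#   plain         - neither; needs a raw/ICMP socket via other means
#   missing       - file does not exist
classify_binary() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    # GNU stat: %a = octal mode (no leading zero), %u = owner uid
    set -- $(stat -c '%a %u' "$f")
    mode=$1; uid=$2
    # A 4-digit mode whose leading digit has the 4 bit set carries setuid
    # (4=setuid, 5=setuid+sticky, 6=setuid+setgid, 7=all three).
    case "$mode" in
        [4567][0-7][0-7][0-7])
            if [ "$uid" -eq 0 ]; then echo setuid-root; else echo setuid-other; fi
            return 0 ;;
    esac
    if command -v getcap >/dev/null 2>&1 \
       && getcap "$f" 2>/dev/null | grep -q cap_net_raw; then
        echo capability
    else
        echo plain
    fi
}

# Stand-alone usage: inspect the ping binaries present on this host.
for p in /bin/ping /usr/bin/ping; do
    printf '%s: %s\n' "$p" "$(classify_binary "$p")"
done
```

A result of `setuid-root` is the case the thread describes; it also shows why dropping only `-p icmp --icmp-type echo-request` for non-root users, rather than all ICMP, is the narrower change.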