On 24.02.2016 at 16:07, Sylvain CANOINE wrote:
> Hello,
>
> ----- Original message -----
>> From: "John Cenile" <jcenile1983 at gmail.com>
>> To: "centos" <centos at centos.org>
>> Sent: Wednesday, 24 February 2016 15:42:36
>> Subject: [CentOS] IPtables block user from outbound ICMP
>
>> Is it possible at all to block all users other than root from sending
>> outbound ICMP packets on an interface?
>>
>> At the moment we have the following two rules in our IPtables config:
>>
>> iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
>> iptables -A OUTPUT -o eth1 -j DROP
>>
>> But this still allows ICMP for some reason (but *does* block other TCP/UDP
>> packets, which is what we want, as well as ICMP).
> According to the iptables documentation (http://ipset.netfilter.org/iptables.man.html), not specifying "-p" is equivalent to specifying "-p all", which matches all protocols, ICMP included. So these rules are good. BUT... I suppose /bin/ping has a suid bit set, no?
>
> Sylvain.
> Think ENVIRONMENT: print only if necessary

Blocking the complete ICMP protocol is stupid and should not be recommended. ICMP echo request and echo reply are just 2 types of a bigger set of necessary ICMP types. It is safe to block those 2, while that does not really serve a purpose. A system not replying to ICMP echo requests does not hide it from others.

Alexander
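The explanation in the thread is that a setuid-root ping opens its raw socket while its effective uid is 0, so the socket's credentials are root's and the `--uid-owner 0` ACCEPT rule matches even when an ordinary user runs the command. The following POSIX shell helpers are an added example, not code from the thread or from the iptables project: `list_setuid` and `is_setuid` locate set-user-ID executables (the check Sylvain suggests), and `owner_rules` prints the two rules from the thread for a given interface without applying them, so the script runs without root. The function names and the `--demo` switch are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for investigating why an
# "-m owner --uid-owner 0" ACCEPT rule still lets a user's ICMP through:
# a setuid-root ping creates its socket as uid 0, so the owner match sees
# root, not the calling user.
set -eu

# Print every regular file under directory $1 with the set-user-ID bit
# (mode 4000), one path per line, sorted. -perm -4000 is POSIX find.
list_setuid() {
    dir=$1
    find "$dir" -type f -perm -4000 2>/dev/null | sort
}

# Exit status 0 if $1 has the set-user-ID bit set (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# Emit (do not apply) the two OUTPUT-chain rules quoted in the thread,
# with the interface name taken from $1. Without "-p" the rules cover
# every protocol, ICMP included, exactly as the thread notes.
owner_rules() {
    iface=$1
    printf 'iptables -A OUTPUT -o %s -m owner --uid-owner 0 -j ACCEPT\n' "$iface"
    printf 'iptables -A OUTPUT -o %s -j DROP\n' "$iface"
}

# Usage: sh owner_check.sh --demo
# Reports setuid executables in the usual binary directories (a setuid
# /bin/ping would appear here) and prints the rules for eth1.
if [ "${1:-}" = "--demo" ]; then
    for d in /bin /usr/bin /sbin /usr/sbin; do
        [ -d "$d" ] && list_setuid "$d"
    done
    owner_rules eth1
fi
```

If ping on the host is not setuid but carries the `cap_net_raw` file capability instead (visible with `getcap`), it runs with the caller's uid, the socket is owned by that user, and the quoted rules do drop its packets; it is specifically the setuid case that defeats the owner match. Alexander's objection still applies either way: the owner match decides per socket credential, not per ICMP type, so a blanket DROP also discards the error and path-MTU messages the host needs.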