[CentOS] IPtables block user from outbound ICMP

Wed Feb 24 18:42:29 UTC 2016
Alexander Dalloz <ad+lists at uni-x.org>

Am 24.02.2016 um 15:42 schrieb John Cenile:
> Hello,
> Is it possible at all to block all users other than root from sending
> outbound ICMP packets on an interface?
> At the moment we have the following two rules in our IPtables config:
> iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
> iptables -A OUTPUT -o eth1 -j DROP
> But this still allows ICMP for some reason (but *does* block other TCP/UDP
> packets, which is what we want, as well as ICMP).
> Thanks.

What do you want to achieve by not allowing outbound ICMP traffic?

Are you aware that ICMP has a larger set of different types, several of 
them required for a functional network.