[CentOS] IPtables block user from outbound ICMP

Gordon Messmer gordon.messmer at gmail.com
Wed Feb 24 17:20:42 UTC 2016


On 02/24/2016 06:42 AM, John Cenile wrote:
> Is it possible at all to block all users other than root from sending
> outbound ICMP packets on an interface?

That is, more or less, the default.  In order to send ICMP packets, an 
application must be root, or must have the CAP_NET_RAW capability (as 
root does).  /usr/bin/ping and ping6 have that capability set, stored in 
the filesystem.  Use "getcap /usr/bin/ping" to view it, or use "setcap 
-r" to remove them.

If you don't grant that capability to any binaries, and don't give users 
sudo or other "root" access, they won't be able to send ICMP packets.
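The check that follows is an added example, not part of Gordon's reply or of any CentOS package: a small POSIX shell audit that lists which installed binaries carry cap_net_raw in their file capabilities (the mechanism the reply describes) and which are setuid root, so you can decide what to strip with "setcap -r". The search paths, the constructed getcap sample used when getcap is not installed, and the extra net.ipv4.ping_group_range check (a kernel setting the reply does not mention, which lets listed groups send ICMP echo without cap_net_raw) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit who can send raw ICMP.
# Assumed search paths; adjust for your layout.
SEARCH_DIRS="/usr/bin /usr/sbin /bin /sbin"

# Read "getcap -r" output on stdin and print the path of every binary whose
# file capabilities include cap_net_raw.  Both libcap output styles are
# accepted:
#   /usr/bin/ping = cap_net_admin,cap_net_raw+p    (older libcap, e.g. CentOS 7)
#   /usr/bin/ping cap_net_admin,cap_net_raw=p      (libcap 2.41 and later)
raw_icmp_binaries() {
    grep -E '(^|[ ,=])cap_net_raw([,+=]|$)' | awk '{ print $1 }'
}

# Given the contents of /proc/sys/net/ipv4/ping_group_range ("low high"),
# return 0 when the range is enabled, i.e. any gid in low..high may open an
# ICMP datagram socket without cap_net_raw.  The kernel default "1 0" is
# disabled.  This check is an assumption added here; it is not in the post.
ping_group_range_open() {
    set -- $1
    [ "$1" -le "$2" ]
}

# Constructed sample getcap output, not captured from a real host.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/ping6 = cap_net_admin,cap_net_raw+p
/usr/bin/newuidmap cap_setuid=ep
/usr/sbin/arping cap_net_raw=ep'

echo "== binaries with cap_net_raw (constructed sample) =="
printf '%s\n' "$SAMPLE_GETCAP" | raw_icmp_binaries

if command -v getcap >/dev/null 2>&1; then
    echo "== binaries with cap_net_raw on this host =="
    # To strip the capability from one of these: setcap -r /usr/bin/ping
    getcap -r $SEARCH_DIRS 2>/dev/null | raw_icmp_binaries
fi

echo "== setuid-root binaries (root can always open raw sockets) =="
find $SEARCH_DIRS -xdev -perm -4000 -user root 2>/dev/null

if [ -r /proc/sys/net/ipv4/ping_group_range ] &&
   ping_group_range_open "$(cat /proc/sys/net/ipv4/ping_group_range)"; then
    echo "note: net.ipv4.ping_group_range is enabled; gids in that range can"
    echo "      send ICMP echo without cap_net_raw"
fi
```

Run it as root so find and getcap can read every directory; on the sample input it reports ping, ping6 and arping and ignores newuidmap, which has cap_setuid but no cap_net_raw.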
