Hello,

----- Original Message -----
> From: "John Cenile" <jcenile1983@xxxxxxxxx>
> To: "centos" <centos@xxxxxxxxxx>
> Sent: Wednesday 24 February 2016 15:42:36
> Subject: IPtables block user from outbound ICMP
>
> Is it possible at all to block all users other than root from sending
> outbound ICMP packets on an interface?
>
> At the moment we have the following two rules in our IPtables config:
>
> iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
> iptables -A OUTPUT -o eth1 -j DROP
>
> But this still allows ICMP for some reason (but *does* block other TCP/UDP
> packets, which is what we want, as well as ICMP).

According to the iptables documentation
(http://ipset.netfilter.org/iptables.man.html), not specifying "-p" is
equivalent to specifying "-p all", which matches all protocols, ICMP
included. So these rules are good.

BUT... I suppose /bin/ping has a suid bit set, no?

Sylvain.

Think ENVIRONMENT: print only if necessary
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
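The diagnosis Sylvain suggests can be checked on the box itself. The script below is an added example, not code from the thread or from the CentOS project: it reports whether a ping binary gains its raw-socket privilege through the setuid bit (so the process, and the socket the owner match inspects, runs as uid 0) or through file capabilities (so the socket stays owned by the calling user and the DROP rule applies). The path /bin/ping and the PING_BIN variable are assumptions; the test file it creates for itself is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Determine how a ping binary gets
# its privilege, which decides whether "-m owner --uid-owner 0" will
# treat its packets as root's.

# Returns 0 if the file has the setuid mode bit set.
is_setuid() {
    [ -u "$1" ]
}

# Returns 0 if the file carries file capabilities (getcap prints a line).
# If getcap is not installed, report "no capabilities" rather than fail.
has_file_caps() {
    command -v getcap >/dev/null 2>&1 || return 1
    [ -n "$(getcap "$1" 2>/dev/null)" ]
}

# Prints one of: setuid, capabilities, plain.
#   setuid       -> process runs with euid 0; owner match sees uid 0 (ACCEPT)
#   capabilities -> process keeps the caller's uid; owner match does not
#                   match uid 0, so the final DROP rule applies
#   plain        -> no privilege; ping will need another mechanism
ping_privilege_mode() {
    if is_setuid "$1"; then
        echo setuid
    elif has_file_caps "$1"; then
        echo capabilities
    else
        echo plain
    fi
}

# Usage: inspect the system's ping binary (path is an assumption).
PING_BIN="${PING_BIN:-/bin/ping}"
printf '%s runs with: %s\n' "$PING_BIN" "$(ping_privilege_mode "$PING_BIN")"
```

If the result is "setuid", the two rules in the question behave exactly as the iptables manual says: ping's socket is created under effective uid 0, the ACCEPT rule matches it, and ICMP from any user leaves eth1. Note that `[ -u ]` only tests the mode bit; a filesystem mounted with nosuid stores the bit but ignores it, and that case is not detected here.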