Re: IPtables block user from outbound ICMP




On 24.02.2016 at 16:07, Sylvain CANOINE wrote:
Hello,

----- Original message -----
From: "John Cenile" <jcenile1983@xxxxxxxxx>
To: "centos" <centos@xxxxxxxxxx>
Sent: Wednesday 24 February 2016 15:42:36
Subject: IPtables block user from outbound ICMP

Is it possible at all to block all users other than root from sending
outbound ICMP packets on an interface?

At the moment we have the following two rules in our IPtables config:

iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j DROP

But this still allows ICMP for some reason (but *does* block other TCP/UDP
packets, which is what we want, as well as ICMP).
According to the iptables documentation (http://ipset.netfilter.org/iptables.man.html), not specifying "-p" is equivalent to specifying "-p all", which matches all protocols, ICMP included. So these rules are good. BUT... I suppose /bin/ping has the suid bit set, no?

Sylvain.
Think of the ENVIRONMENT: print only if necessary

Blocking the complete ICMP protocol is stupid and should not be recommended.

ICMP echo request and echo reply are just 2 types of a bigger set of necessary ICMP types. It is safe to block those 2, while that does not really serve a purpose. A system not replying to ICMP echo requests does not hide it from others.

Alexander


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
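The thread leaves two things for the reader to verify: Sylvain's suspicion that a setuid-root ping explains why the `--uid-owner 0` rule lets non-root ICMP through, and Alexander's warning that the two quoted rules drop more ICMP than intended. The script below is an added example written for this page, not code posted by anyone in the thread. It audits the ping binaries for the setuid bit and for file capabilities, and prints a rule set that keeps the original owner-based policy while letting the ICMP error types through. The binary paths, the interface name `eth1` (taken from the quoted rules) and the choice of ICMP types are assumptions; `stat -c` is GNU coreutils syntax.

```shell
#!/bin/sh
# Added example, not from the thread. Why the setuid bit matters: the iptables
# owner match checks the uid that owns the *socket* a packet was sent from. A
# setuid-root ping creates its raw socket as uid 0, so its echo requests match
# "-m owner --uid-owner 0 -j ACCEPT" no matter which user typed the command.
# A ping that relies on file capabilities (cap_net_raw) instead keeps the
# caller's uid on the socket, so the same packets would fall through to DROP.

# Classify one executable. Prints exactly one word:
#   setuid-root  : setuid bit set and owner uid 0 (packets will be owned by root)
#   setuid-other : setuid bit set but the owner is not root
#   not-setuid   : no setuid bit; inspect file capabilities instead
#   missing      : path does not exist
classify_setuid() {
    path=$1
    [ -e "$path" ] || { echo missing; return 0; }
    mode=$(stat -c '%A' "$path")    # symbolic mode, e.g. -rwsr-xr-x
    owner=$(stat -c '%u' "$path")   # numeric owner uid
    case "$mode" in
        ???[sS]*)                    # 4th character is the user-execute slot
            if [ "$owner" = "0" ]; then echo setuid-root; else echo setuid-other; fi ;;
        *)  echo not-setuid ;;
    esac
}

# Report file capabilities when getcap is available; degrade gracefully otherwise.
report_caps() {
    path=$1
    if command -v getcap >/dev/null 2>&1; then
        getcap "$path" 2>/dev/null || echo "no file capabilities on $path"
    else
        echo "getcap not installed; cannot inspect file capabilities of $path"
    fi
}

# Walk the usual ping locations (assumed paths) and print a verdict for each.
audit_ping() {
    for p in /bin/ping /usr/bin/ping /bin/ping6 /usr/bin/ping6; do
        [ -e "$p" ] || continue
        printf '%s: %s\n' "$p" "$(classify_setuid "$p")"
        report_caps "$p"
    done
}

# Rule set following Alexander's advice. The quoted pair accepts root-owned
# packets and drops everything else, but kernel-generated ICMP errors
# (destination-unreachable, time-exceeded, parameter-problem) have no owning
# socket at all, so "--uid-owner 0" does not match them and the original rules
# silently drop them. Accepting those types before the owner test keeps path
# MTU discovery and error reporting working. Only printed here, never applied.
suggested_rules() {
    iface=${1:-eth1}
    cat <<EOF
iptables -A OUTPUT -o $iface -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -o $iface -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A OUTPUT -o $iface -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -o $iface -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -o $iface -j DROP
EOF
}

audit_ping
echo "--- suggested OUTPUT rules (review before applying) ---"
suggested_rules eth1
```

Run it as an ordinary user on the host in question: a `setuid-root` verdict confirms Sylvain's explanation for why user ICMP slips past the owner rule, while `not-setuid` plus a `cap_net_raw` capability means the owner match is seeing the real uid and the cause lies elsewhere. The printed rules are a starting point to compare against the running chain, not something to paste blindly.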



