On Mon, 5 Jul 2004 10:34:16 -0400, Alistair Tonner <Alistair@xxxxxxxxxx> wrote:
On July 5, 2004 12:29 am, Michael Frank wrote:
On Sun, 04 Jul 2004 16:59:04 +0200, Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx> wrote:
> Le dim 04/07/2004 à 15:16, Michael Frank a écrit :
>> Would like to block ports depending on the group in use
>
> See owner match :
>
> cbr@anduril:~$ iptables -m owner --help
> iptables v1.2.11
> [...]
> OWNER match v1.2.11 options:
> [!] --uid-owner userid Match local uid
> [!] --gid-owner groupid Match local gid
> [!] --pid-owner processid Match local pid
> [!] --sid-owner sessionid Match local sid
> [!] --cmd-owner name Match local command name
>
> --gid-owner seems to satisfy your needs.
Thank you for the pointer. This works very well.
I think there is a problem though wrt ICMP requests. The following
rule allows _everyone_ to ping, but I would expect only root to be able to.
ACCEPT all -- anywhere anywhere OWNER UID match root
This rule has no effect on ICMP: I am mhf and can't ping.
ACCEPT all -- anywhere anywhere OWNER UID match mhf
This is with vanilla kernel 2.4.24. Any known issue here?
I would suggest that in all likelihood your ping/traceroute are setuid root.
*grin*
ping must be root or suid root; the packet count of "UID match root"
increases with ping, and nmap does work non-root.
Thank you :)
Michael
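A worked example added to this thread, not code posted by any of the participants: it prints the kind of --gid-owner OUTPUT rules Cedric's pointer leads to, and it classifies a binary the way Alistair's diagnosis requires, so you can see why a setuid-root ping is counted under the "UID match root" rule rather than under mhf's. The group name `users`, the ports, and the function names are assumptions made for the illustration; the owner match is assumed to be the iptables 1.2.x one from the thread, which is only valid in the OUTPUT chain because the owning socket is known only for locally generated packets.

```shell
#!/bin/sh
# Added example for the thread above; not the posters' own code.
# Assumes the iptables 1.2.x owner match (OUTPUT chain only).

# Print, without running, the OUTPUT rules that stop members of GROUP from
# opening TCP connections to the listed ports.
# usage: gid_block_rules GROUP PORT...
gid_block_rules() {
    grp="$1"
    shift
    for port in "$@"; do
        printf 'iptables -A OUTPUT -p tcp --dport %s -m owner --gid-owner %s -j REJECT\n' \
            "$port" "$grp"
    done
}

# A setuid-root program runs with euid 0 whoever started it, so the sockets
# it creates are owned by root: "--uid-owner root" matches its packets and
# a rule for the invoking user's uid never sees them.
# Prints one of: setuid-root, setuid-other, plain
suid_class() {
    f="$1"
    if [ -u "$f" ]; then
        # GNU stat first, BSD stat as fallback
        owner=$(stat -c %u "$f" 2>/dev/null || stat -f %u "$f")
        if [ "$owner" = 0 ]; then
            echo setuid-root
        else
            echo setuid-other
        fi
    else
        echo plain
    fi
}

# Usage: report how the local ping binary is classified (paths are guesses),
# then show the rules for a hypothetical group "users" and ports 25 and 110.
for b in /bin/ping /sbin/ping /usr/bin/ping; do
    if [ -x "$b" ]; then
        echo "$b: $(suid_class "$b")"
    fi
done
gid_block_rules users 25 110
```

On current distributions ping often carries the cap_net_raw file capability instead of the setuid bit; the script then reports `plain`, and since the process uid is unchanged in that case, the packets are owned by the invoking user and a per-user OUTPUT rule does apply to them.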