Possible bug in iptables : -m --uid-owner not working with ping

Hi all,
Is it possible that owner matching does not work correctly?
I tried blocking internet access to one user, but found out he can still use ping. Please see below (I removed some lines from the ping output for clarity; also, there are no other rules in iptables):

matjaz@laptop:~$ iptables --version
iptables v1.4.16.3
matjaz@laptop:~$ sudo iptables -F -t nat ; sudo iptables -F
matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=46.9 ms
# ok, works
matjaz@laptop:~$ id nonet
uid=1002(nonet) gid=1003(nonet) groups=1003(nonet)
matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -m owner --uid-owner 1002 -j REJECT
matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=46.7 ms
# not ok, still works
matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -j REJECT
matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
ping: sendmsg: Operation not permitted

My machine :
matjaz@laptop:~$ cat /etc/issue
Ubuntu 12.04.1 LTS \n \l
matjaz@laptop:~$ uname -a
Linux laptop 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:33:09 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

I installed the latest version of iptables from source (this didn't work even with the Ubuntu-supplied version) and rebooted before testing. I didn't uninstall the previous version before installation.

Also: the -m owner --uid-owner match seems to work on other protocols.

Oddly enough, using the group id instead seems to work:
matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=47.6 ms
--- 173.194.35.145 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 46.284/46.994/47.659/0.615 ms
matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -m owner --gid-owner 1003 -j REJECT
matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
From 192.168.2.151 icmp_seq=1 Destination Port Unreachable
--- 173.194.35.145 ping statistics ---
0 packets transmitted, 0 received, +3 errors
matjaz@laptop:~$ ping -c 3 173.194.35.145
PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=47.3 ms
--- 173.194.35.145 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 46.645/46.933/47.373/0.402 ms

Is this expected behaviour?
Best regards,
Matjaž Berčič
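An added diagnostic, not part of the original message, for the check a practitioner would make before filing this as an owner-match bug: whether the ping binary is setuid root. The owner match inspects the credentials of the process that created the socket, and a setuid-root binary opens its raw socket with effective uid 0 while its effective gid stays the caller's, which would give exactly the pattern reported above (--uid-owner misses, --gid-owner hits). The script assumes GNU stat (Linux); the /bin/ping path and uid 1002 in the usage line are taken from the message, the function names are my own, and getcap is consulted only if it is installed.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): explain why an OUTPUT rule with
# "-m owner --uid-owner <uid>" may never see the invoking user's uid.

# privilege_mode PATH
#   Prints one of: setuid, setgid, setuid+setgid, caps, none, missing.
#   "caps" means the file carries Linux file capabilities (e.g. cap_net_raw),
#   which do not change the uid/gid the owner match will see.
privilege_mode() {
    path=$1
    [ -e "$path" ] || { echo "missing"; return 0; }
    mode=none
    if [ -u "$path" ] && [ -g "$path" ]; then
        mode="setuid+setgid"
    elif [ -u "$path" ]; then
        mode=setuid
    elif [ -g "$path" ]; then
        mode=setgid
    elif command -v getcap >/dev/null 2>&1 && [ -n "$(getcap "$path" 2>/dev/null)" ]; then
        mode=caps
    fi
    echo "$mode"
}

# expected_socket_uid PATH CALLER_UID
#   Prints the uid the owner match will see on sockets PATH creates when run by
#   CALLER_UID: the file owner's uid for a setuid binary (the socket is created
#   before privileges are dropped), otherwise the caller's own uid.
#   Assumes GNU stat (Linux).
expected_socket_uid() {
    path=$1
    caller_uid=$2
    if [ -u "$path" ]; then
        stat -c %u "$path"
    else
        echo "$caller_uid"
    fi
}

# Usage (path and uid from the message above): sh owner_check.sh /bin/ping 1002
if [ $# -ge 1 ]; then
    bin=$1
    caller=${2:-$(id -u)}
    echo "$bin: $(privilege_mode "$bin")"
    echo "uid seen by -m owner for sockets opened by $bin when run as uid $caller: $(expected_socket_uid "$bin" "$caller")"
fi
```

If the first line reports setuid and the second line prints 0 for the user you are trying to block, the uid rule is matching the wrong uid by design, and a --gid-owner rule (as in the message) or a rule matched before privileges matter is the practical workaround.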

