Re: Possible bug in iptables : -m --uid-owner not working with ping

Hi,

On Monday, 22 October 2012 at 16:38 +0200, matjaž wrote:
> Hi all,
> Is it possible that owner matching does not work correctly ?
> I tried blocking internet access to one user, but found out he can still 
> use ping.
> Please see below: (I removed some lines from ping output for clarity - 
> also there are no other rules in iptables)
> 
> matjaz@laptop:~$ iptables --version
> iptables v1.4.16.3
> matjaz@laptop:~$ sudo iptables -F -t nat ; sudo iptables -F
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=46.9 ms
> # ok, works
> matjaz@laptop:~$ id nonet
> uid=1002(nonet) gid=1003(nonet) groups=1003(nonet)
> matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -m owner --uid-owner 
> 1002 -j REJECT
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=46.7 ms
> # not ok, still works
> matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -j REJECT
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> ping: sendmsg: Operation not permitted

There is one command missing in your list of commands ;)

 $ ls -l $(which ping)
 -rwsr-xr-x 1 root root 34780 oct.   3 00:26 /bin/ping

ping is setuid because it sends low-level packets, so the uid seen by
the system is root.

BR,

> My machine :
> matjaz@laptop:~$ cat /etc/issue
> Ubuntu 12.04.1 LTS \n \l
> matjaz@laptop:~$ uname -a
> Linux laptop 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:33:09 UTC 
> 2012 x86_64 x86_64 x86_64 GNU/Linux
> 
> I installed the latest version of iptables (this didn't work even with 
> the ubuntu supplied version) from source and rebooted before testing. I 
> didn't uninstall the previous version before installation.
> 
> Also : the -match --uid-owner seems to work on other protocols.
> 
> Oddly enough, using group id instead seems to work :
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=47.6 ms
> --- 173.194.35.145 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2002ms
> rtt min/avg/max/mdev = 46.284/46.994/47.659/0.615 ms
> matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -m owner --gid-owner 
> 1003 -j REJECT
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> From 192.168.2.151 icmp_seq=1 Destination Port Unreachable
> --- 173.194.35.145 ping statistics ---
> 0 packets transmitted, 0 received, +3 errors
> matjaz@laptop:~$ ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=47.3 ms
> --- 173.194.35.145 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2003ms
> rtt min/avg/max/mdev = 46.645/46.933/47.373/0.402 ms
> 
> Is this expected behaviour ?
> Best regards,
> Matjaž Berčič
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


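The following is an added example, not code from either message in this thread. It turns the reply's explanation into a check you can run before writing an owner-match rule: the owner match compares against the credentials of the process that created the socket, so a setuid-root binary such as the /bin/ping shown above presents uid 0 to `--uid-owner`, while its gid is untouched unless the binary is also setgid, which is why the `--gid-owner 1003` rule in the original post did match. The function below reads the mode bits of a binary with GNU `stat(1)` (assumed available), predicts the "uid gid" pair the socket will carry for a given invoking uid/gid, and picks the owner-match fragment that will actually hit. The binaries it inspects are empty files created in a temporary directory purely to demonstrate the two cases; the uid/gid 1002/1003 are taken from the thread. One caveat the thread does not cover, stated as an assumption of this code: a ping installed with file capabilities (cap_net_raw) instead of the setuid bit keeps the caller's uid, and the check below does not look at capabilities.

```shell
#!/bin/sh
# Added example (not from the original thread). Predict which identity
# iptables' owner match will see for a socket opened by BIN when run by
# UID/GID. Assumes GNU stat(1); ignores file capabilities (assumption).

socket_owner() {
    bin=$1 u=$2 g=$3
    # octal mode, file owner uid, file owner gid, e.g. "4755 0 0" for a
    # setuid-root ping like the one in the thread
    set -- $(stat -c '%a %u %g' "$bin")
    mode=$1 fuid=$2 fgid=$3
    # a four-digit mode carries setuid (4) / setgid (2) in its first digit
    special=0
    [ ${#mode} -eq 4 ] && special=${mode%???}
    [ $((special & 4)) -ne 0 ] && u=$fuid   # setuid: euid becomes file owner
    [ $((special & 2)) -ne 0 ] && g=$fgid   # setgid: egid becomes file group
    echo "$u $g"
}

# Emit the owner-match fragment that will hit traffic from BIN run by
# UID/GID: --uid-owner when the uid survives exec, otherwise --gid-owner,
# which survives a setuid (but not setgid) binary.
owner_match() {
    bin=$1 uid=$2 gid=$3
    set -- $(socket_owner "$bin" "$uid" "$gid")
    if [ "$1" = "$uid" ]; then
        echo "-m owner --uid-owner $uid"
    elif [ "$2" = "$gid" ]; then
        echo "-m owner --gid-owner $gid"
    else
        echo "no owner match possible: socket carries $1:$2"
        return 1
    fi
}

# Demonstration on constructed files: one setuid like /bin/ping in the
# thread, one ordinary binary. Both are empty placeholders, not real tools.
demo() {
    dir=$(mktemp -d)
    : > "$dir/ping"; chmod 4755 "$dir/ping"
    : > "$dir/curl"; chmod 755  "$dir/curl"
    echo "ping (setuid): $(owner_match "$dir/ping" 1002 1003)"
    echo "curl (plain) : $(owner_match "$dir/curl" 1002 1003)"
    rm -rf "$dir"
}
demo
```

Run it against the real binary with `owner_match "$(which ping)" "$(id -u nonet)" "$(id -g nonet)"` to get the fragment for the user you want to restrict; if it returns `--gid-owner`, the `-p icmp -m owner --gid-owner 1003 -j REJECT` rule from the thread is the one that works, and the gid test only holds while `nonet` has no other group that can run the same binary.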

