Hello,

Is it possible at all to block all users other than root from sending outbound ICMP packets on an interface?

At the moment we have the following two rules in our IPtables config:

iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j DROP

But this still allows ICMP for some reason (but *does* block other TCP/UDP packets, which is what we want, as well as ICMP).

Thanks.
Hello,

----- Original message -----
> From: "John Cenile" <jcenile1983 at gmail.com>
> To: "centos" <centos at centos.org>
> Sent: Wednesday 24 February 2016 15:42:36
> Subject: [CentOS] IPtables block user from outbound ICMP

> Is it possible at all to block all users other than root from sending
> outbound ICMP packets on an interface?
>
> At the moment we have the following two rules in our IPtables config:
>
> iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
> iptables -A OUTPUT -o eth1 -j DROP
>
> But this still allows ICMP for some reason (but *does* block other TCP/UDP
> packets, which is what we want, as well as ICMP).

According to the iptables documentation (http://ipset.netfilter.org/iptables.man.html), not specifying "-p" is equivalent to specifying "-p all", which matches all protocols, ICMP included. So these rules are good. BUT... I suppose /bin/ping has the suid bit set, no?

Sylvain.
Think ENVIRONMENT: print only if necessary
On 02/24/2016 06:42 AM, John Cenile wrote:
> Is it possible at all to block all users other than root from sending
> outbound ICMP packets on an interface?

That is, more or less, the default. In order to send ICMP packets, an application must be root, or must have the CAP_NET_RAW capability (as root does). /usr/bin/ping and ping6 have that capability set, stored in the filesystem. Use "getcap /usr/bin/ping" to view it, or use "setcap -r" to remove them. If you don't grant that capability to any binaries, and don't give users sudo or other "root" access, they won't be able to send ICMP packets.
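Sylvain's suid guess and the getcap/setcap advice above point at the same check: before touching the OUTPUT chain, list the executables that let a non-root user originate ICMP anyway, i.e. setuid-root binaries and files carrying a cap_net_raw file capability. The script below is an added example written for this thread, not code from any of the posters or from CentOS. It assumes a POSIX shell with find, and getcap from libcap if installed; the directory list in the usage comment and the file names in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list executables that can originate
# raw/ICMP packets on behalf of a non-root user, which is what makes an
# "owner --uid-owner 0" rule look like it lets ICMP through.
# Assumes find(1) and, optionally, getcap(8) from libcap.

# has_setuid_bit FILE: succeeds when the setuid bit is set on FILE.
has_setuid_bit() {
    [ -u "$1" ]
}

# setuid_files DIR...: regular files below the given directories with
# the setuid bit (mode 4000) set, one path per line.
setuid_files() {
    find "$@" -type f -perm -4000 2>/dev/null | sort
}

# net_raw_cap_files DIR...: files whose file capabilities include
# cap_net_raw. Prints nothing when getcap is not installed. Works with
# both the old "path = caps" and the newer "path caps" getcap formats,
# because the path is always the first whitespace-separated field.
net_raw_cap_files() {
    command -v getcap >/dev/null 2>&1 || return 0
    getcap -r "$@" 2>/dev/null | grep -i 'cap_net_raw' | cut -d' ' -f1 | sort
}

# audit_icmp_capable DIR...: one finding per line, "setuid PATH" or
# "cap PATH". Either kind can send ICMP regardless of who invoked it;
# "setcap -r PATH" or "chmod u-s PATH" removes the privilege.
audit_icmp_capable() {
    setuid_files "$@" | sed 's/^/setuid /'
    net_raw_cap_files "$@" | sed 's/^/cap /'
}

# Usage on a real system (run as root so every directory is readable;
# the directory list is an assumption, adjust to the distribution):
#   audit_icmp_capable /bin /sbin /usr/bin /usr/sbin /usr/libexec
```

Anything the audit reports that is not on the approved list is a candidate for `setcap -r` (or `chmod u-s`); after that, the two rules from the original post behave as the poster expected, because no non-root process can open the socket in the first place.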
On 24.02.2016 at 16:07, Sylvain CANOINE wrote:
> Hello,
>
> ----- Original message -----
>> From: "John Cenile" <jcenile1983 at gmail.com>
>> To: "centos" <centos at centos.org>
>> Sent: Wednesday 24 February 2016 15:42:36
>> Subject: [CentOS] IPtables block user from outbound ICMP
>
>> Is it possible at all to block all users other than root from sending
>> outbound ICMP packets on an interface?
>>
>> At the moment we have the following two rules in our IPtables config:
>>
>> iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
>> iptables -A OUTPUT -o eth1 -j DROP
>>
>> But this still allows ICMP for some reason (but *does* block other TCP/UDP
>> packets, which is what we want, as well as ICMP).
> According to the iptables documentation (http://ipset.netfilter.org/iptables.man.html), not specifying "-p" is equivalent to specifying "-p all", which matches all protocols, ICMP included. So these rules are good. BUT... I suppose /bin/ping has the suid bit set, no?
>
> Sylvain.
> Think ENVIRONMENT: print only if necessary

Blocking the complete ICMP protocol is stupid and should not be recommended. ICMP echo request and echo reply are just 2 types of a bigger set of necessary ICMP types. It is safe to block those 2, while that does not really serve a purpose. A system not replying to ICMP echo request does not hide it from others.

Alexander
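Putting the thread's points together gives a tighter OUTPUT policy than the two rules in the original post: root keeps full access through the owner match; non-root echo-request is logged and dropped; and the ICMP error types the kernel itself emits (destination-unreachable, time-exceeded, parameter-problem) are accepted explicitly, because they have no owning socket and therefore never match `--uid-owner 0`, so the original blanket DROP would silently discard them. The script below is an added example, not a ruleset from any poster or from CentOS. The interface name, the log prefix, the rate limit and the choice of which error types to allow are assumptions for illustration; the list of allowed types is deliberately minimal and may need extending for a given network.

```shell
#!/bin/sh
# Added example (not from the thread): tightened OUTPUT policy in
# iptables-restore syntax. Interface, log prefix and limit are assumptions.
# Run iptables -p icmp -h to see the --icmp-type names accepted locally.

# render_icmp_policy IFACE: print the filter-table rules for IFACE.
render_icmp_policy() {
    iface=${1:-eth1}
    cat <<EOF
*filter
# root may send anything out of ${iface}; -p is omitted, so this is -p all
-A OUTPUT -o ${iface} -m owner --uid-owner 0 -j ACCEPT
# ICMP errors generated by the kernel carry no socket owner and would
# otherwise hit the final DROP; keep them so path MTU discovery and
# traceroute replies keep working
-A OUTPUT -o ${iface} -p icmp --icmp-type destination-unreachable -j ACCEPT
-A OUTPUT -o ${iface} -p icmp --icmp-type time-exceeded -j ACCEPT
-A OUTPUT -o ${iface} -p icmp --icmp-type parameter-problem -j ACCEPT
# non-root echo-request: log (rate limited) so the setuid or
# cap_net_raw binary responsible can be identified, then fall through
-A OUTPUT -o ${iface} -p icmp --icmp-type echo-request -m limit --limit 5/min -j LOG --log-prefix "nonroot-icmp-echo: "
# everything else from non-root users, ICMP included, is dropped
-A OUTPUT -o ${iface} -j DROP
COMMIT
EOF
}

# rule_count IFACE: number of -A lines rendered (sanity check that needs
# no iptables binary).
rule_count() {
    render_icmp_policy "$1" | grep -c '^-A '
}

# apply_icmp_policy IFACE: append the rules to the live filter table
# without flushing existing rules (-n / --noflush). Needs root and
# iptables-restore; use "iptables-restore -t" first where available
# to syntax-check the rendered rules.
apply_icmp_policy() {
    render_icmp_policy "$1" | iptables-restore -n
}
```

Order matters: the owner ACCEPT must come first so root traffic never reaches the LOG and DROP rules, and the error-type ACCEPTs must precede the final DROP. The LOG rule does not terminate processing, so the following DROP still discards the packet.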
On 24.02.2016 at 15:42, John Cenile wrote:
> Hello,
>
> Is it possible at all to block all users other than root from sending
> outbound ICMP packets on an interface?
>
> At the moment we have the following two rules in our IPtables config:
>
> iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
> iptables -A OUTPUT -o eth1 -j DROP
>
> But this still allows ICMP for some reason (but *does* block other TCP/UDP
> packets, which is what we want, as well as ICMP).
>
> Thanks.

What do you want to achieve by not allowing outbound ICMP traffic? Are you aware that ICMP has a larger set of different types, several of them required for a functional network?

Alexander