Am 24.02.2016 um 16:07 schrieb Sylvain CANOINE:> Hello, > > ----- Mail original ----- >> De: "John Cenile" <jcenile1983 at gmail.com> >> ?: "centos" <centos at centos.org> >> Envoy?: Mercredi 24 F?vrier 2016 15:42:36 >> Objet: [CentOS] IPtables block user from outbound ICMP > >> Is it possible at all to block all users other than root from sending >> outbound ICMP packets on an interface? >> >> At the moment we have the following two rules in our IPtables config: >> >> iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT >> iptables -A OUTPUT -o eth1 -j DROP >> >> But this still allows ICMP for some reason (but *does* block other TCP/UDP >> packets, which is what we want, as well as ICMP). > According to the iptables documentation (http://ipset.netfilter.org/iptables.man.html), not specifying "-p" is equivalent to specifying "-p all", which matches with all protocols, icmp included. So these rules are good. BUT... I suppose /bin/ping has a suid bit set, no ? > > Sylvain. > Pensez ENVIRONNEMENT : n'imprimer que si ncessaireBlocking the complete ICMP protocol is stupid and should not be recommended. ICMP echo request and echo reply are just 2 types of a bigger set of necessary ICMP types. It is safe to block those 2 while that does not really serve a purpose. A system not replying on ICMP echo request does not hide it from others. Alexander
On Wed, February 24, 2016 12:25 pm, Alexander Dalloz wrote:> Am 24.02.2016 um 16:07 schrieb Sylvain CANOINE: >> Hello, >> ----- Mail original ----- >>> De: "John Cenile" <jcenile1983 at gmail.com> >>> ??: "centos" <centos at centos.org> >>> Envoy??: Mercredi 24 F??vrier 2016 15:42:36 >>> Objet: [CentOS] IPtables block user from outbound ICMP >>> Is it possible at all to block all users other than root from sendingoutbound ICMP packets on an interface?>>> At the moment we have the following two rules in our IPtables config:iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT>>> iptables -A OUTPUT -o eth1 -j DROP >>> But this still allows ICMP for some reason (but *does* block otherTCP/UDP>>> packets, which is what we want, as well as ICMP). >> According to the iptables documentation >> (http://ipset.netfilter.org/iptables.man.html), not specifying "-p" isequivalent to specifying "-p all", which matches with all protocols, icmp included. So these rules are good. BUT... I suppose /bin/ping has a>> suid bit set, no ? >> Sylvain. >> Pensez ENVIRONNEMENT : n'imprimer que si ncessaire > > Blocking the complete ICMP protocol is stupid and should not be > recommended. > > ICMP echo request and echo reply are just 2 types of a bigger set ofnecessary ICMP types. It is safe to block those 2 while that does not really serve a purpose. A system not replying on ICMP echo request does not hide it from others. Indeed. Not replying ping is rather Windows-ish behavior (still standard Windows behavior out of box. They still must have rather low opinion about their own programmers I guess and still are scared of [in]famous "ping of death"). If one doesn't trust local users to the extent one doesn't allow them to send outbound pings, then one has rather large restriction imposing on users work to do IMHO. I do have some boxes like that, and on these boxes I indeed have rather restricted set of tools/commands accessible for users. In addition, users though can build or download stuff, they can not execute anything of their own. In other words, all places users can write to are mounted with "nosuid, nosgid, noexec" options, the last one is the one I mean here (do your own thinking why other two are also there). Once that is done, you can remove "others" read and execute bits from ping command (and other commands you don't want the to be able to use). Sending ping in particular requires opening raw socket, which only root (and group wheel) can do, that's why ping command has SGID set. But again, with that level of trust to local users, outbound ping is tiny small thing out of big list one has to do. I found this too tiresome to maintain this as a real host, for this reason when I need something like that (awfully restricted users, still having local access to the system), I just - hm, somebody hopefully will chime in how to do similar thing on Linux; I'm doing this on FreeBSD, and I just start separate jail, specifically configured for users logins and local access to the system (which is not a system, and which contains only tools I want to give users, the services of this same host run in different jails, mostly one service per jail). Hopefully, someone will tell how he/she does similar thing in CentOS. Just my $0.02. Valeri ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Thanks all, that seemed to be the problem (the suid bit). :) On 25 February 2016 at 06:03, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:> On Wed, February 24, 2016 12:25 pm, Alexander Dalloz wrote: > > Am 24.02.2016 um 16:07 schrieb Sylvain CANOINE: > >> Hello, > >> ----- Mail original ----- > >>> De: "John Cenile" <jcenile1983 at gmail.com> > >>> ??: "centos" <centos at centos.org> > >>> Envoy??: Mercredi 24 F??vrier 2016 15:42:36 > >>> Objet: [CentOS] IPtables block user from outbound ICMP > >>> Is it possible at all to block all users other than root from sending > outbound ICMP packets on an interface? > >>> At the moment we have the following two rules in our IPtables config: > iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT > >>> iptables -A OUTPUT -o eth1 -j DROP > >>> But this still allows ICMP for some reason (but *does* block other > TCP/UDP > >>> packets, which is what we want, as well as ICMP). > >> According to the iptables documentation > >> (http://ipset.netfilter.org/iptables.man.html), not specifying "-p" is > equivalent to specifying "-p all", which matches with all protocols, > icmp included. So these rules are good. BUT... I suppose /bin/ping has > a > >> suid bit set, no ? > >> Sylvain. > >> Pensez ENVIRONNEMENT : n'imprimer que si ncessaire > > > > Blocking the complete ICMP protocol is stupid and should not be > > recommended. > > > > ICMP echo request and echo reply are just 2 types of a bigger set of > necessary ICMP types. It is safe to block those 2 while that does not > really serve a purpose. A system not replying on ICMP echo request does > not hide it from others. > > Indeed. Not replying ping is rather Windows-ish behavior (still standard > Windows behavior out of box. They still must have rather low opinion about > their own programmers I guess and still are scared of [in]famous "ping of > death"). > > If one doesn't trust local users to the extent one doesn't allow them to > send outbound pings, then one has rather large restriction imposing on > users work to do IMHO. I do have some boxes like that, and on these boxes > I indeed have rather restricted set of tools/commands accessible for > users. In addition, users though can build or download stuff, they can not > execute anything of their own. In other words, all places users can write > to are mounted with "nosuid, nosgid, noexec" options, the last one is the > one I mean here (do your own thinking why other two are also there). Once > that is done, you can remove "others" read and execute bits from ping > command (and other commands you don't want the to be able to use). Sending > ping in particular requires opening raw socket, which only root (and group > wheel) can do, that's why ping command has SGID set. But again, with that > level of trust to local users, outbound ping is tiny small thing out of > big list one has to do. I found this too tiresome to maintain this as a > real host, for this reason when I need something like that (awfully > restricted users, still having local access to the system), I just - hm, > somebody hopefully will chime in how to do similar thing on Linux; I'm > doing this on FreeBSD, and I just start separate jail, specifically > configured for users logins and local access to the system (which is not a > system, and which contains only tools I want to give users, the services > of this same host run in different jails, mostly one service per jail). > Hopefully, someone will tell how he/she does similar thing in CentOS. > > Just my $0.02. > > Valeri > > ++++++++++++++++++++++++++++++++++++++++ > Valeri Galtsev > Sr System Administrator > Department of Astronomy and Astrophysics > Kavli Institute for Cosmological Physics > University of Chicago > Phone: 773-702-4247 > ++++++++++++++++++++++++++++++++++++++++ > > > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos >