IPtables Block User From Outbound ICMP


Hello,

Is it possible at all to block all users other than root from sending outbound ICMP packets on an interface?

At the moment we have the following two rules in our IPtables config:

iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j DROP

But this still allows ICMP for some reason (but *does* block other TCP/UDP packets, which is what we want, as well as ICMP).

Thanks.

8 thoughts on - IPtables Block User From Outbound ICMP

  • Hello,

    According to the iptables documentation (http://ipset.netfilter.org/iptables.man.html), not specifying “-p” is equivalent to specifying “-p all”, which matches all protocols, icmp included. So these rules are good. BUT… I suppose /bin/ping has a suid bit set, no?

    Sylvain. Think ENVIRONMENT: print only if necessary.

  • That is, more or less, the default. In order to send ICMP packets, an application must be root, or must have the CAP_NET_RAW capability (as root does). /usr/bin/ping and ping6 have that capability set, stored in the filesystem. Use “getcap /usr/bin/ping” to view it, or use “setcap -r” to remove them.

    If you don’t grant that capability to any binaries, and don’t give users sudo or other “root” access, they won’t be able to send ICMP packets.
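    A small audit script, added here as an example and not part of the thread, that reports how a binary obtains the privilege to open raw sockets (setuid root, setgid, or a cap_net_raw file capability), which is exactly what lets an unprivileged user's ping slip past an OUTPUT rule that only accepts uid 0. It assumes GNU coreutils stat; getcap from libcap is used only if installed, and the net.ipv4.ping_group_range sysctl is shown because modern kernels can also permit unprivileged ICMP through it.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a binary gets the privilege
# to open raw sockets. Assumes GNU coreutils stat; getcap is optional.
raw_socket_privs() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "missing"
        return 0
    fi
    mode=$(stat -c '%a' "$path")   # octal mode, e.g. 4755 or 755
    uid=$(stat -c '%u' "$path")    # numeric owner uid
    gid=$(stat -c '%g' "$path")    # numeric group id
    case "$mode" in
        # leading digit with the 4 bit set: setuid, runs with the owner's uid
        4???|5???|6???|7???) echo "setuid:$uid"; return 0 ;;
        # leading digit 2 or 3: setgid only (BSD-style sgid ping)
        2???|3???)           echo "setgid:$gid"; return 0 ;;
    esac
    if command -v getcap >/dev/null 2>&1; then
        # getcap prints nothing for a file that carries no capabilities
        case "$(getcap "$path" 2>/dev/null)" in
            *cap_net_raw*) echo "cap:cap_net_raw"; return 0 ;;
        esac
    fi
    echo "none"
}

# Audit the usual ping binaries. "setuid:0" or "cap:cap_net_raw" means any
# local user can emit ICMP regardless of an owner-based iptables rule.
for p in /bin/ping /usr/bin/ping /usr/bin/ping6 /usr/sbin/ping; do
    printf '%s -> %s\n' "$p" "$(raw_socket_privs "$p")"
done

# Kernels since 3.0 can also allow unprivileged ICMP echo via datagram
# sockets; a range like "1 0" means no group is permitted.
if [ -r /proc/sys/net/ipv4/ping_group_range ]; then
    printf 'net.ipv4.ping_group_range = %s\n' "$(cat /proc/sys/net/ipv4/ping_group_range)"
fi
```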

  • On 24.02.2016 at 16:07, Sylvain CANOINE wrote:

    Blocking the complete ICMP protocol is stupid and should not be recommended.

    ICMP echo request and echo reply are just 2 types of a bigger set of necessary ICMP types. It is safe to block those 2 while that does not really serve a purpose. A system not replying on ICMP echo request does not hide it from others.

    Alexander

  • On 24.02.2016 at 15:42, John Cenile wrote:

    What do you want to achieve by not allowing outbound ICMP traffic?

    Are you aware that ICMP has a larger set of different types, several of them required for a functional network.

    Alexander

  • > It is safe to block those 2 while that does not really serve a purpose. A system not replying on ICMP echo request does not hide it from others.

    Indeed. Not replying to ping is rather Windows-ish behavior (still standard Windows behavior out of the box. They must still have a rather low opinion of their own programmers I guess and are still scared of the [in]famous “ping of death”).

    If one doesn’t trust local users to the extent one doesn’t allow them to send outbound pings, then one has rather large restrictions imposed on users' work to do IMHO. I do have some boxes like that, and on these boxes I indeed have a rather restricted set of tools/commands accessible to users. In addition, though users can build or download stuff, they cannot execute anything of their own. In other words, all places users can write to are mounted with “nosuid, nosgid, noexec” options; the last one is the one I mean here (do your own thinking why the other two are also there). Once that is done, you can remove “others” read and execute bits from the ping command (and other commands you don’t want them to be able to use). Sending ping in particular requires opening a raw socket, which only root (and group wheel) can do, that’s why the ping command has SGID set. But again, with that level of trust in local users, outbound ping is a tiny small thing out of the big list one has to do. I found it too tiresome to maintain this as a real host, for this reason when I need something like that (awfully restricted users, still having local access to the system), I just – hm, somebody hopefully will chime in how to do a similar thing on Linux; I’m doing this on FreeBSD, and I just start a separate jail, specifically configured for user logins and local access to the system (which is not a system, and which contains only the tools I want to give users; the services of this same host run in different jails, mostly one service per jail). Hopefully, someone will tell how he/she does a similar thing in CentOS.

    Just my $0.02.

    Valeri


  • Well if you really want to call it a problem… Blocking ICMP via a host based firewall remains pretty silly.

    Bear in mind that since it’s a file permission this will be ‘fixed’ on any update of ping. Not that ping gets many updates but there you go…

    I’m still curious as to why this was a requirement.

  • On all servers I used IPtables to block (DROP) all incoming ICMPs except:-

    type 0 state RELATED,ESTABLISHED
    type 3 state RELATED,ESTABLISHED
    type 8 state NEW,RELATED,ESTABLISHED
    type 11 state RELATED,ESTABLISHED

    All outgoing ICMPs are blocked except for:-

    type 0 state RELATED,ESTABLISHED
    type 8 state NEW,RELATED,ESTABLISHED

    Am I silly too ;-)