I try to block the user sandbox from accessing the network with this command:
$ iptables -A OUTPUT -m owner --uid-owner sandbox -j DROP
However, after that I'm still able to ping an external host:
$ sudo -u sandbox ping 206.190.36.45
PING 206.190.36.45 (206.190.36.45) 56(84) bytes of data.
64 bytes from 206.190.36.45: icmp_req=1 ttl=49 time=802 ms
64 bytes from 206.190.36.45: icmp_req=2 ttl=49 time=791 ms
What am I doing wrong?
Update
My configuration looks like this:
$ /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             owner UID match sandbox
Update
Apparently ping has setuid root set. I just had to remove it:
chmod u-s /bin/ping
If ping is setuid root on your system, it is root which opens the socket from which ping sends its ICMP echo requests. Thus the rule will never match.

(Note that this is true on EL6, Debian squeeze, etc. More recent distributions have removed ping's setuid bit and replaced it with a capability. In these cases, the rule might match.)
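The mechanism in the answer above is that the owner match looks at the effective uid of the process at the moment the socket is created, so a setuid-root ping opens its socket as uid 0 while a capability-only ping keeps the caller's uid. The following script, added here as an illustration and not part of the original question or answers, inspects a binary and predicts whether a --uid-owner rule for the caller could ever see its sockets. It assumes GNU stat and, optionally, getcap from libcap; the sandbox uid fallback of 1001 is an assumption. One caveat worth knowing before running chmod u-s on an older distribution: without either the setuid bit or cap_net_raw, unprivileged users cannot open the raw socket ping needs, so ping stops working for everyone except root.

```shell
#!/bin/sh
# Added example (not from the original post): predict whether an
# "iptables -m owner --uid-owner <uid>" rule can match traffic from a binary
# run by that uid. The kernel attributes a socket to the effective uid of the
# process that creates it, so a setuid-root binary (old-style ping) opens its
# socket as uid 0 and the rule never sees it. A binary that only carries a
# file capability (cap_net_raw, modern ping) keeps the caller's uid, so the
# rule can match.
# Assumptions: GNU stat; getcap (libcap) may or may not be installed.

# Print the uid a socket would be attributed to when uid $2 runs binary $1.
socket_owner_uid() {
    bin=$1
    caller_uid=$2
    if [ -u "$bin" ]; then
        # setuid: the process runs with euid = file owner
        stat -c '%u' "$bin"
    else
        echo "$caller_uid"
    fi
}

# Describe how the binary gains raw-socket access: setuid, capability, or none.
privilege_mode() {
    bin=$1
    if [ -u "$bin" ]; then
        echo "setuid (owner uid $(stat -c '%u' "$bin"))"
    elif command -v getcap >/dev/null 2>&1 && getcap "$bin" 2>/dev/null | grep -q cap_net_raw; then
        echo "capability (cap_net_raw)"
    else
        echo "none"
    fi
}

# Print "match" if a --uid-owner $2 rule would see sockets opened by $1 run
# as uid $2, "nomatch" otherwise.
owner_rule_matches() {
    bin=$1
    caller_uid=$2
    if [ "$(socket_owner_uid "$bin" "$caller_uid")" = "$caller_uid" ]; then
        echo match
    else
        echo nomatch
    fi
}

# Stand-alone usage: inspect the system ping for the sandbox user.
# The fallback uid 1001 is an assumption for systems without that user.
if [ -x /bin/ping ]; then
    sandbox_uid=$(id -u sandbox 2>/dev/null || echo 1001)
    echo "/bin/ping: $(privilege_mode /bin/ping); --uid-owner $sandbox_uid rule: $(owner_rule_matches /bin/ping "$sandbox_uid")"
fi
```

Run it as any user; on a system where ping is still setuid root it reports "nomatch" for the sandbox uid, which is exactly the situation in the question, while a capability-only ping reports "match".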
Have you made sure that you have the necessary iptables module loaded?
Try
on the console.