Prevent network access with IPTables

StackedCrooked asked:

I try to block the user sandbox from accessing the network with this command:

$ iptables -A OUTPUT -m owner --uid-owner sandbox -j DROP

However, after that I’m still able to ping an external host:

$ sudo -u sandbox ping 206.190.36.45
PING 206.190.36.45 (206.190.36.45) 56(84) bytes of data.
64 bytes from 206.190.36.45: icmp_req=1 ttl=49 time=802 ms
64 bytes from 206.190.36.45: icmp_req=2 ttl=49 time=791 ms

What am I doing wrong?

Update

My configuration looks like this:

$ /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             owner UID match sandbox

Update

Apparently ping has setuid root set. I just had to remove it:

chmod u-s /bin/ping

My answer:


If ping is setuid root on your system, it is root which opens the socket from which ping sends its ICMP echo requests. Thus the rule will never match.

(Note that this is true on EL6, Debian squeeze, etc. More recent distributions have removed ping’s setuid bit and replaced it with a capability. In these cases, the rule might match.)
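As an added illustration (not part of the original question or answer), here is a small POSIX shell helper that classifies a binary the way the answer reasons: setuid root means the socket is opened with euid 0 and the owner match never fires, while a file capability leaves the caller's euid in place so the match can fire. It assumes GNU stat and, optionally, getcap from libcap; the classification names are my own.

```shell
#!/bin/sh
# classify_binary MODE OWNER CAPS
#   MODE  - octal mode as printed by `stat -c %a` (e.g. 4755 or 755)
#   OWNER - owner name as printed by `stat -c %U`
#   CAPS  - capability string as printed by `getcap`, or empty
# Prints one of:
#   setuid-root  - socket opened with euid 0; "-m owner --uid-owner" never matches
#   setuid-other - setuid to a non-root owner; traffic is attributed to that uid
#   capability   - euid stays the caller's; the owner match can fire
#   plain        - no privilege change at all
classify_binary() {
    mode=$1
    owner=$2
    caps=$3
    # In a 4-digit octal mode the leading digit is setuid(4)+setgid(2)+sticky(1),
    # so the setuid bit is set when that digit is 4, 5, 6 or 7.
    case $mode in
        [4567]???) setuid=1 ;;
        *)         setuid=0 ;;
    esac
    if [ "$setuid" -eq 1 ] && [ "$owner" = root ]; then
        echo setuid-root
    elif [ "$setuid" -eq 1 ]; then
        echo setuid-other
    elif [ -n "$caps" ]; then
        echo capability
    else
        echo plain
    fi
}

# inspect_binary PATH: read the real mode, owner and file capabilities of a
# binary and print "PATH CLASS". Assumes GNU stat; getcap is optional.
inspect_binary() {
    file=$1
    modeowner=$(stat -c '%a %U' "$file") || return 1
    set -- $modeowner
    caps=''
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$file" 2>/dev/null)
    fi
    printf '%s %s\n' "$file" "$(classify_binary "$1" "$2" "$caps")"
}

# Example: inspect_binary /bin/ping
```

A result of setuid-root is the situation in the question, where `chmod u-s` (or switching to a capability) is what makes the owner rule effective; a result of capability matches the newer distributions mentioned in the answer.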


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.