Prevent network access with IPTables

StackedCrooked asked:

I try to block the user sandbox from accessing the network with this command:

$ iptables -A OUTPUT -m owner --uid-owner sandbox -j DROP

However, after that I’m still able to ping an external host:

$ sudo -u sandbox ping
PING ( 56(84) bytes of data.
64 bytes from icmp_req=1 ttl=49 time=802 ms
64 bytes from icmp_req=2 ttl=49 time=791 ms

What am I doing wrong?


My configuration looks like this:

$ /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             owner UID match sandbox


Apparently ping has setuid root set. I just had to remove it:

chmod u-s /bin/ping

My answer:

If ping is setuid root on your system, it is root which opens the socket from which ping sends its ICMP echo requests. Thus the rule will never match.

(Note that this is true on EL6, Debian squeeze, etc. More recent distributions have removed ping’s setuid bit and replaced it with a capability. In these cases, the rule might match.)
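As an added example (not part of the original question or answer), a small shell audit that reports which executables under a directory would open their sockets under a UID other than the calling user's, either because they are setuid (the socket is then owned by the file owner's UID, root for a classic ping) or because they carry cap_net_raw/cap_net_admin (the UID stays that of the caller, so a --uid-owner rule still matches). It assumes GNU or BSD stat and an optional getcap.

```shell
#!/bin/sh
# Added example: find executables that defeat an `iptables -m owner --uid-owner`
# rule. The owner match keys on the UID that opens the socket, so a setuid
# binary is matched against its file owner (root for a setuid ping), while a
# capability-based ping still opens the socket as the invoking user.
# Assumptions: POSIX sh, find, GNU or BSD stat, getcap present or absent.

# Print "setuid:<file-owner-uid>" if the file is setuid, "capability" if it
# carries cap_net_raw or cap_net_admin, otherwise "none".
socket_privilege() {
    f=$1
    if [ -u "$f" ]; then
        # GNU stat first, BSD stat as a fallback (assumption about the host)
        owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
        echo "setuid:$owner"
        return 0
    fi
    if command -v getcap >/dev/null 2>&1; then
        case "$(getcap "$f" 2>/dev/null)" in
            *cap_net_raw*|*cap_net_admin*) echo capability; return 0 ;;
        esac
    fi
    echo none
}

# List every executable under $1 whose sockets would not carry the caller's
# UID, one "<mode> <path>" pair per line. Capability-based binaries are
# reported too, so the admin can see which ones the rule will still match.
audit_owner_bypass() {
    dir=$1
    find "$dir" -type f -perm -u+x 2>/dev/null | while read -r f; do
        mode=$(socket_privilege "$f")
        if [ "$mode" != "none" ]; then
            printf '%s %s\n' "$mode" "$f"
        fi
    done
    return 0
}
```

Run `audit_owner_bypass /bin` (or /usr/bin) as an unprivileged user: a "setuid:0 /bin/ping" line means the DROP rule above will never see that traffic, while a "capability" line means it will.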

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.