From: Eric Leblond
Subject: Re: Possible bug in iptables : -m --uid-owner not working with ping
Date: Mon, 22 Oct 2012 16:44:40 +0200
Message-ID: <1350917080.3221.1.camel@tourtet>
In-Reply-To: <50855A6B.1070000@lavabit.com>
To: matjaž
Cc: netfilter@vger.kernel.org

Hi,

On Monday 22 October 2012 at 16:38 +0200, matjaž wrote:
> Hi all,
> Is it possible that owner matching does not work correctly?
> I tried blocking internet access to one user, but found out he can still
> use ping.
> Please see below (I removed some lines from ping output for clarity -
> also there are no other rules in iptables):
>
> matjaz@laptop:~$ iptables --version
> iptables v1.4.16.3
> matjaz@laptop:~$ sudo iptables -F -t nat ; sudo iptables -F
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=46.9 ms
> # ok, works
> matjaz@laptop:~$ id nonet
> uid=1002(nonet) gid=1003(nonet) groups=1003(nonet)
> matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -m owner --uid-owner 1002 -j REJECT
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=46.7 ms
> # not ok, still works
> matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -j REJECT
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> ping: sendmsg: Operation not permitted

There is one command missing in your list of commands ;)

$ ls -l $(which ping)
-rwsr-xr-x 1 root root 34780 oct.  3 00:26 /bin/ping

ping is setuid, as it sends low-level packets, so the id seen by the system is root.

BR,

> My machine :
> matjaz@laptop:~$ cat /etc/issue
> Ubuntu 12.04.1 LTS \n \l
> matjaz@laptop:~$ uname -a
> Linux laptop 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:33:09 UTC
> 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> I installed the latest version of iptables (this didn't work even with
> the Ubuntu-supplied version) from source and rebooted before testing. I
> didn't uninstall the previous version before installation.
>
> Also: the -m owner --uid-owner match seems to work on other protocols.
>
> Oddly enough, using the group id instead seems to work:
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=47.6 ms
> --- 173.194.35.145 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2002ms
> rtt min/avg/max/mdev = 46.284/46.994/47.659/0.615 ms
> matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -m owner --gid-owner 1003 -j REJECT
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> From 192.168.2.151 icmp_seq=1 Destination Port Unreachable
> --- 173.194.35.145 ping statistics ---
> 0 packets transmitted, 0 received, +3 errors
> matjaz@laptop:~$ ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=47.3 ms
> --- 173.194.35.145 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2003ms
> rtt min/avg/max/mdev = 46.645/46.933/47.373/0.402 ms
>
> Is this expected behaviour?
> Best regards,
> Matjaž Berčič
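The check Eric points at, as an added example that is not part of the thread: the owner match compares the uid/gid the socket was created with, and a setuid-root ping opens its raw socket while its effective uid is root, so `--uid-owner 1002` never sees it. The setuid bit does not change the effective gid, which is why `--gid-owner 1003` does match in the report above. The script below turns that reasoning into a check you can run against any binary before writing a per-user rule; it goes beyond the thread by also handling setgid and setuid+setgid binaries. It assumes a `stat(1)` that accepts `-c` (GNU coreutils or busybox); the function names and the uid/gid values passed in the demo are the example's own.

```shell
#!/bin/sh
# Added example: work out which credentials the iptables owner match
# will see for packets sent by a given program.
#
# xt_owner compares the uid/gid the socket was created with. A setuid
# binary opens its socket with the file owner's effective uid, a setgid
# binary with the file group's effective gid; the other id is left as
# the caller's. Assumes stat -c (GNU coreutils or busybox).

# effective_socket_owner PATH CALLER_UID CALLER_GID
# Prints "uid:gid" as seen on a socket the program opens before it
# drops any privileges.
effective_socket_owner() {
    path=$1
    uid=$2
    gid=$3
    [ -f "$path" ] || return 1
    # setuid bit: the socket is created with the file owner's uid
    if [ -u "$path" ]; then
        uid=$(stat -c %u "$path") || return 1
    fi
    # setgid bit: likewise for the file group
    if [ -g "$path" ]; then
        gid=$(stat -c %g "$path") || return 1
    fi
    printf '%s:%s\n' "$uid" "$gid"
}

# owner_match_for PATH CALLER_UID CALLER_GID
# Prints the -m owner argument that will actually hit this program's
# traffic when run by CALLER_UID:CALLER_GID, or "none" (exit 2) when
# setuid+setgid mask both of the caller's ids.
owner_match_for() {
    seen=$(effective_socket_owner "$1" "$2" "$3") || return 1
    seen_uid=${seen%%:*}
    seen_gid=${seen##*:}
    if [ "$seen_uid" = "$2" ]; then
        echo "--uid-owner $2"
    elif [ "$seen_gid" = "$3" ]; then
        echo "--gid-owner $3"
    else
        echo none
        return 2
    fi
}

# Demo, reproducing the missing command from the reply above for the
# "nonet" user of the report (uid 1002, gid 1003). Skipped when no ping
# binary is installed.
if bin=$(command -v ping 2>/dev/null); then
    ls -l "$bin"
    echo "socket owner seen by xt_owner: $(effective_socket_owner "$bin" 1002 1003)"
    echo "rule: iptables -A OUTPUT -p icmp -m owner $(owner_match_for "$bin" 1002 1003) -j REJECT"
fi
```

Two caveats a practitioner should keep in mind. The result only describes sockets opened before a program drops privileges; a setuid program that calls `setuid()` back to the caller before opening further sockets is matched by `--uid-owner` for those. And on newer distributions ping is usually no longer setuid at all: it either carries the `cap_net_raw` file capability (visible with `getcap $(command -v ping)`) or uses unprivileged ICMP datagram sockets enabled through `net.ipv4.ping_group_range`, and in both cases its sockets carry the user's own uid, so the `--uid-owner` rule from the report works as expected there.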