1

I have a strange behaviour of iptables that I cannot explain or understand.

I have a user test which has its primary group test. I want to block any network access from this user.

Now, if I say

iptables -A OUTPUT -o eth0 -m owner --uid-owner test -j DROP

and I run su test, then I get the following:

ping serverfault.com       # WORKS
nmap -sP serverfault.com   # fails
wget serverfault.com       # fails

However, if I flush the iptables again, and say instead:

iptables -A OUTPUT -o eth0 -m owner --gid-owner test -j DROP

(notice the difference: gid instead of uid), then I get the following:

ping serverfault.com       # fails
nmap -sP serverfault.com   # fails
wget serverfault.com       # fails

So as you can see, the rule seems to match both times, but only when I block the primary group is ICMP also blocked. Is this a bug, or does this make some sense that I am unaware of?

I mean I could simply block both and be happy, but I want to understand why they behave differently.

My iptables version is v1.4.4.

bitmask

1 Answer

4

Generation of ICMP requires raw access to a socket, which in turn requires root access. Ping therefore runs setuid, so the uid for the owner of the socket is root and not test.

TimS
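The following script is an added example, not part of the question or the answer above. It makes the credential split visible: a setuid-root binary runs with effective uid 0, which is what -m owner --uid-owner sees, while its gid stays the caller's primary group, so --gid-owner still matches. The script checks the setuid bit on a binary with the POSIX test -u, tries it on two constructed files in a temporary directory, and prints (rather than applies) the pair of uid-owner and gid-owner rules that closes the gap for one account; the interface name eth0 and the account name test are taken from the question, and the function names are my own. One caveat the page does not cover: on distributions where ping carries the CAP_NET_RAW file capability or uses unprivileged ICMP sockets instead of being setuid root, the effective uid stays that of the caller and a --uid-owner rule does match it, so the setuid check is what decides which behaviour you get.

```shell
#!/bin/sh
# Added example (not from the original post). Shows why a setuid-root ping
# slips past --uid-owner but not --gid-owner, and emits both rules.

# Return 0 if the file has the setuid bit set, 1 otherwise (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# Verdict for one binary: whose credentials would xt_owner see on packets
# sent by a process running this file, assuming an ordinary caller?
owner_match_verdict() {
    bin="$1"
    if is_setuid "$bin"; then
        echo "setuid: --uid-owner sees the file owner's uid (root for ping), --gid-owner still sees the caller's gid"
    else
        echo "not setuid: both --uid-owner and --gid-owner see the caller"
    fi
}

# Print the pair of rules for one account on one interface. Only printed,
# so the output can be reviewed before being run as root.
block_user_rules() {
    user="$1"; iface="$2"
    printf 'iptables -A OUTPUT -o %s -m owner --uid-owner %s -j DROP\n' "$iface" "$user"
    printf 'iptables -A OUTPUT -o %s -m owner --gid-owner %s -j DROP\n' "$iface" "$user"
}

# Demonstration on constructed files. Setting the bit on a file you own
# needs no root; exec-time privilege change is not exercised here.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/plain";   chmod 755  "$tmp/plain"
    : > "$tmp/suidbin"; chmod 4755 "$tmp/suidbin"
    echo "plain:   $(owner_match_verdict "$tmp/plain")"
    echo "suidbin: $(owner_match_verdict "$tmp/suidbin")"
    rm -rf "$tmp"
}

demo

# Check the real ping on this host, if there is one on PATH.
if command -v ping >/dev/null 2>&1; then
    echo "$(command -v ping): $(owner_match_verdict "$(command -v ping)")"
fi

echo "Rules for the account from the question:"
block_user_rules test eth0
```

Run it as the unprivileged user; if the line for ping reports "setuid", the behaviour in the question is expected and the two printed rules together cover both ping and ordinary socket traffic. If it reports "not setuid", check file capabilities (getcap, from libcap) before assuming --uid-owner alone is enough.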