How do I disable a user's network access on Linux?

Trying to disable a user's network access:

[root@notebook ~]# iptables -I OUTPUT -m owner --uid-owner tempuser -j DROP
[root@notebook ~]# ip6tables -I OUTPUT -m owner --uid-owner tempuser -j DROP
Could not open socket to kernel: Address family not supported by protocol
[root@notebook ~]# 
[root@notebook ~]# iptables -I INPUT -m owner --uid-owner tempuser -j DROP
iptables: Invalid argument. Run `dmesg' for more information.
[root@notebook ~]# ip6tables -I INPUT -m owner --uid-owner tempuser -j DROP
Could not open socket to kernel: Address family not supported by protocol
[root@notebook ~]# 

Test:

[root@notebook ~]# su - tempuser
[tempuser@notebook ~]$ ping google.com
ping: unknown host google.com
[tempuser@notebook ~]$ 
[tempuser@notebook ~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=4.80 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=4.07 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1057ms
rtt min/avg/max/mdev = 4.071/4.439/4.807/0.368 ms
[tempuser@notebook ~]$ 
[tempuser@notebook ~]$ exit
logout
[root@notebook ~]# ping google.com
PING google.com (216.58.209.174) 56(84) bytes of data.
64 bytes from bud02s21-in-f14.1e100.net (216.58.209.174): icmp_seq=1 ttl=55 time=5.05 ms
^C
--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 572ms
rtt min/avg/max/mdev = 5.059/5.059/5.059/0.000 ms
[root@notebook ~]# 

Question: how do I disable network access for a given user on Linux? (INPUT/OUTPUT/IPv4/IPv6?) And why can I still ping IPv4 addresses as that user?

Answer 1

On some systems, ping is a SUID binary, because sending ICMP packets requires root privileges (on other systems, I believe this is handled via capabilities).

[me@lory ~]$ ls -al /bin/ping
-rwsr-xr-x. 1 root root 40760 Sep 26  2013 /bin/ping

If you are on the former type of system, it is not tempuser sending those PING packets but root. The DNS lookup, which does not run under SUID, fails for tempuser (unknown host google.com), so you can confirm that your block is working.
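As an added example (not part of the answer above), a small POSIX shell check that tells you which of the two cases the answer describes applies to a ping binary on your system: a setuid-root ping creates its socket as uid 0, so an iptables owner match on tempuser never sees it, whereas a ping that holds cap_net_raw as a file capability keeps the caller's uid and is matched. The path /bin/ping and the use of stat and getcap are assumptions about your system.

```shell
#!/bin/sh
# Added example, not from the original answer. Classifies why a binary such as
# ping can send packets that a per-user "-m owner --uid-owner" rule does not catch.

# classify_privilege MODE OWNER CAPS
#   MODE  - ls/stat style mode string, e.g. "-rwsr-xr-x"
#   OWNER - file owner name
#   CAPS  - output of getcap for the file ("" if none / getcap unavailable)
# Prints "setuid-root" (socket is created as uid 0, owner match misses),
# "capability" (process keeps the caller's uid, owner match works), or "none".
classify_privilege() {
    mode="$1"; owner="$2"; caps="$3"
    case "$mode" in
        ???[sS]*)   # 4th character carries the setuid bit
            if [ "$owner" = root ]; then
                echo "setuid-root"; return 0
            fi ;;
    esac
    case "$caps" in
        *cap_net_raw*) echo "capability"; return 0 ;;
    esac
    echo "none"
}

# inspect_binary PATH: gather mode, owner and file capabilities, then classify.
inspect_binary() {
    f="$1"
    [ -e "$f" ] || { echo "missing"; return 1; }
    mode=$(stat -c '%A' "$f")
    owner=$(stat -c '%U' "$f")
    caps=""
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$f" 2>/dev/null)
    fi
    classify_privilege "$mode" "$owner" "$caps"
}

# Usage: the result for the assumed path /bin/ping (missing on some systems).
inspect_binary /bin/ping || true
```

If the result is "setuid-root", the blocked user's pings go out as root and the OUTPUT owner rule cannot match them; only the DNS lookup, which runs as the user, is dropped.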