Traceroute는 일반(루트가 아닌) 사용자로는 정상 작동하지만, 루트로 실행하면 결과가 모두 "* * *"로 표시됩니다.
# As root user
[root]# /usr/bin/traceroute 1.1.1.1 -I
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 one.one.one.one (1.1.1.1) 2.436 ms 2.433 ms 2.417 ms
# Switch to non-root user
[root]# su sam
# As non-root user
[sam]$ /usr/bin/traceroute 1.1.1.1 -I
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 169.254.100.0 (169.254.100.0) 1.291 ms 1.250 ms 1.243 ms
2 13.106.232.74 (13.106.232.74) 3.202 ms 3.188 ms 3.420 ms
3 172.70.160.4 (172.70.160.4) 6.058 ms 6.053 ms 6.035 ms
4 one.one.one.one (1.1.1.1) 2.437 ms 2.434 ms 2.431 ms
[sam]$
Environment:
RockyLinux 9.2 (Blue Onyx)
kernel 5.14.0-284.18.1.el9_2.x86_64
traceroute-2.1.0-16.el9.src.rpm
Azure VM (Official Rocky image - clean install)
방화벽이나 권한 문제로 루트가 아닌 사용자가 traceroute를 실행하지 못하는 경우는 본 적이 있지만, 오늘은 그 반대의 일이 일어났습니다!
다음은 아래 댓글의 의견을 바탕으로 추가로 조사한 내용입니다.
- iptables:
[root]# iptables-save -c
# Generated by iptables-save v1.8.8 (nf_tables) on Sun Oct 8 13:33:21 2023
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8239:955658]
[0:0] -A OUTPUT -d 168.63.129.16/32 -p tcp -m tcp --dport 53 -j ACCEPT
[6259:1742375] -A OUTPUT -d 168.63.129.16/32 -p tcp -m owner --uid-owner 0 -j ACCEPT
[0:0] -A OUTPUT -d 168.63.129.16/32 -p tcp -m conntrack --ctstate INVALID,NEW -j DROP
COMMIT
# Completed on Sun Oct 8 13:33:21 2023
# Generated by iptables-save v1.8.8 (nf_tables) on Sun Oct 8 13:33:21 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sun Oct 8 13:33:21 2023
- getcap (파일 capability 확인)
# As root user
[root]# /sbin/getcap $(readlink -e /usr/bin/traceroute)
/usr/bin/traceroute cap_net_admin=ep
# Switch to non-root user
[root]# su sam
# As non-root user
[sam]$ /sbin/getcap $(readlink -e /usr/bin/traceroute)
/usr/bin/traceroute cap_net_admin=ep
[sam]$
- ip rule (라우팅 정책 규칙)
# ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
- nft 규칙 세트 (nft list ruleset)
# nft list ruleset
table ip security {
chain OUTPUT {
type filter hook output priority 150; policy accept;
ip daddr 168.63.129.16 tcp dport 53 counter packets 0 bytes 0 accept
meta l4proto tcp ip daddr 168.63.129.16 skuid 0 counter packets 6159 bytes 1716902 accept
meta l4proto tcp ip daddr 168.63.129.16 ct state invalid,new counter packets 0 bytes 0 drop
}
}
table ip filter {
}
- SELinux
# sestatus
SELinux status: disabled