LinuxQuestions.org

Linux - Networking: Blocking a certain user from the internet (https://www.linuxquestions.org/questions/linux-networking-3/blocking-a-certain-user-from-the-internet-627940/)

The_Nerd 03-13-2008 11:38 PM

Blocking a certain user from the internet
 
On Linux, how do I block any user from accessing the internet with any application, and yet allow others to access it without hindrance?

Thanks!

jschiwal 03-14-2008 01:28 AM

Is this a user on his or her own machine or another user on the same machine?


If it is on the same linux machine you could add this to the iptables rules to reject DNS requests:
Code:

# reject DNS lookups (TCP and UDP port 53) generated by processes running as uid 503
/sbin/iptables -A OUTPUT -p tcp --dport 53 -m owner --uid-owner 503 -j REJECT
/sbin/iptables -A OUTPUT -p udp --dport 53 -m owner --uid-owner 503 -j REJECT

I got this from this webpage: http://linux.deadgod.net/2007/01/24/...per-user_basis
Normally web access is controlled by using a proxy server.
An easy thing to do if you have small children is to configure your NAT router to supply an OpenDNS nameserver via DHCP. You can then opt for filtering in the setup page of the OpenDNS service.

jschiwal 03-14-2008 02:28 AM

I tried to block a "testuser" on my laptop.
Code:

su -                      # become root

modprobe ipt_owner        # load the owner match module (called xt_owner on newer kernels)
iptables -A OUTPUT -m owner --uid-owner 1001 -j DROP   # appended at the end of OUTPUT

It didn't work. Maybe someone more adept at netfilter rules can point out my mistake.
Sorry, I didn't test this out before posting, but that required me to log off.

I even tried using three rules matching tcp, udp and icmp explicitly. They didn't work either.

From iptables -L OUTPUT:
Code:

DROP      tcp  --  anywhere            anywhere            OWNER UID match testuser
DROP      udp  --  anywhere            anywhere            OWNER UID match testuser
DROP      icmp --  anywhere            anywhere            OWNER UID match testuser


Simon Bridge 03-14-2008 08:31 AM

iptables -A OUTPUT -m owner --uid-owner 1001 -j DROP
... you probably need to put it ahead of the other output rules. If you have default drop, then you may want to write the rule to say:

iptables -A OUTPUT -m owner ! --uid-owner 1001 -j ACCEPT

The exact situation is important.
http://iptables-tutorial.frozentux.n...tml#OWNERMATCH

If the user is on a network where you control the gateway...

Generally, if you have a problem with a user, you need to go talk to the user.

jschiwal 03-14-2008 09:06 AM

You are right. I inserted the rule after the first one in my rules and "testuser" couldn't access the internet. My example was too simple because it eliminates LAN access as well.
--

Code:

# insert at position 2: reject everything from uid 1001 except traffic to the LAN
iptables -I OUTPUT 2 -m owner --uid-owner 1001 ! --dest 192.168.1.0/255.255.255.128 -j REJECT

I tried this as root in screen 1 and logged in to screen 2 as testuser (uid=1001). Then testuser was able to use samba but not firefox. Thanks for the pointer.
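A worked example, added here and not code from any post in the thread, that puts the two points above together: the rules are inserted with -I so they sit ahead of any existing ACCEPT in OUTPUT, and loopback plus the LAN are exempted so local services such as samba keep working. IPTABLES, LAN_CIDR, resolve_uid, block_user and unblock_user are names chosen for this example, and 192.168.1.0/24 is an assumed LAN; set IPTABLES=echo to print the rules instead of applying them (no root needed).

```shell
#!/bin/sh
# Added example, not code from the thread: block one uid's outbound traffic
# with the iptables owner match, using -I so the rules sit ahead of any
# existing ACCEPT in OUTPUT, and exempting loopback and the LAN.
# IPTABLES and LAN_CIDR are assumptions for the example; set IPTABLES=echo
# to print the rules instead of applying them (no root needed).
IPTABLES="${IPTABLES:-/sbin/iptables}"
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"

# Turn a user name or numeric uid into a numeric uid (empty if unknown).
resolve_uid() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" 2>/dev/null ;;   # a name: ask the passwd db
        *)           printf '%s\n' "$1" ;;        # already numeric
    esac
}

# Insert the rules for one uid. Every -I OUTPUT 1 lands at the head of the
# chain, so the REJECT goes in first and the two exemptions are inserted
# ahead of it; the resulting chain order is lo ACCEPT, LAN ACCEPT, REJECT.
block_user() {
    uid=$(resolve_uid "$1") || uid=''
    if [ -z "$uid" ]; then
        echo "block_user: unknown user '$1'" >&2
        return 1
    fi
    "$IPTABLES" -I OUTPUT 1 -m owner --uid-owner "$uid" \
        -j REJECT --reject-with icmp-admin-prohibited
    "$IPTABLES" -I OUTPUT 1 -m owner --uid-owner "$uid" -d "$LAN_CIDR" -j ACCEPT
    "$IPTABLES" -I OUTPUT 1 -m owner --uid-owner "$uid" -o lo -j ACCEPT
}

# Delete the same three rules; -D matches on the rule text, not its position.
unblock_user() {
    uid=$(resolve_uid "$1") || uid=''
    [ -n "$uid" ] || return 1
    "$IPTABLES" -D OUTPUT -m owner --uid-owner "$uid" -o lo -j ACCEPT
    "$IPTABLES" -D OUTPUT -m owner --uid-owner "$uid" -d "$LAN_CIDR" -j ACCEPT
    "$IPTABLES" -D OUTPUT -m owner --uid-owner "$uid" \
        -j REJECT --reject-with icmp-admin-prohibited
}

# Usage: ./block_user.sh block testuser   or   ./block_user.sh unblock testuser
case "${1:-}" in
    block)   block_user "$2" ;;
    unblock) unblock_user "$2" ;;
esac
```

Caveats a practitioner will want: the owner match only sees locally generated packets, so it lives in OUTPUT and never affects forwarded traffic; it keys on the uid of the socket owner, so a setuid program, sudo, or a proxy or VPN running under another uid sidesteps it; IPv6 needs the same rules via ip6tables; and the rules do not survive a reboot unless saved with your distribution's iptables persistence mechanism. REJECT with icmp-admin-prohibited is used rather than DROP so the blocked user's applications fail immediately instead of hanging until a timeout.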

Simon Bridge 03-14-2008 10:39 PM

It remains now to hear back from The_Nerd ... how about it? How did you get on?

