Blocking a certain user from the internet
On Linux, how do I block any user from accessing the internet with any application, and yet allow others to access it without hindrance?
Thanks! |
Is this a user on his or her own machine or another user on the same machine?
If it is on the same Linux machine you could add this to the iptables rules to reject DNS requests:
Code:
/sbin/iptables -A OUTPUT -p tcp --dport 53 -m owner --uid-owner 503 -j REJECT
Normally web access is controlled by using a proxy server. An easy thing to do if you have small children is to configure your NAT router to supply an openDNS nameserver via DHCP. You can then opt for filtering in the setup page of the openDNS service. |
I tried to block a "testuser" on my laptop.
Code:
su -
Sorry I didn't test this out before posting, but that required me to log off. I even tried using three rules matching tcp, udp and icmp explicitly. They didn't work either. From iptables -L OUTPUT:
Code:
DROP tcp -- anywhere anywhere OWNER UID match testuser |
iptables -A OUTPUT -m owner --uid-owner 1001 -j DROP
... you probably need to put it ahead of the other output rules. If you have default drop, then you may want to write the rule to say:
iptables -A OUTPUT -m owner --uid-owner !1001 -j ACCEPT
The exact situation is important. http://iptables-tutorial.frozentux.n...tml#OWNERMATCH
If the user is on a network where you control the gateway... Generally, if you have a problem with a user, you need to go talk to the user. |
You are right. I inserted the rule after the first one in my rules and "testuser" couldn't access the internet. My example was too simple because it eliminates LAN access as well.
Code:
iptables -I OUTPUT 2 -m owner --uid-owner 1001 ! --dest 192.168.1.0/255.255.255.128 -j REJECT |
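The rule above keeps the LAN reachable for the blocked user; the script below, an added example that is not from any poster in this thread, does the same thing as a complete rule set (loopback and LAN allowed, everything else rejected, inserted at the head of OUTPUT so a later broad ACCEPT cannot let the packets through first). UID 1001 and 192.168.1.0/24 are assumed values; setting IPT=echo previews the commands without touching the firewall.

```shell
#!/bin/sh
# Added example (not from the thread): cut one local UID off from the internet
# while its loopback and LAN traffic, and every other user's traffic, are left
# alone. UID 1001 and 192.168.1.0/24 below are assumed values.
IPT="${IPT:-iptables}"

# user_block_rules UID LAN_CIDR  -> prints one iptables argument list per line.
# Every rule is inserted at position 1, so they are printed in REVERSE of the
# order they end up in: final chain order is lo ACCEPT, LAN ACCEPT, REJECT.
user_block_rules() {
    uid="$1"
    lan="$2"
    # Everything this UID sends (TCP, UDP and ICMP alike) is rejected, so the
    # application gets an immediate error instead of a hang.
    echo "-I OUTPUT 1 -m owner --uid-owner $uid -j REJECT"
    # ...except traffic to the LAN: printers, file shares, local resolver.
    echo "-I OUTPUT 1 -d $lan -m owner --uid-owner $uid -j ACCEPT"
    # ...and except loopback, so local services (X, DBus, caches) keep working.
    echo "-I OUTPUT 1 -o lo -m owner --uid-owner $uid -j ACCEPT"
}

# apply_rules UID LAN_CIDR  -> feeds the rules to $IPT in the printed order.
apply_rules() {
    user_block_rules "$1" "$2" | while IFS= read -r rule; do
        # Word-splitting of $rule is intended: each line is one argument list.
        # 'exit' here only leaves the pipeline subshell; the function returns 1.
        $IPT $rule || exit 1
    done
}

# Only act when run as a script with both arguments, e.g.
#   IPT=echo sh block_user.sh 1001 192.168.1.0/24   (preview)
#   sudo sh block_user.sh 1001 192.168.1.0/24       (apply)
if [ "$#" -eq 2 ]; then
    apply_rules "$1" "$2"
fi
```

The owner match only sees packets generated on this host, so a caching resolver running on the box under its own user will still answer the blocked user's DNS lookups; the connections that follow are still rejected.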
It remains now to hear back from The_Nerd ... how about it? How did you get on?
|