Well, root should *never* have internet access, as that implicitly creates a substantial security risk. I guess the simplest way to achieve what you are directly trying to do is to enforce the use of a local proxy, assuming you mean web access, not full internet access. If that's not an option, then within a single machine you could use the owner module to only permit network connections by certain users.
iptables -A OUTPUT -p tcp -m owner ! --uid-owner root -j REJECT
Reject all packets which are trying to leave the box that were not created by a process owned by root.
Last edited by acid_kewpie; 08-01-2007 at 03:09 AM.
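As an added illustration of the two options above (a mandatory local proxy, and the owner module for per-user egress), here is a script that is not part of the post: it builds an OUTPUT chain in which root can only open connections to a proxy, members of one group get direct egress, and everything else is logged and then rejected. The proxy address 10.0.0.5:3128 and the group name netusers are constructed assumptions; DRY_RUN=1 (the default) prints the rules instead of applying them, so it runs without privileges.

```shell
#!/bin/sh
# Added example, not the forum post's own script: per-user egress policy with
# the iptables owner match. Values below are constructed assumptions.
PROXY_ADDR="${PROXY_ADDR:-10.0.0.5}"   # assumed proxy host on the LAN
PROXY_PORT="${PROXY_PORT:-3128}"       # assumed proxy listener port
NET_GROUP="${NET_GROUP:-netusers}"     # assumed group allowed direct egress
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the rules, 0 = apply (needs root)

# Wrapper so the same policy can be previewed or applied.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

egress_policy() {
    # Loopback and reply traffic first, or existing sessions would be cut off.
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # root may only open TCP connections to the proxy; any other root-owned
    # packet is logged (a detection hook) and then rejected.
    ipt -A OUTPUT -p tcp -m owner --uid-owner root -d "$PROXY_ADDR" --dport "$PROXY_PORT" -j ACCEPT
    ipt -A OUTPUT -m owner --uid-owner root -j LOG --log-prefix "root-egress-denied: "
    ipt -A OUTPUT -m owner --uid-owner root -j REJECT

    # Processes whose group is the assumed netusers group get direct egress.
    ipt -A OUTPUT -m owner --gid-owner "$NET_GROUP" -j ACCEPT

    # Everyone else (including socketless kernel-generated packets, which the
    # owner match never sees) is logged and rejected.
    ipt -A OUTPUT -j LOG --log-prefix "egress-denied: "
    ipt -A OUTPUT -j REJECT
}

egress_policy
```

The owner match only works in the OUTPUT chain for packets a local socket generated, so forwarded traffic and kernel-originated packets fall through to the final rules; the LOG prefixes give syslog a string to alert on when a root-owned process tries to go anywhere but the proxy.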