LinuxQuestions.org
Old 11-25-2004, 04:24 PM   #1
jimk
LQ Newbie
 
Registered: May 2004
Location: Tennessee, USA
Posts: 19

Rep: Reputation: 0
How can I block net access for 1 user?


I would like to block internet access on my son's user account.

Our family shares one computer running Suse 9.1 with DSL internet access through a router. There is no other networking. Everybody has their own sign-on and password. I would like my son to be able to use the computer without supervision, and the only way I'll feel safe doing so is if he can't get on the Internet. Is there an easy way to do this?

I rarely use the command prompt, so I would appreciate some detail in any replies involving commands. Thanks.
 
Old 11-25-2004, 04:58 PM   #2
hostprotect
Member
 
Registered: Nov 2004
Posts: 56

Rep: Reputation: 15
http://freshmeat.net/projects/censornet/
 
Old 11-25-2004, 05:11 PM   #3
jimk
LQ Newbie
 
Registered: May 2004
Location: Tennessee, USA
Posts: 19

Original Poster
Rep: Reputation: 0
censornet

Thanks. I checked the link, and apparently censornet would require me to go out and buy another computer:

"CensorNet is a Debian-based Linux distribution in its own right and must be installed on a *dedicated* machine with a minimum of two Ethernet adapters."

I was hoping for a simpler solution.
 
Old 11-25-2004, 05:42 PM   #4
capybara
LQ Newbie
 
Registered: May 2004
Location: 20 min to tj
Distribution: debian
Posts: 9

Rep: Reputation: 0
For every browser, create a group "newgroup."
Add users to it, everybody except your son.
"other" has no right to execute these browsers.
Members of "newgroup" have the right.
#chmod (for ex.) 776 mozilla
 
Old 11-25-2004, 05:59 PM   #5
jimk
LQ Newbie
 
Registered: May 2004
Location: Tennessee, USA
Posts: 19

Original Poster
Rep: Reputation: 0
Thanks, capybara. Sounds great. The only thing is he won't be able to use konqueror, which is also a file manager. But I think I can come up with something else for that.
 
Old 11-25-2004, 11:40 PM   #6
DaHammer
Member
 
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561

Rep: Reputation: 30
That still wouldn't prevent him from using other programs like Xchat, gaim, etc. Since you only have the single PC and since everyone has to log on as themselves to use it, you could write a shell script to disable the network card, or modem, whatever the case may be, when he logs on and to bring it up for everyone else. Of course, that will require that you know your way around Linux pretty well.
 
Old 11-26-2004, 12:03 AM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
You can also use the iptables userid match and block all outgoing traffic initiated by that user. General syntax for userid blocking is:

iptables -I OUTPUT -o <external_interface> -m owner --uid-owner <users_id> -j REJECT

Note that certain types of traffic that are initiated by suid programs will be exempt (like ping).
 
Old 11-26-2004, 02:21 AM   #8
jimk
LQ Newbie
 
Registered: May 2004
Location: Tennessee, USA
Posts: 19

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by Capt_Caveman
You can also use the iptables userid match and block all outgoing traffic initiated by that user. General syntax for userid blocking is:

iptables -I OUTPUT -o <external_interface> -m owner --uid-owner <users_id> -j REJECT
Thanks, Capt.! A quick newbie question: Would <external_interface> be eth0?
 
Old 11-26-2004, 02:36 AM   #9
redjokerx
Member
 
Registered: Aug 2004
Location: San Diego
Distribution: Slackware
Posts: 303

Rep: Reputation: 31
yeah
 
Old 11-26-2004, 09:26 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by jimk
Thanks, Capt.! A quick newbie question: Would <external_interface> be eth0?
Depends. Normally yes, but on some systems this can be eth1 or a ppp interface. Using the ifconfig command should show you a list of interfaces that are currently up. Whichever IP address corresponds to your internet connection will be the proper external interface.
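
An added example, not part of the original thread: a dry-run shell helper that builds the owner-match rule quoted above for a given login name and interface. It goes beyond the post by also emitting the rule for ip6tables so IPv6 traffic is covered; the function name block_rules, the input checks and the use of -C to avoid stacking duplicate rules are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): print the per-user egress REJECT rules.
# Dry run only: nothing is changed until the printed commands are run as root.

# block_rules USER IFACE
#   Prints one command line each for iptables and ip6tables.
#   Returns 1 if the user does not exist or the interface name is malformed.
block_rules() {
    user=$1
    iface=$2

    # Resolve the login name to a numeric uid first, so a typo in the name
    # fails here instead of producing a rule that matches nobody.
    uid=$(id -u -- "$user" 2>/dev/null) || {
        echo "unknown user: $user" >&2
        return 1
    }

    # Accept only characters that occur in interface names (eth0, ppp0, ...);
    # this also keeps shell metacharacters out of the generated commands.
    case $iface in
        ''|*[!A-Za-z0-9._-]*)
            echo "bad interface name: $iface" >&2
            return 1
            ;;
    esac

    rule="OUTPUT -o $iface -m owner --uid-owner $uid -j REJECT"
    for ipt in iptables ip6tables; do
        # -C checks whether the rule is already present; -I inserts it at the
        # top of OUTPUT only if it is not (assumes an iptables that has -C).
        echo "$ipt -C $rule 2>/dev/null || $ipt -I $rule"
    done
}

# Stand-alone use: sh block_user.sh <login> <external_interface>
if [ "$#" -eq 2 ]; then
    block_rules "$1" "$2"
fi
```

Saved under a hypothetical name such as block_user.sh, the output can be reviewed and then piped to `sh` as root. Rules inserted this way last only until the next reboot or firewall reload unless the distribution's firewall tooling saves them.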
 
Old 11-26-2004, 11:43 AM   #11
jimk
LQ Newbie
 
Registered: May 2004
Location: Tennessee, USA
Posts: 19

Original Poster
Rep: Reputation: 0
How can I block net access.... Solved

Capt_Caveman's iptables command was just what I was looking for and it worked perfectly. Thanks to everybody for your help.

--Jim
 
  


All times are GMT -5.