
Re: different firewall rules for different users



Hello,

Philip wrote:
> 
> Is there an easy way to set up different rules for different users of a desktop machine?
> I have a small home network with different PCs for different purposes.
> There is a general purpose Lenny desktop that the whole family uses.
> It has a private IP address.
> This can get to the Internet either through NAT on a FreeBSD firewall, or through a Dansguardian
> proxy, currently running on a different Etch box. Eventually I plan to migrate dansguardian onto the
> freebsd box.
> 
> Is there an easy way that if I or another adult is logged in then we can get to the NAT box, but if
> one of my (small) children are logged in then the only way out is through the proxy?

iptables can match locally generated packets by the sender process user
or group ID. See the 'owner' match.

E.g. for HTTP traffic:

iptables -t nat -A OUTPUT -p tcp --dport 80 \
  -m owner --gid-owner $children -j DNAT --to $proxy_address:$proxy_port

Note that the proxy must work in transparent mode, and this may not work
with programs that run SUID/SGID, as iptables sees only the effective
ID. Also, HTTPS does not work with a transparent proxy.
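A fuller rule set built around the same owner match, added here as an example and not part of the original thread. It assumes the restricted users belong to a local group named kids and that the transparent proxy listens on 192.168.1.2:8080 (constructed values); besides the DNAT above it adds filter rules so that the proxy really is the group's only way out, as Philip asked.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed values: restricted
# users belong to the local group "kids"; the transparent proxy listens on
# 192.168.1.2:8080 (constructed address). Run as root: "./rules.sh apply";
# DRY_RUN=1 prints the commands instead of applying them.
CHILDREN_GROUP="${CHILDREN_GROUP:-kids}"
PROXY_ADDR="${PROXY_ADDR:-192.168.1.2}"
PROXY_PORT="${PROXY_PORT:-8080}"
DRY_RUN="${DRY_RUN:-0}"

# Run an iptables command, or just print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rules for traffic generated locally by the children's group. For locally
# generated packets nat/OUTPUT runs before filter/OUTPUT, so the filter
# rules below already see the rewritten proxy destination.
apply_child_rules() {
    # 1. Divert plain HTTP from the group to the transparent proxy
    #    (the owner match sees only the effective GID, as the answer notes).
    ipt -t nat -A OUTPUT -p tcp --dport 80 \
        -m owner --gid-owner "$CHILDREN_GROUP" \
        -j DNAT --to-destination "$PROXY_ADDR:$PROXY_PORT"
    # 2. Loopback and DNS stay open: the browser resolves the name before
    #    the DNAT fires.
    ipt -A OUTPUT -o lo -m owner --gid-owner "$CHILDREN_GROUP" -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 \
        -m owner --gid-owner "$CHILDREN_GROUP" -j ACCEPT
    # 3. Let the diverted connections reach the proxy ...
    ipt -A OUTPUT -p tcp -d "$PROXY_ADDR" --dport "$PROXY_PORT" \
        -m owner --gid-owner "$CHILDREN_GROUP" -j ACCEPT
    # 4. ... and reject everything else from the group, so the proxy really
    #    is the only way out. This also stops HTTPS, which a transparent
    #    HTTP proxy cannot handle anyway.
    ipt -A OUTPUT -m owner --gid-owner "$CHILDREN_GROUP" \
        -j REJECT --reject-with icmp-admin-prohibited
}

# Apply only when invoked as "rules.sh apply"; otherwise just define things.
if [ "${1:-}" = "apply" ]; then
    apply_child_rules
fi
```

Preview with `DRY_RUN=1 ./rules.sh apply` before applying; adult users are not matched by any of these rules and keep using the NAT box directly.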

