Re: different firewall rules for different users

To: debian-firewall@lists.debian.org
Subject: Re: different firewall rules for different users
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date: Wed, 03 Mar 2010 14:55:22 +0100
Message-id: <[🔎] 4B8E6A4A.2040309@plouf.fr.eu.org>
In-reply-to: <[🔎] 4B8E6448.90501@christiantena.net>
References: <[🔎] 4B8E4955.60009@christiantena.net> <[🔎] 4B8E62BD.6060809@plouf.fr.eu.org> <[🔎] 4B8E6448.90501@christiantena.net>

Philip a écrit :
> That sounds good.
> I don't need to transparently proxy, because I have configured the dansguardian proxy into the
> browser that the children use.
> So a group for adults that allows port 80 and 443 would work.
> I just need to block packets except 8080 to the proxy.
> 
> I guess a default of deny all and then allow --gid-owner $adults (all ports)
> and another allow 8080 for all users.

I guess you would need to allow everything from root and other system
users too, not only adults, so it would be easier to allow everything
from all but children and allow only TCP 8080 to proxy from children
(assuming the proxy is defined by IP address or by name resolved in
/etc/hosts, not by DNS, otherwise you must allow DNS out too).

iptables -A OUTPUT -m owner ! --gid-owner $children -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $children \
   -d $proxy_address -p tcp --dport 8080 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $children -j DROP

Reply to:

References:
- different firewall rules for different users
  - From: Philip <subs@christiantena.net>
- Re: different firewall rules for different users
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
- Re: different firewall rules for different users
  - From: Philip <subs@christiantena.net>

Prev by Date: Re: different firewall rules for different users
Next by Date: tcp/ip traffic shaping in Debian
Previous by thread: Re: different firewall rules for different users
Next by thread: RE: different firewall rules for different users
Index(es):
- Date
- Thread