
Re: different firewall rules for different users



That sounds good.
I don't need to transparently proxy, because I have configured the dansguardian proxy into the
browser that the children use.
So a group for adults that allows port 80 and 443 would work.
I just need to block packets except 8080 to the proxy.

I guess a default of deny all and then allow --gid-owner $adults (all ports)
and another allow 8080 for all users.

I'm not sure of the iptables syntax though (I'm more used to pf)

thanks, Philip

Pascal Hambourg wrote:
> Hello,
> 
> Philip wrote:
>> Is there an easy way to set up different rules for different users of a desktop machine?
>> I have a small home network with different PCs for different purposes.
>> There is a general purpose Lenny desktop that the whole family uses.
>> It has a private IP address.
>> This can get to the Internet either through NAT on a FreeBSD firewall, or through a Dansguardian
>> proxy, currently running on a different Etch box. Eventually I plan to migrate dansguardian onto the
>> freebsd box.
>>
>> Is there an easy way that if I or another adult is logged in then we can get to the NAT box, but if
>> one of my (small) children are logged in then the only way out is through the proxy?
> 
> iptables can match locally generated packets by the sender process user
> or group ID. See the 'owner' match.
> 
> E.g. for HTTP traffic:
> 
> iptables -t nat -A OUTPUT -p tcp --dport 80 \
>   -m owner --gid-owner $children -j DNAT --to $proxy_address:$proxy_port
> 
> Note that the proxy must work in transparent mode, and this may not work
> with programs that run SUID/SGID, as iptables sees only the effective
> ID. Also, HTTPS does not work with a transparent proxy.
> 
> 
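
The default-deny OUTPUT policy sketched in Philip's reply (allow everything for the adults group, allow only the proxy port for everyone else), written out as an added example that is not from either poster. The group name `adults` and the proxy address 192.0.2.10:8080 are placeholders; the loopback and established-connection rules are my additions so that local services and replies keep working under a DROP policy.

```shell
#!/bin/sh
# Added example: per-group egress policy using iptables' owner match.
# Placeholders (not from the thread): group "adults", proxy 192.0.2.10:8080.
# Prints the rules by default; run with --apply as root to execute them.

gen_rules() {
    adults="$1"       # group whose members may reach the NAT box directly
    proxy="$2"        # Dansguardian proxy address (configured in the browser)
    proxy_port="$3"   # port the proxy listens on
    cat <<EOF
iptables -F OUTPUT
# Local traffic and replies to connections already accepted stay usable
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Adults: any destination. The match sees the process's effective group ID,
# so SUID/SGID programs and supplementary-group membership do not count.
iptables -A OUTPUT -m owner --gid-owner $adults -j ACCEPT
# Everyone else: only the proxy port on the proxy host. No DNS rule is
# needed, since a browser configured with a proxy sends it the hostname.
iptables -A OUTPUT -p tcp -d $proxy --dport $proxy_port -j ACCEPT
# Reject so blocked programs fail fast instead of timing out; the DROP
# policy is a safety net if the rule set is ever flushed.
iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
iptables -P OUTPUT DROP
EOF
}

case "$1" in
    --apply) gen_rules "${2:-adults}" "${3:-192.0.2.10}" "${4:-8080}" | sh -e ;;
    *)       gen_rules "${1:-adults}" "${2:-192.0.2.10}" "${3:-8080}" ;;
esac
```

Check the effective policy afterwards with `iptables -L OUTPUT -v -n` and by fetching a page as a member of each group.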

