Re: Restricting Internet Access
On Sun, 18 Oct 2009 18:41:09 +0200
David Baron <d_baron@012.net.il> wrote:
> As undemocratic as it seems, sometimes it is necessary for some
> logins not to be able to access internet browsing and such.
>
> How might one set this up?
One method might be to force all traffic through a proxy, and require
authentication.
A more robust solution would be to take advantage of the iptables
ability to match a packet's 'user'. E.g., take a look at the sample
'rules' file included with shorewall:
#       USER/GROUP      This column may only be non-empty if the SOURCE is
#                       the firewall itself.
#
#                       The column may contain:
#
#       [!][<user name or number>][:<group name or number>][+<program name>]
#
#                       When this column is non-empty, the rule applies only
#                       if the program generating the output is running under
#                       the effective <user> and/or <group> specified (or is
#                       NOT running under that id if "!" is given).
#
#                       Examples:
#
#                               joe     #program must be run by joe
#                               :kids   #program must be run by a member of
#                                       #the 'kids' group
#                               !:kids  #program must not be run by a member
#                                       #of the 'kids' group
#                               +upnpd  #program named upnpd (This feature was
#                                       #removed from Netfilter in kernel
#                                       #version 2.6.14).
Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
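
The iptables 'owner' match mentioned in the reply above, written out as plain rules. This is an added example, not part of the original message and not shorewall's own code. The NOINET chain name and the script layout are assumptions; 'kids' is the group name from the shorewall sample.

```shell
#!/bin/sh
# Reject outbound traffic from sockets owned by one group, using the
# iptables 'owner' match (valid in the OUTPUT chain, i.e. for traffic
# generated on the firewall host itself, as the shorewall comment says).
# Dry run by default: rules are printed. Set APPLY=1 (as root) to load them.

CHAIN=NOINET    # hypothetical chain name chosen for this example

# build_rules GROUP: print the rule set, execute nothing.
build_rules() {
    group=$1
    # Accept only plain group names/numbers so the generated command
    # lines cannot be extended by shell metacharacters.
    case $group in
        ''|*[!A-Za-z0-9_-]*)
            echo "invalid group: $group" >&2
            return 1 ;;
    esac
    # Emit the same rules for IPv6; an IPv4-only block leaves IPv6 open.
    for ipt in iptables ip6tables; do
        echo "$ipt -N $CHAIN"
        # Keep loopback working so local services stay reachable.
        echo "$ipt -A $CHAIN -o lo -j RETURN"
        echo "$ipt -A $CHAIN -j REJECT"
        # --gid-owner compares the GID that owns the socket (the
        # process's effective group); by default supplementary group
        # membership is not consulted, so the restricted logins need
        # this group as their primary group.
        echo "$ipt -A OUTPUT -m owner --gid-owner $group -j $CHAIN"
    done
}

# apply_rules GROUP: load the generated rules, stopping at the first error.
apply_rules() {
    rules=$(build_rules "$1") || return 1
    printf '%s\n' "$rules" | sh -e
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules "${1:-kids}"
else
    build_rules "${1:-kids}"
fi
```

Run without APPLY=1 first and read the printed rules; a user-based variant would use --uid-owner in place of --gid-owner.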