ArchLUG Kwiki - www.archlug.org


Limiting Network Access by User

I want to limit a user's activities (i.e. children or students) to be able to login and only use the local applications (OpenOffice.org, calculator, so on...). I want to block all access to exterior data, specifically, Email and Internet for these users, but not for the adults or administrators.


Using iptables

Using the 'iptables' features of the Linux kernel is what I think you're looking for.

The primary problem you have to overcome in achieving your goal is that the network device is a shared resource that is part of the computer itself -- like the CPU or the PCI bus. It's not something anyone "owns", like a file, and so doesn't really have "access controls" the way that files do, in terms of permissions.

But the way you control your network interface is primarily in relation to what connections you allow, not "who" owns the data flowing through the connection or who initiated the connection. However, there are just such options on the 'iptables' command.

I'll assume that any inbound connections have their access controlled by whatever the server is that has put up a listener -- i.e. apache, ssh, etc. all have their own authentication/access controls, so you'll have to administer those servers to whatever your policies are for unsolicited inbound connection attempts.

For outbound connections, you could require the users to use a proxy server, and then apply your policy rules to the proxy configuration. But that only works if they use the proxy server, and proxies are only readily available for HTTP (e.g. squid). They do nothing for proxying FTP, SSH, IRC, or any of a number of other protocols to which you might want to limit access as well. Nor for HTTP on non-standard ports.

But, as I said, iptables may be the cure for what ails you. I've adapted the below how-to from http://www.linuxjournal.com/article.php?sid=6091

So, here's my stab at preventing user 'joe' from using the network at all:

iptables -I OUTPUT ! -d localhost -m owner --uid-owner joe -j DROP

Let's dissect that command line one field at a time:

-I OUTPUT
Tells iptables we want to insert a rule at the top of the chain OUTPUT. Since owner matches apply only to packets originating locally, and since outbound traffic is handled in the OUTPUT chain, this is the only chain in which you can use owner matches.
! -d localhost
Tells iptables to match packets not destined for the localhost (i.e., the loopback interface 127.0.0.1). i.e. going somewhere else.
-m owner
Tells iptables to load the owner match extension.
--uid-owner joe
Tells iptables to match only packets created by processes owned by joe. i.e. whatever client application joe is attempting to use.
-j DROP
Tells iptables to drop packets that meet all match expressions in this line.

In summary, this rule tells the kernel (via iptables) to drop packets sent by one of joe's processes going anywhere other than the local machine.

I hope that helps. You'll have to figure out how you want to manage this if you want to manage multiple users and/or enable/disable access by policy. If there are multiple users, and the same policy applies to all of them, create a new user group, and add the users that will be denied/allowed access to the internet. Then insert a rule that drops packets for any --gid-owner that matches/does not match.

If you have multiple rules, you'll have to remember which one you want to remove or insert, if order is important. Use the 'iptables -L OUTPUT' to see the current ruleset for your OUTPUT chain.

--Mike
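The following script is an added example, not part of Mike's post or of the Linux Journal article he adapted. It turns the single rule above and the group-based management he suggests into a small POSIX sh helper. The group name "nonet", the REJECT target (so a blocked client fails immediately instead of hanging until a timeout) and the use of "! -o lo" in place of "! -d localhost" are choices made here, not on the page: matching the loopback interface covers all of 127.0.0.0/8 and the host's own addresses, not only the one address "localhost" resolves to. It also emits one --uid-owner rule per group member rather than a single --gid-owner rule, because --gid-owner compares only the process's primary (fs) gid, so a member whose primary group is something else would slip through on kernels that lack the newer --suppl-groups flag.

```shell
#!/bin/sh
# Added example (not from the original post): manage a "no network" policy
# for the members of one group with the iptables owner match.
#
# Assumptions not on the page: the policy group is called "nonet", the
# iptables binary is on PATH, and REJECT is preferred over DROP so a blocked
# client gets an immediate error instead of a timeout.

POLICY_GROUP="${POLICY_GROUP:-nonet}"
IPT="${IPT:-iptables}"

# Print one insert command per user in the space-separated list $1.
# Position 1 puts the rule ahead of any existing ACCEPT in OUTPUT, and
# "! -o lo" leaves loopback traffic (X, local daemons, 127.0.0.0/8) alone.
build_rules() {
    for u in $1; do
        printf '%s -I OUTPUT 1 ! -o lo -m owner --uid-owner %s -j REJECT\n' "$IPT" "$u"
    done
}

# Print the matching delete commands, to lift the policy again.  -D needs
# the rule spec exactly as it was inserted, so both are generated here.
build_delete_rules() {
    for u in $1; do
        printf '%s -D OUTPUT ! -o lo -m owner --uid-owner %s -j REJECT\n' "$IPT" "$u"
    done
}

# Number of rule lines build_rules would emit for list $1.
count_rules() {
    build_rules "$1" | wc -l | tr -d ' '
}

# Members of a group from the system group database: the fourth field of
# "getent group NAME" is "joe,sally"; turn it into "joe sally".
group_members() {
    getent group "$1" 2>/dev/null | cut -d: -f4 | tr ',' ' '
}

# show   - print the commands (default; safe to run as any user)
# apply  - execute them (root)
# lift   - delete them again (root)
# status - list the owner rules currently in OUTPUT, with positions (root)
case "${1:-show}" in
    show)   build_rules "$(group_members "$POLICY_GROUP")" ;;
    apply)  build_rules "$(group_members "$POLICY_GROUP")" | sh -e ;;
    lift)   build_delete_rules "$(group_members "$POLICY_GROUP")" | sh -e ;;
    status) "$IPT" -L OUTPUT -n --line-numbers | grep -E 'Chain|num|owner' ;;
    *)      echo "usage: $0 [show|apply|lift|status]" >&2 ;;
esac
```

Two checks worth doing after "apply": run "iptables -L OUTPUT -n --line-numbers" to confirm the owner rules sit above any ACCEPT rules, and repeat the same rules with ip6tables if the machine has IPv6, since the owner match in the IPv4 table does nothing for IPv6 sockets. Rules inserted this way do not survive a reboot; save them with iptables-save or your distribution's firewall service. Note also that the match is by the uid of the sending process, so it does not stop a user who can run a program as another uid (sudo, setuid binaries).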


