
Let's say there are two users on the LAN, A and B. How do I restrict user A from internet access using iptables rules and save the rules so that after a reboot they are still effective? Suppose also that I want to grant that user access at some point; how do I enable it again? I am using Ubuntu Linux 10.04. It would be nice if anybody showed me how to do it from the command line, as I often log in to the machine using a local ssh login.


3 Answers


I assume that users A and B are using the same Linux machine(s) where you are the administrator. (It's not completely clear from your question. If A and B have their own computers which they are administrators on, it's a completely different problem.)

The following command will prevent the user with uid 1234 from sending packets on the interface eth0:

iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1234 -j DROP
ip6tables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1234 -j DROP

I recommend reading the Ubuntu iptables guide to get basic familiarity with the tool (and refer to the man page for advanced things like the mangle table).

The user will still be able to run ping (because it's setuid root), but not anything else. The user will still be able to connect to a local proxy if that proxy was started by another user.

To remove this rule, add -D to the command above.

To make the rule permanent, add it to /etc/network/if-up.d/my-user-restrictions (make that an executable script beginning with #!/bin/sh). Or use iptables-save (see the Ubuntu iptables guide for more information).

  • Thank you very much. And yes, your assumptions are true. Based on your answer and the mentioned Ubuntu guide, is that the right way of doing things if I wanted to also grant the restricted user ssh access (sometimes I want to login using his account over ssh):
    iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1234 -p tcp --dport ssh -j ACCEPT
    iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1234 -j DROP
    I put those rules as is in the mentioned file and things seem to work fine. – Marwan Tanager Sep 28 '11 at 22:31
  • @Marwan I think that's right. Note that if you allow ssh access, you allow pretty much anything since ssh can trivially tunnel other protocols. – Gilles 'SO- stop being evil' Sep 28 '11 at 22:37
  • @Gilles'SO-stopbeingevil' I've stumbled upon your answer and was just wondering why you suggest using the mangle table? Can't we use the filter table? – golder3 May 01 '21 at 18:53
  • @golder3 Sorry, I don't remember and I don't know. – Gilles 'SO- stop being evil' May 01 '21 at 20:15
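The enable/disable/persist procedure from this answer and the ssh exception from the comments, as one script (an added example, not code from the answer or its author). It goes a little beyond the answer by keeping the user's rules in a dedicated chain so that repeated enables never stack duplicate OUTPUT rules. Assumed values: uid 1234 and eth0 from the thread; the chain name, the NETIF and IPTABLES variables, and the use of ifupdown's MODE variable are my own conventions.

```sh
#!/bin/sh
# Added example (not the answer's own code): idempotent enable/disable of a
# per-user egress block with an ssh exception, installable as an
# /etc/network/if-up.d/ hook. Assumed values: uid 1234 and eth0 from the
# thread; the chain name and the IPTABLES override are my own conventions.
set -eu

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run
NETIF="${NETIF:-eth0}"             # not IFACE: ifupdown exports that itself

# One chain per uid keeps the user's rules together, so enabling twice never
# leaves duplicate OUTPUT entries and disabling is a single chain removal.
chain_for_uid() { printf 'restrict_uid_%s' "$1"; }

# Arguments of the OUTPUT rule that diverts the user's packets into the chain.
jump_rule() {
    printf 'OUTPUT -o %s -m owner --uid-owner %s -j %s' \
        "$NETIF" "$1" "$(chain_for_uid "$1")"
}

# Remove the jump and the chain; every step tolerates the rule being absent,
# so this is safe to run on a box where nothing was ever installed.
disable_user() {
    chain=$(chain_for_uid "$1")
    $IPTABLES -t mangle -D $(jump_rule "$1") 2>/dev/null || true
    $IPTABLES -t mangle -F "$chain" 2>/dev/null || true
    $IPTABLES -t mangle -X "$chain" 2>/dev/null || true
}

# Drop everything uid $1 sends on NETIF except TCP to port $2 (22 mirrors the
# asker's --dport ssh rule; see the tunnelling caveat in the comments).
enable_user_block() {
    chain=$(chain_for_uid "$1")
    disable_user "$1"                             # start from a clean slate
    $IPTABLES -t mangle -N "$chain"
    if [ -n "${2:-}" ]; then
        $IPTABLES -t mangle -A "$chain" -p tcp --dport "$2" -j ACCEPT
    fi
    $IPTABLES -t mangle -A "$chain" -j DROP
    $IPTABLES -t mangle -A $(jump_rule "$1")
}

# CLI: enable|disable.  Under ifupdown there are no arguments, but MODE is
# "start" when an interface comes up, so the hook enables itself then.
case "${1:-${MODE:-}}" in
    enable|start) enable_user_block 1234 22 ;;
    disable)      disable_user 1234 ;;
esac
```

Run it as root with `enable` or `disable` for the on-demand case, or copy it to /etc/network/if-up.d/ (executable) so the block is re-applied after every reboot; the ip6tables counterpart is the same script with IPTABLES=ip6tables.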

I would not use iptables for this.

I assume that A and B are associated with the fixed IPs ClientA and ClientB. I assume that your Internet-Proxy is ServerI (your Ubuntu-Server?).

So I would add a deny/drop routing entry from ClientA to ServerI.

I don't use Ubuntu - so I can't tell you which config file to use to make that setting permanent (surviving a reboot).

Perhaps someone can add that detail?


If firewalld is part of your setup, you can block network access for a specific user using a direct rule, i.e.:

/etc/firewalld/direct.xml
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" 
         table="filter" 
         chain="restrict_user_ipv4"/>
  <rule ipv="ipv4" 
        table="filter" 
        chain="OUTPUT" 
        priority="1">-m owner --uid-owner user -j restrict_user_ipv4</rule>
  <rule ipv="ipv4" 
        table="filter" 
        chain="restrict_user_ipv4" 
        priority="3">-j DROP</rule>
  <chain ipv="ipv6" 
         table="filter" 
         chain="restrict_user_ipv6"/>
  <rule ipv="ipv6" 
        table="filter" 
        chain="OUTPUT" 
        priority="1">-m owner --uid-owner user -j restrict_user_ipv6</rule>
  <rule ipv="ipv6" 
        table="filter" 
        chain="restrict_user_ipv6" 
        priority="3">-j DROP</rule>
</direct>

Don't forget to reload with

# firewall-cmd --reload
