[PLUG] Limiting Internet Access in Linux...

Michael Robinson plug_1 at robinson-west.com
Thu Nov 5 05:48:44 UTC 2009


On Wed, 2009-11-04 at 21:33 -0800, drew wymore wrote:
> On Wed, Nov 4, 2009 at 9:27 PM, Michael Robinson
> <plug_1 at robinson-west.com>wrote:
> 
> > Is there a way to allow squid and postfix and basically system programs,
> > but not firefox, to head to the Internet?  Apparently, there is
> > something in iptables that allows blocking by user name...  anyone
> > have a recipe that will do the trick?
> >
> > Firefox plugins are not an option because there is no way at all to
> > protect them due to the way firefox is designed, ugh!
> >
> > A server may have X Windows and firefox and in that event be web surfing
> > capable, but what if you don't want to allow web surfing from the server
> > itself?
> >
> > My server needs to allow its web server to be accessed from the Net and
> > block people on it directly from surfing out at the same time.  It is a
> > mail server in that it can do smtp to a Net host, but it is not imap or
> > pop accessible from the Net and shouldn't be.  There is a squid instance
> > on this server that needs to be able to go out to the Net.
> >
> > I'm thinking something like:
> >
> > iptables -m user ... is what I need.
> >
> > _______________________________________________
> > PLUG mailing list
> > PLUG at lists.pdxlinux.org
> > http://lists.pdxlinux.org/mailman/listinfo/plug
> >
> 
> Why not just block outgoing port 80 and 443 requests? Problem solved.

No, that doesn't allow local area network access.  It would stop squid
from going out which would break the filtered proxy.

I'm experimenting with:

iptables -A OUTPUT_USER -m owner --uid-owner 500 -j DROP

where 500 is a user id.
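A rule set that implements the policy discussed in this thread, written as an added example rather than the poster's own configuration: the blocked uid keeps local-network access while squid, postfix and root-owned daemons fall through to the normal OUTPUT policy. The subnet, the uid default, and the `ipt`/`rule_count` dry-run helpers are assumptions for illustration; the owner match itself only works in OUTPUT (and POSTROUTING), since only locally generated packets have an owning process.

```shell
#!/bin/sh
# Restrict outbound Internet access per local user with iptables' owner match.
# Assumed policy (subnet and helper names are placeholders, not from the thread):
#   - squid and postfix run under their own users and may reach the Internet
#   - the interactive user (uid 500 in the thread) keeps LAN access only

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed local subnet
BLOCKED_UID="${BLOCKED_UID:-500}"      # uid named in the thread
IPTABLES="${IPTABLES:-iptables}"

# ipt: run iptables, or only print the command when IPT_DRY_RUN is set,
# so the rule set can be reviewed on a machine without root.
ipt() {
    if [ -n "${IPT_DRY_RUN:-}" ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

build_output_rules() {
    # Dedicated chain hooked into OUTPUT; owner matching only works there.
    ipt -N OUTPUT_USER
    ipt -A OUTPUT -j OUTPUT_USER
    # Loopback and replies to existing connections are never user-restricted.
    ipt -A OUTPUT_USER -o lo -j ACCEPT
    ipt -A OUTPUT_USER -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The blocked user may talk to the LAN (including a LAN DNS or squid
    # listener) but nothing beyond it.
    ipt -A OUTPUT_USER -m owner --uid-owner "$BLOCKED_UID" -d "$LAN_NET" -j ACCEPT
    ipt -A OUTPUT_USER -m owner --uid-owner "$BLOCKED_UID" -j DROP
    # Everyone else (squid, postfix, root-owned daemons) returns to OUTPUT's
    # existing policy untouched.
    ipt -A OUTPUT_USER -j RETURN
}

# rule_count: number of iptables commands the policy emits (dry-run check).
rule_count() {
    IPT_DRY_RUN=1 build_output_rules | wc -l | tr -d ' '
}
```

Run with `IPT_DRY_RUN=1 build_output_rules` first to inspect the commands; unset it to apply them as root.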
