[PLUG] Limiting Internet Access in Linux...

drew wymore drew.wymore at gmail.com
Thu Nov 5 05:57:24 UTC 2009


On Wed, Nov 4, 2009 at 9:48 PM, Michael Robinson
<plug_1 at robinson-west.com>wrote:

>
> On Wed, 2009-11-04 at 21:33 -0800, drew wymore wrote:
> > On Wed, Nov 4, 2009 at 9:27 PM, Michael Robinson
> > <plug_1 at robinson-west.com>wrote:
> >
> > > Is there a way to allow squid and postfix and basically system programs,
> > > but not firefox, to head to the Internet?  Apparently, there is
> > > something in iptables that allows blocking by user name...  anyone
> > > have a recipe that will do the trick?
> > >
> > > Firefox plugins are not an option because there is no way at all to
> > > protect them due to the way firefox is designed, ugh!
> > >
> > > A server may have X Windows and firefox and in that event be web surfing
> > > capable, but what if you don't want to allow web surfing from the server
> > > itself?
> > >
> > > My server needs to allow its web server to be accessed from the Net and
> > > block people on it directly from surfing out at the same time.  It is a
> > > mail server in that it can do smtp to a Net host, but it is not imap or
> > > pop accessible from the Net and shouldn't be.  There is a squid instance
> > > on this server that needs to be able to go out to the Net.
> > >
> > > I'm thinking something like:
> > >
> > > iptables -m user ... is what I need.
> > >
> > > _______________________________________________
> > > PLUG mailing list
> > > PLUG at lists.pdxlinux.org
> > > http://lists.pdxlinux.org/mailman/listinfo/plug
> > >
> >
> > Why not just block outgoing port 80 and 443 requests? Problem solved.
>
> No, that doesn't allow local area network access.  It would stop squid
> from going out which would break the filtered proxy.
>
> I'm experimenting with:
>
> iptables -A OUTPUT_USER -m owner --uid-owner 500 -j DROP
>
> where 500 is a user id.
>
>


You could always deny first then whitelist local network hosts and add an
allow statement for the proxy although you may need to do a tcpdump to see
if it uses the same port every single time for an outbound request. So you
filter based on the source and destinations for the proxy if the proxy port
is the same each time. I wasn't aware of denials based on user name, so if
you get that working I'd be interested in seeing how you set it up and how
it works.

Drew-
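An added example (not from either poster) that combines the two approaches in this thread: Drew's deny-first-then-whitelist-the-LAN ordering and Michael's `-m owner --uid-owner` match, with the daemons allowed out by account name instead of a single uid being dropped. Assumed names: the OUTPUT_USER chain from Michael's rule, a constructed LAN range, and "squid"/"postfix" as the accounts the daemons run under on this host.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: the OUTPUT_USER chain
# from Michael's rule, a constructed LAN range, and "squid"/"postfix" as the
# account names of the daemons that may leave the box; adjust for the host.
set -e

IPT="${IPT:-iptables}"               # IPT=echo prints the rules instead of loading them
LAN_NET="${LAN_NET:-192.168.1.0/24}" # constructed example LAN

# egress_policy <lan_net> <allowed_user>...
# Default-deny egress for locally generated traffic: LAN and reply traffic
# always pass, listed uids pass, every other uid (interactive users running
# firefox) is logged and dropped.  The owner match only works in OUTPUT and
# POSTROUTING, so this hooks into OUTPUT; forwarded traffic is unaffected.
egress_policy() {
    lan="$1"; shift
    $IPT -N OUTPUT_USER 2>/dev/null || $IPT -F OUTPUT_USER
    # replies from the web server to inbound clients belong to existing flows
    $IPT -A OUTPUT_USER -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT_USER -o lo -j ACCEPT
    $IPT -A OUTPUT_USER -d "$lan" -j ACCEPT
    # daemons that must reach the Net, matched by the uid of the owning socket
    for u in "$@"; do
        $IPT -A OUTPUT_USER -m owner --uid-owner "$u" -j ACCEPT
    done
    $IPT -A OUTPUT_USER -j LOG --log-prefix "egress-denied: "
    $IPT -A OUTPUT_USER -j DROP
    # attach the chain to OUTPUT exactly once
    $IPT -C OUTPUT -j OUTPUT_USER 2>/dev/null || $IPT -I OUTPUT -j OUTPUT_USER
}

# usage: sh egress.sh squid postfix   (prefix with IPT=echo for a dry run)
if [ "$#" -gt 0 ]; then
    egress_policy "$LAN_NET" "$@"
fi
```

Root is not in the allow list, so anything running as uid 0 (cron jobs fetching updates, for instance) is also dropped until you add it. The policy is only as strong as the uid boundary: a user who can become root or another listed account is not constrained by it.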


