[PLUG] Limiting Internet Access in Linux...

drew wymore drew.wymore at gmail.com
Thu Nov 5 06:02:35 UTC 2009


On Wed, Nov 4, 2009 at 9:57 PM, drew wymore <drew.wymore at gmail.com> wrote:

>
>
> On Wed, Nov 4, 2009 at 9:48 PM, Michael Robinson <plug_1 at robinson-west.com> wrote:
>
>>
>> On Wed, 2009-11-04 at 21:33 -0800, drew wymore wrote:
>> > On Wed, Nov 4, 2009 at 9:27 PM, Michael Robinson <plug_1 at robinson-west.com> wrote:
>> >
>> > > Is there a way to allow squid and postfix and basically system programs,
>> > > but not firefox, to head to the Internet?  Apparently, there is
>> > > something in iptables that allows blocking by user name...  anyone
>> > > have a recipe that will do the trick?
>> > >
>> > > Firefox plugins are not an option because there is no way at all to
>> > > protect them due to the way firefox is designed, ugh!
>> > >
>> > > A server may have X Windows and firefox and in that event be web surfing
>> > > capable, but what if you don't want to allow web surfing from the server
>> > > itself?
>> > >
>> > > My server needs to allow its web server to be accessed from the Net and
>> > > block people on it directly from surfing out at the same time.  It is a
>> > > mail server in that it can do smtp to a Net host, but it is not imap or
>> > > pop accessible from the Net and shouldn't be.  There is a squid instance
>> > > on this server that needs to be able to go out to the Net.
>> > >
>> > > I'm thinking something like:
>> > >
>> > > iptables -m user ... is what I need.
>> > >
>> > > _______________________________________________
>> > > PLUG mailing list
>> > > PLUG at lists.pdxlinux.org
>> > > http://lists.pdxlinux.org/mailman/listinfo/plug
>> > >
>> >
>> > Why not just block outgoing port 80 and 443 requests? Problem solved.
>>
>> No, that doesn't allow local area network access.  It would stop squid
>> from going out which would break the filtered proxy.
>>
>> I'm experimenting with:
>>
>> iptables -A OUTPUT_USER -m owner --uid-owner 500 -j DROP
>>
>> where 500 is a user id.
>>
>>
>
>
> You could always deny first then white list local network hosts and add an
> allow statement for the proxy although you may need to do a tcpdump to see
> if it uses the same port every single time for an outbound request. So you
> filter based on the source and destinations for the proxy if the proxy port
> is the same each time. I wasn't aware of denials based on user name, so if
> you get that working I'd be interested in seeing how you set it up and how
> it works.
>
> Drew-
>

This may also be of some use.

 http://www.linux.com/archive/feature/121374
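For anyone wanting to try the per-UID approach Michael mentions, here is a worked rule set. This is an added example, not code from the thread or from Michael; only the chain name OUTPUT_USER comes from his post. The LAN subnet (192.168.1.0/24), the account names squid and postfix, the interactive-user UID range 500-65534 (the 2009-era Red Hat/Fedora convention, matching his UID 500) and the REJECT target are all assumptions to adapt. By default the script only prints the rules so they can be reviewed; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread: a per-UID egress policy using the
# iptables owner match. The chain name OUTPUT_USER is from Michael's post;
# everything below is an assumption to adapt:
#   LAN         - the local network that everyone may still reach
#   PROXY_USER  - the account squid runs as
#   MTA_USER    - the account postfix runs as
#   RESTRICTED  - UID range of interactive (non-system) users; 500+ was the
#                 convention on 2009-era Red Hat/Fedora systems
# DRY_RUN=1 (the default) prints the rules instead of applying them.

LAN=${LAN:-192.168.1.0/24}
PROXY_USER=${PROXY_USER:-squid}
MTA_USER=${MTA_USER:-postfix}
RESTRICTED=${RESTRICTED:-500-65534}
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}

# Print or execute one iptables invocation, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Emit the complete rule set, in order. Order matters: the accepts for
# loopback, established flows, the LAN and the daemons must come before
# the catch-all reject for interactive users.
egress_rules() {
    # A dedicated chain keeps this policy separate from the rest of OUTPUT.
    ipt -N OUTPUT_USER 2>/dev/null || true
    ipt -F OUTPUT_USER

    # Loopback (X, the local squid listener, local mail submission) is
    # always allowed.
    ipt -A OUTPUT_USER -o lo -j ACCEPT
    # Packets belonging to flows already accepted, including the web
    # server's replies to inbound clients, pass without a per-packet UID check.
    ipt -A OUTPUT_USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Everyone, firefox included, may still reach the LAN (the reason a
    # blanket block of outbound 80/443 was turned down in the thread).
    ipt -A OUTPUT_USER -d "$LAN" -j ACCEPT

    # Daemons that must reach the Internet, matched by the UID they run as.
    # The owner match only sees locally generated packets, so this only
    # works in OUTPUT (never INPUT or FORWARD).
    ipt -A OUTPUT_USER -m owner --uid-owner "$PROXY_USER" -j ACCEPT
    ipt -A OUTPUT_USER -m owner --uid-owner "$MTA_USER" -j ACCEPT

    # Interactive users get nothing else. REJECT rather than DROP so the
    # browser fails immediately instead of hanging until a timeout.
    ipt -A OUTPUT_USER -m owner --uid-owner "$RESTRICTED" \
        -j REJECT --reject-with icmp-admin-prohibited

    # Anything that falls off the end of OUTPUT_USER (system UIDs such as
    # root, apache or cron) returns to OUTPUT and is handled by its policy.
    ipt -A OUTPUT -j OUTPUT_USER
}

egress_rules
```

Two caveats worth checking before relying on this. A UID range in --uid-owner needs the xt_owner match (iptables 1.4 / kernel 2.6.24 or later); on older systems use one rule per user, as Michael's single-UID rule does. And a browser on the server that is configured to use the local squid as its proxy talks to it over loopback and the fetch then leaves the box as user squid, so the owner rule never sees it; that case has to be covered by squid itself (its content filter, or an ACL denying localhost clients). Re-running the script as written appends a second jump to OUTPUT_USER, so delete the old one first when re-applying.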


