[PLUG] Limiting Internet Access in Linux...
Michael Robinson
plug_1 at robinson-west.com
Thu Nov 5 08:00:19 UTC 2009
> > You could always deny first then white list local network hosts and add an
> > allow statement for the proxy although you may need to do a tcpdump to see
> > if it uses the same port every single time for an outbound request. So you
> > filter based on the source and destinations for the proxy if the proxy port
> > is the same each time. I wasn't aware of denials based on user name, so if
> > you get that working I'd be interested in seeing how you set it up and how
> > it works.
> >
> > Drew-
It works like a charm. What I'm doing is making a
special chain hooked as rule 1 to the OUTPUT chain.
I have to do user based packet blocking as dropping
the user specification I'd probably block legitimate
access to the Net from squid, postfix, yum,...
As an example where 500 is a normal user...
# create the user chain and hook it in as rule 1 of OUTPUT
iptables -N OUTPUT_USER
iptables -I OUTPUT 1 -j OUTPUT_USER
# uid 500 may reach the local network and loopback only
iptables -A OUTPUT_USER -m owner --uid-owner 500 \
 -d 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT_USER -m owner --uid-owner 500 \
 -d 127.0.0.1 -j ACCEPT
# everything else from uid 500 is dropped
iptables -A OUTPUT_USER -m owner --uid-owner 500 \
 -j DROP
NOTE that the first rule in the OUTPUT chain is to
jump to the OUTPUT_USER chain and it has to be or
this probably won't work. Remember that I'm
firewalling an X enabled server so that people
can't surf the Net from it. The biggest problem
with allowing surfing of the Net from a server on
the Net is that I can't force the users to go
through a filter.
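The setup described above as a reusable script, added here as an example and not taken from the original post: it creates the OUTPUT_USER chain only if needed, inserts the jump as rule 1 of OUTPUT only if it is not already there, and adds the per-UID rules for any number of UIDs. It assumes the LAN is 192.168.0.0/16 as in the post (override with LAN=...) and prints the commands instead of running them unless called with --apply, which needs root.

```shell
#!/bin/sh
# Added example: per-UID egress filtering with an OUTPUT_USER chain.
# Assumes LAN 192.168.0.0/16 as in the post; override with LAN=... .
set -eu

LAN="${LAN:-192.168.0.0/16}"

# Create the chain (ignore "already exists") and make sure the jump to it
# is rule 1 of OUTPUT; the post notes it must be first or the filter is bypassed.
ensure_chain() {
    iptables -N OUTPUT_USER 2>/dev/null || true
    if ! iptables -C OUTPUT -j OUTPUT_USER 2>/dev/null; then
        iptables -I OUTPUT 1 -j OUTPUT_USER
    fi
}

# Per-UID rules: LAN and loopback allowed, everything else dropped.
# Other UIDs (squid, postfix, yum, ...) match nothing here and return to
# OUTPUT untouched; -m owner only sees locally generated packets.
add_user_rules() {
    uid="$1"
    iptables -A OUTPUT_USER -m owner --uid-owner "$uid" -d "$LAN" -j ACCEPT
    iptables -A OUTPUT_USER -m owner --uid-owner "$uid" -d 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT_USER -m owner --uid-owner "$uid" -j DROP
}

# setup_user_egress UID [UID ...]
setup_user_egress() {
    ensure_chain
    for uid in "$@"; do
        add_user_rules "$uid"
    done
}

if [ "${1:-}" = "--apply" ]; then
    shift
    setup_user_egress "$@"          # real run, needs root
elif [ $# -gt 0 ]; then
    # Dry run: print each command; report the jump as absent so it is shown.
    iptables() { printf 'iptables %s\n' "$*"; [ "$1" != "-C" ]; }
    setup_user_egress "$@"
fi
```

Run as `sh script.sh 500 501` to see the rules, `sudo sh script.sh --apply 500 501` to install them.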