[PLUG] Limiting Internet Access in Linux...

Brent Jones brent at servuhome.net
Sun Nov 8 08:06:18 UTC 2009


On Thu, Nov 5, 2009 at 12:00 AM, Michael Robinson
<plug_1 at robinson-west.com> wrote:
>> > You could always deny first then white list local network hosts and add an
>> > allow statement for the proxy although you may need to do a tcpdump to see
>> > if it uses the same port every single time for an outbound request. So you
>> > filter based on the source and destinations for the proxy if the proxy port
>> > is the same each time. I wasn't aware of denials based on user name, so if
>> > you get that working I'd be interested in seeing how you set it up and how
>> > it works.
>> >
>> > Drew-
>
> It works like a charm.  What I'm doing is making a
> special chain hooked as rule 1 to the OUTPUT chain.
> I have to do user-based packet blocking, as by dropping
> the user specification I'd probably block legitimate
> access to the Net from squid, postfix, yum, ...
>
> As an example where 500 is a normal user...
> iptables -A OUTPUT_USER -m owner --uid-owner 500 \
>         -d 192.168.0.0/16 -j ACCEPT
> iptables -A OUTPUT_USER -m owner --uid-owner 500 \
>         -d 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT_USER -m owner --uid-owner 500 \
>         -j DROP
>
> NOTE that the first rule in the OUTPUT chain is to
> jump to the OUTPUT_USER chain and it has to be or
> this probably won't work.  Remember that I'm
> firewalling an X enabled server so that people
> can't surf the Net from it.  The biggest problem
> with allowing surfing of the Net from a server on
> the Net is that I can't force the users to go
> through a filter.
>
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>

Wouldn't it be easier to put a transparent squid proxy upstream of the
connection, rather than mucking with ugly iptables rules per user,
etc.?


-- 
Brent Jones
brent at servuhome.net
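The per-user egress chain from the quoted message, written up as a script. This is an added example, not code from either poster: it keeps the post's chain name (OUTPUT_USER), UID 500 and 192.168.0.0/16, hooks the chain as rule 1 of OUTPUT as the post says it must be, and generalizes to a list of UIDs. The DRY_RUN switch, the 127.0.0.0/8 loopback range and the use of `iptables -C` to avoid inserting the jump twice are assumptions of mine, not something the thread describes.

```shell
#!/bin/sh
# Added example, not code from the list post: builds the OUTPUT_USER chain
# from the thread (deny-by-default egress for the given local users, with
# exceptions for the LAN and loopback) and hooks it as rule 1 of OUTPUT.
# UID 500, 192.168.0.0/16 and the chain name are the post's values;
# everything else here is an assumption.

IPT=${IPT:-iptables}
CHAIN=OUTPUT_USER

# With DRY_RUN=1 every rule is printed instead of applied, so the policy
# can be reviewed (or tested) without root and without a kernel.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# user_rules UID LAN_CIDR: the three rules from the post for one user.
# Order matters: both ACCEPTs must precede the catch-all DROP. The
# loopback exception is widened to 127.0.0.0/8 (an assumption) because
# local services may listen on loopback addresses other than 127.0.0.1.
user_rules() {
    uid=$1
    lan=$2
    ipt -A "$CHAIN" -m owner --uid-owner "$uid" -d "$lan" -j ACCEPT
    ipt -A "$CHAIN" -m owner --uid-owner "$uid" -d 127.0.0.0/8 -j ACCEPT
    ipt -A "$CHAIN" -m owner --uid-owner "$uid" -j DROP
}

# build_policy LAN_CIDR UID...: (re)create the chain, add the rules for
# every listed UID, then hook the chain as the first OUTPUT rule.
# Packets generated under other UIDs (squid, postfix, root for yum) never
# match an owner rule and fall through, which is the point of filtering
# by owner rather than by destination alone.
build_policy() {
    lan=$1
    shift
    ipt -N "$CHAIN" 2>/dev/null   # fails harmlessly if the chain exists
    ipt -F "$CHAIN"               # start from an empty chain on every run
    for uid in "$@"; do
        user_rules "$uid" "$lan"
    done
    # Insert the jump at position 1 only if it is not already there.
    # -C (check) needs iptables >= 1.4.11; in dry-run mode it is always emitted.
    if [ "${DRY_RUN:-0}" = 1 ] || ! "$IPT" -C OUTPUT -j "$CHAIN" 2>/dev/null; then
        ipt -I OUTPUT 1 -j "$CHAIN"
    fi
}

# rule_count LAN_CIDR UID...: number of iptables invocations the policy
# makes, 3 per user plus -N, -F and the jump. Useful as a sanity check.
rule_count() {
    ( DRY_RUN=1; build_policy "$@" ) | wc -l | tr -d ' '
}

# Usage (as root):   ./egress.sh 192.168.0.0/16 500 501
# Preview only:      DRY_RUN=1 ./egress.sh 192.168.0.0/16 500 501
if [ $# -gt 0 ]; then
    build_policy "$@"
fi
```

After applying it, `iptables -L OUTPUT -n --line-numbers | head -3` should show the jump to OUTPUT_USER at line 1; if another rule sits above it, the owner rules never see the packet, which matches the post's remark that the hook has to be first. The catch-all is a DROP as in the post, so a blocked user's connections time out rather than fail immediately; a REJECT target would make that failure visible to them instead.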
