block specific users from going to the internet

roland_br
Posts: 56
Joined: 2006/06/09 09:38:21

block specific users from going to the internet

Post by roland_br » 2012/07/18 07:23:32

The connection to the server is made with nomachine or vnc.
Within this connection some users start a terminal session, which runs a specific application.
This application will sometimes send emails.

Some of these users are not allowed to connect to the internet; more specifically, no surfing.

I suppose this is a common problem in companies.

I tried to use iptables:

    iptables -A OUTPUT -p tcp -m owner --uid-owner (user name to block) -j DROP

But this will prevent these users from connecting to this server.
So OUTPUT is somehow also INPUT?

Of course port 587 should stay open for sendmail.

Does anybody have a solution for this?

Roland

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: block specific users from going to the internet

Post by unspawn » 2012/07/20 22:55:40

Could be something like

    iptables -A OUTPUT -o eth0 -p tcp ! -d $LANRANGE -m state --state NEW -m owner --uid-owner $UID -j DROP

where "-m state --state NEW" only considers new (not yet tracked) connections and "! -d $LANRANGE" makes it apply only to connections trying to escape your LAN range.
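
Putting the two posts together as one rule set, as an added example that is not from either poster: it assumes user alice, interface eth0 and LAN range 192.168.0.0/16, keeps the mail submission port from the first post open, and prints the commands instead of running them so the rules can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the OUTPUT rules that
# confine one user's new outbound connections to the LAN while
# leaving the user's inbound VNC/NX session and mail submission working.
# Assumed values: user "alice", interface "eth0", LAN 192.168.0.0/16.

build_user_egress_rules() {
    user="$1"
    iface="$2"
    lanrange="$3"

    # Replies to connections that already exist (the user's own VNC/NX
    # session that was accepted in INPUT) are ESTABLISHED, never NEW, so
    # they are accepted here. This is why the bare --uid-owner DROP rule
    # in the first post also killed the remote session: its reply packets
    # leave via OUTPUT as the user, and that rule matched them too.
    printf 'iptables -A OUTPUT -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$iface"

    # Mail submission stays open for this user (port 587, as the first post asks).
    # Must come before the DROP rule; iptables stops at the first match.
    printf 'iptables -A OUTPUT -o %s -p tcp --dport 587 -m state --state NEW -m owner --uid-owner %s -j ACCEPT\n' \
        "$iface" "$user"

    # Everything else this user tries to open towards a non-LAN address is dropped.
    printf 'iptables -A OUTPUT -o %s ! -d %s -m state --state NEW -m owner --uid-owner %s -j DROP\n' \
        "$iface" "$lanrange" "$user"
}

# Review the generated rules; to apply them, pipe the output through "sh" as root.
# Afterwards "iptables -L OUTPUT -v -n" shows per-rule packet counters, so a
# rising counter on the DROP line confirms the user's attempts are being caught.
build_user_egress_rules alice eth0 192.168.0.0/16
```

If the application hands mail to a local MTA on the same host, that traffic travels over lo rather than eth0 and is not affected by these rules at all.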
