[lug] restricting internet access

Kevin Fenzi kevin at scrye.com
Sun Mar 13 11:21:10 MST 2005


>>>>> "qqq1one" == qqq1one  <qqq1one at yahoo.com> writes:

qqq1one> Is there an easy way to only allow certain users to access
qqq1one> the internet?  After doing an internet search, it seems like
qqq1one> the tool known as squid could do the job, but it also seems
qqq1one> to present quite the learning curve to be able to figure out
qqq1one> how to set it up correctly.

You wish to restrict all access? Or only web access?

How is your network set up? Do you have a firewall?
Everyone using the same machine? Separate machines?

qqq1one> I'd just like to be able to specify users x and y, and no
qqq1one> other users, can use ports that network services can run on.
qqq1one> Can this be done with just a few lines in a config file
qqq1one> somewhere?  And the trickier part, what would need to be on
qqq1one> those lines?

How can you tell users apart? Are they coming from different IP
addresses? If so, it could easily be set up in a firewall to allow
access out to only those IP addresses.

# On a firewall box the other hosts' packets cross FORWARD, not OUTPUT,
# and iptables has no DENY target (that was ipchains): use DROP or REJECT.
iptables -A FORWARD -s okuserip -j ACCEPT
iptables -A FORWARD -s disalloweduser -j DROP

If you can't isolate users to a particular IP address, if you have a
single machine, you can use the iptables 'owner' module to try and
match only processes belonging to a particular user. I.e., to allow user
with uid 500 to send packets out and drop all the rest:

# The owner match only works on locally generated packets, i.e. OUTPUT.
iptables -A OUTPUT -m owner --uid-owner 500 -j ACCEPT
# DENY is not an iptables target; DROP (or REJECT) is.
iptables -A OUTPUT -j DROP

If you are just trying to restrict web access, squid will allow you to
set up a user/password requirement for browsing. As you mentioned, it's
not all that easy to set up, however.

qqq1one> Thanks in advance.

kevin
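The two rulesets from Kevin's reply, written out as one complete shell script. This is an example added by the editor, not code from the original message. It assumes the xt_owner match module and iptables-restore are available; the UIDs (500, 1001), the interface name eth1 and the 192.0.2.x addresses are made-up sample values. It also adds what the two-line versions leave out: loopback and reply traffic are exempted so root's daemons (sshd and friends) keep working under the DROP policy, the per-host rules for the firewall case go in FORWARD because traffic from other machines never passes OUTPUT, and REJECT is used for the final rule so a blocked user's programs fail at once instead of hanging.

```shell
#!/bin/sh
# Added example (not from the original message): generate iptables-restore
# rulesets for the two situations in the reply. Requires the xt_owner match
# and iptables-restore. All UIDs, interface names and addresses used here
# are made-up sample values.

# Shared machine: tell users apart by the UID of the process that sends
# the packet. Only locally generated packets traverse OUTPUT, which is
# exactly where the owner match works.
# Usage: owner_ruleset UID [UID...]
owner_ruleset() {
    # Policy DROP is the backstop in case the final REJECT rule is removed.
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT DROP [0:0]'
    # Without these two exceptions the DROP policy also kills loopback
    # traffic and the replies of services run by root (sshd, etc.).
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT' \
        '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for uid in "$@"; do
        case "$uid" in
            ''|*[!0-9]*)
                echo "owner_ruleset: '$uid' is not a numeric uid" >&2
                return 1 ;;
        esac
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
    done
    # REJECT rather than plain DROP so the blocked user's programs fail
    # immediately instead of hanging until a timeout.
    printf '%s\n' '-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited' \
        'COMMIT'
}

# Separate machines behind a firewall: tell users apart by source IP.
# Their packets cross FORWARD, not OUTPUT (OUTPUT sees only packets the
# firewall itself generates), so the per-host rules go there.
# Usage: firewall_ruleset LAN_IFACE IP [IP...]
firewall_ruleset() {
    lan_if=$1
    shift
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        # -i pins the rule to the LAN side, so a packet with a spoofed
        # allowed source address arriving on the outside does not pass.
        printf '%s\n' "-A FORWARD -i $lan_if -s $ip -j ACCEPT"
    done
    printf '%s\n' '-A FORWARD -j REJECT --reject-with icmp-admin-prohibited' \
        'COMMIT'
}

# To apply on a real box (as root), for example:
#   owner_ruleset 500 1001 | iptables-restore
#   firewall_ruleset eth1 192.0.2.10 192.0.2.11 | iptables-restore
```

Run either function without piping it into iptables-restore first and read the output; an iptables-restore run replaces the whole filter table, so anything you already had in INPUT or FORWARD needs to be merged in. Note that the owner match only sees the UID of the sending process, so a restricted user who can run a setuid program or a service that speaks to the network on their behalf (a local proxy, sendmail, cron jobs owned by root) is not covered by it.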



More information about the LUG mailing list