[lug] restricting internet access
qqq1one at yahoo.com
Sun Mar 13 17:04:34 MST 2005
--- Kevin Fenzi <kevin at scrye.com> wrote:
> >>>>> "qqq1one" == qqq1one <qqq1one at yahoo.com> writes:
>
> qqq1one> Is there an easy way to only allow certain users to access
> qqq1one> the internet? After doing an internet search, it seems like
> qqq1one> the tool known as squid could do the job, but it also seems
> qqq1one> to present quite the learning curve to be able to figure out
> qqq1one> how to set it up correctly.
>
> You wish to restrict all access? Or only web access?
>
I wish to restrict all access for all but 1 or 2 users.
> How is your network set up? Do you have a firewall?
> Everyone using the same machine? Separate machines?
>
I've been using the redhat-config-securitylevel tool with the level set
to "high", no trusted devices, and no incoming traffic allowed. On a
regular basis, however, I have to set eth0 as a trusted device for
VPN. Everyone is using the same machine.
> qqq1one> I'd just like to be able to specify users x and y, and no
> qqq1one> other users, can use ports that network services can run on.
> qqq1one> Can this be done with just a few lines in a config file
> qqq1one> somewhere? And the trickier part, what would need to be on
> qqq1one> those lines?
>
> How can you tell users apart? Are they coming from different IP
> addresses? If so, it could easily be set up in a firewall to allow
> access out to only those IP addresses.
>
> iptables -A OUTPUT -s okuserip -j ACCEPT
> iptables -A OUTPUT -s disalloweduser -j DENY
>
They're all on localhost.
> If you can't isolate users to a particular IP address, if you have a
> single machine, you can use the iptables 'owner' module to try and
> match only processes belonging to a particular user. ie, to allow user
> with uid 500 to send packets out and drop all the rest:
>
> iptables -A OUTPUT -m owner --uid-owner 500 -j ACCEPT
> iptables -A OUTPUT -j DENY
>
OK, this seems to do what I need. I'm not completely up to speed on
editing the iptables file, but I gave this a try and it worked (the
restart script complained about "DENY" though, so I changed it to
"REJECT" like some of the other rules that were already in the
config file - then it worked).

I think I've got one more step to go though. When I run
redhat-config-securitylevel it overwrites the changes I make to the
iptables file. It must be getting its rules from some other file, but
I can't find it to go modify it. Anybody know where it lives?
> If you are just trying to restrict web access, squid will allow you
> to set up a user/password requirement for browsing. As you mentioned
> it's not all that easy to set up however.
>
> qqq1one> Thanks in advance.
>
> kevin
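An added example, not from the thread or either poster, that generates the per-user egress policy Kevin describes in iptables-restore format, with the ipchains-era DENY target replaced by REJECT as qqq1one found necessary. The helper names `egress_policy` and `allowed_count` and the uids 500/501 are constructed; the file path in the comments is an assumption about what the "iptables file" in the thread refers to.

```shell
#!/bin/sh
# Constructed example: emit a per-user egress policy built on the
# iptables 'owner' match, in iptables-restore format, so it can be
# reviewed and then loaded with `iptables-restore < file`. On Red Hat
# systems the init script reads /etc/sysconfig/iptables (assumed to be
# the "iptables file" from the thread). Without --noflush,
# iptables-restore replaces the whole filter table, so merge these lines
# into the existing file rather than loading them on their own.
#
# egress_policy USER-OR-UID [USER-OR-UID ...]
# Loopback stays open for everyone (local DNS caches, X, etc. need it);
# outbound packets are accepted only for the listed owners; every other
# locally generated packet is rejected. The owner match only works in
# OUTPUT (and POSTROUTING) because it needs a local socket to inspect.
egress_policy() {
    [ "$#" -gt 0 ] || { echo "usage: egress_policy user|uid ..." >&2; return 1; }
    uids=""
    for who in "$@"; do
        case "$who" in
            '') echo "empty owner" >&2; return 1 ;;
            *[!0-9]*)
                # A login name: resolve it to a numeric uid, fail if unknown.
                uid=$(id -u "$who" 2>/dev/null) || { echo "unknown user: $who" >&2; return 1; }
                ;;
            *) uid=$who ;;
        esac
        uids="$uids $uid"
    done
    echo '*filter'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A OUTPUT -o lo -j ACCEPT'
    for uid in $uids; do
        echo "-A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
    done
    # DENY was an ipchains target; iptables only knows DROP and REJECT.
    # REJECT gives the blocked user an immediate error instead of a hang.
    echo '-A OUTPUT -j REJECT'
    echo 'COMMIT'
}

# Number of owners a generated policy allows, for a quick sanity check.
allowed_count() {
    egress_policy "$@" | grep -c -- '--uid-owner'
}

# Example run with constructed uids 500 and 501:
#   egress_policy 500 501
```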