[lug] restricting internet access
qqq1one @yahoo.com
Sun Mar 13 21:42:11 MST 2005
Looks like my last post got garbled somehow. Here it is again
(hopefully ungarbled).
--- Kevin Fenzi <kevin at scrye.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> >>>>> "qqq1one" == qqq1one <qqq1one at yahoo.com> writes:
>
> qqq1one> Is there an easy way to only allow certain users to access
> qqq1one> the internet After doing an internet search, it seems like
> qqq1one> the tool known as squid could do the job, but it also seems
> qqq1one> to present quite the learning curve to be able to figure out
> qqq1one> how to set it up correctly.
>
> You wish to restrict all access? Or only web access?
>
I wish to restrict all access for all but 1 or 2 users.
> How is your network setup? Do you have a firewall?
> Everyone using the same machine? Separate machines?
>
I've been using the redhat-config-securitylevel tool with the level set
to "high", no trusted devices, and no incoming traffic allowed. On a
regular basis, however, I have to set eth0 as a trusted device for
VPN. Everyone is using the same machine.
> qqq1one> I'd just like to be able to specify users x and y, and no
> qqq1one> other users, can use ports that network services can run on.
> qqq1one> Can this be done with just a few lines in a config file
> qqq1one> somewhere? And the trickier part, what would need to be on
> qqq1one> those lines?
>
> How can you tell users apart? Are they coming from different IP
> addresses? If so, it could easily be setup in a firewall to allow
> access out to only those IP addresses.
>
> iptables -A OUTPUT -s okuserip -j ACCEPT
> iptables -A OUTPUT -s disalloweduser -j DENY
>
They're all on localhost.
> If you can't isolate users to a particular IP address, if you have a
> single machine, you can use the iptables 'owners' module to try and
> match only processes belonging to a particular user, i.e. to allow user
> with uid 500 to send packets out and drop all the rest:
>
> iptables -A OUTPUT -m owner --uid-owner 500 -j ACCEPT
> iptables -A OUTPUT -j DENY
>
OK, this seems to do what I need. I'm not completely up to speed on
editing the iptables file, but I gave this a try and it worked (the
restart script complained about "DENY" though, so I changed it to
"REJECT" like some of the other rules that were already in the
config file - then it worked).
I think I've got one more step to go though. When I run
redhat-config-securitylevel, it overwrites the changes I make to the
iptables file. It must be getting its rules from some other file, but
I can't find it to go modify it. Anybody know where it lives?
> If you are just trying to restrict web access, squid will allow you to
> set up a user/password requirement for browsing. As you mentioned it's
> not all that easy to set up however.
>
> qqq1one> Thanks in advance.
>
> kevin
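A worked version of the per-user outbound rules discussed above, added here as an example and not part of either poster's message. The function below only prints the iptables commands so they can be reviewed before running them as root; the uids 500 and 501 in the usage line are constructed placeholders. It assumes a single machine where every user shares the same IP (as in the thread), so filtering is done with the owner match rather than by source address, and it uses REJECT rather than DENY because DENY is an ipchains target that iptables does not accept.

```shell
#!/bin/sh
# Added example (not from the thread): build an OUTPUT chain that only lets
# the listed numeric uids originate traffic, using iptables' owner match.
# The function prints the commands instead of running them, so it can be
# inspected (and tested) without root.

# gen_owner_rules UID [UID...]
# Prints iptables commands to stdout; returns non-zero on a malformed uid.
gen_owner_rules() {
    [ "$#" -ge 1 ] || { echo "usage: gen_owner_rules UID [UID...]" >&2; return 2; }
    for uid in "$@"; do
        # Only digits are accepted: a typo such as "5OO" would otherwise
        # produce a rule that silently matches nobody.
        case "$uid" in
            ''|*[!0-9]*) echo "bad uid: $uid" >&2; return 2 ;;
        esac
    done
    # Start from an empty OUTPUT chain so re-running does not stack duplicates.
    echo "iptables -F OUTPUT"
    # Loopback must stay open or purely local services (X, local caches) break.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # One ACCEPT per permitted uid. Note that root-owned daemons (ntpd, package
    # updates) are blocked too unless uid 0 is included in the list.
    for uid in "$@"; do
        echo "iptables -A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
    done
    # Everything else is refused. REJECT tells the local program immediately;
    # DROP would make it wait for a timeout instead.
    echo "iptables -A OUTPUT -j REJECT"
}

# Usage (review the output first, then run it as root):
#   gen_owner_rules 500 501 > /tmp/owner-rules.sh && sh /tmp/owner-rules.sh
```

Because the rules are applied with plain iptables commands, they live only in the running kernel; on a Red Hat style system the init script reloads whatever is in /etc/sysconfig/iptables at boot, so the same rules have to be saved there (iptables-save) to survive a restart, and any GUI that rewrites that file will discard them again.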