Block a user from accessing internet on Linux

How do I block a user from accessing the internet under Linux?

Asked by: Guest | Views: 307
Guest [Entry]

First of all

iptables is the right command to do the job. But generally you would use a reasonable number of commands to set up a complete table. One command is one alteration to the table.

To find out the tables already in place and the default policy if no rules are matched, use iptables -L. Usually one would write a bash script containing all the iptables settings, where at first you flush all the chains and then put everything in at once. This is to prevent losing track of what's in and out.

Also, check your init implementation to see whether init scripts are available to make your changes persistent across power cycles (normally your tables are lost after a reboot).

Just create a script to include all your iptables commands:

#!/bin/bash
# Flush all chains of the filter table (the default table; nat/mangle are not touched)
iptables -F

# Set default policies: drop anything not explicitly accepted, let outgoing traffic through
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Don't block localhost traffic
iptables -A INPUT -i lo -j ACCEPT
# Don't re-evaluate already accepted connections (replies and related packets)
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allowed incoming tcp ports (NEW connections only; the rest is covered by the rule above)
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT # SSH
# Add whatever else you wish to allow here

See this article for more tips on standard iptables rules.

Now to answer your question

First we needed to make sure you have a basic firewall up and running. Now you can add your rule to your script to take effect. Please take into account the suggestions from the other answers: a user can easily bypass two blocked ports with a proxy or alternate ports.

Furthermore, your syntax was not correct: --dport can take only one port. You need to use the multiport module or chain multiple rules to do so.

However, blocking all outgoing connections for this user will cause many applications to fail because they depend on the lo connection located at localhost or 127.0.0.1. (E.g. if you are using KDM/KDE, your system freezes up during login.)

So you need to exclude the lo network interface from your rule. If you still want to allow the user to access only certain services, just create a rule before the DROP rule allowing those ports. I would suggest the following:

# USERNAME must be set to the account to restrict before these rules run

# Don't re-evaluate already ACCEPTed connections:
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow an outgoing connection, like SSH (NEW connections to port 22 from this user)
iptables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner "$USERNAME" -j ACCEPT

# Drop anything else from this user that is not on localhost
iptables -A OUTPUT ! -o lo -m owner --uid-owner "$USERNAME" -j DROP
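The following is an added example, not part of the answer above: a small POSIX shell script that generates the per-user OUTPUT rules the answer describes (loopback exemption, an explicit allow-list using the multiport module instead of several --dport rules, then the owner-matched DROP), validates the port list before it is interpolated into a command, and only applies the rules when explicitly asked to as root. It assumes a filter-table baseline like the answer's script (OUTPUT policy ACCEPT, INPUT policy DROP) is already loaded; the function names, the APPLY variable and the 15-port multiport limit check are this example's own choices.

```shell
#!/bin/sh
# Added example: generate, validate and optionally apply per-user egress
# rules with the iptables owner match. Not code from the original answer.
set -eu

# resolve_uid NAME_OR_UID: print the numeric uid; fails if the name is unknown.
# Rules are written with the numeric uid so a later rename of the account does
# not silently change what they match.
resolve_uid() {
  case "$1" in
    ''|*[!0-9]*) id -u "$1" ;;         # a name: ask the system
    *)           printf '%s\n' "$1" ;; # already numeric
  esac
}

# validate_ports LIST: accept "22" or "22,443,8443" (each 1..65535, at most 15
# entries, the multiport limit); reject anything else so a caller cannot
# smuggle shell metacharacters into the generated commands.
validate_ports() {
  case "$1" in
    ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;;
  esac
  local p n
  n=0
  for p in $(printf '%s' "$1" | tr ',' ' '); do
    n=$((n + 1))
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  [ "$n" -le 15 ]
}

# user_egress_rules UID [TCP_PORTS [UDP_PORTS]]: print the iptables commands
# for one account in the order they must be appended to OUTPUT.
user_egress_rules() {
  local uid="$1" tcp="${2:-}" udp="${3:-}"
  case "$uid" in ''|*[!0-9]*) echo "uid must be numeric" >&2; return 2 ;; esac
  if [ -n "$tcp" ] && ! validate_ports "$tcp"; then echo "bad tcp port list: $tcp" >&2; return 2; fi
  if [ -n "$udp" ] && ! validate_ports "$udp"; then echo "bad udp port list: $udp" >&2; return 2; fi

  # 1. Replies on connections that were already accepted. This also covers
  #    connections that arrived via INPUT, so INPUT must not accept NEW
  #    connections to ports this user could listen on.
  echo "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  # 2. Loopback stays open: local services (X, D-Bus, a local resolver) need it.
  echo "iptables -A OUTPUT -o lo -m owner --uid-owner $uid -j ACCEPT"
  # 3. Explicit allow-list. --dport takes one port; multiport takes a list.
  if [ -n "$tcp" ]; then
    echo "iptables -A OUTPUT -p tcp -m multiport --dports $tcp -m conntrack --ctstate NEW -m owner --uid-owner $uid -j ACCEPT"
  fi
  if [ -n "$udp" ]; then
    echo "iptables -A OUTPUT -p udp -m multiport --dports $udp -m conntrack --ctstate NEW -m owner --uid-owner $uid -j ACCEPT"
  fi
  # 4. Everything else this uid sends off-box is dropped; other accounts are
  #    untouched because the owner match does not apply to them.
  echo "iptables -A OUTPUT ! -o lo -m owner --uid-owner $uid -j DROP"
}

# apply_user_egress_rules UID [TCP_PORTS [UDP_PORTS]]: run the generated
# commands. Needs root and the iptables binary; "sh -e" stops at the first
# rule iptables rejects so a half-applied set does not go unnoticed.
apply_user_egress_rules() {
  local rules
  [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
  rules=$(user_egress_rules "$@") || return $?
  printf '%s\n' "$rules" | sh -e
}

# Usage: sh user-egress.sh NAME_OR_UID [TCP_PORTS [UDP_PORTS]]
# Prints the rules; set APPLY=1 in the environment to apply them instead.
if [ "$#" -ge 1 ]; then
  uid=$(resolve_uid "$1")
  if [ "${APPLY:-0}" = 1 ]; then
    apply_user_egress_rules "$uid" "${2:-}" "${3:-}"
  else
    user_egress_rules "$uid" "${2:-}" "${3:-}"
  fi
fi
```

Run it without APPLY first and read the printed rules; the generator resolves the account to a numeric uid, so a typo in the name fails loudly instead of producing a rule that matches nobody. If the allow-list includes TCP services reached by name, the user also needs UDP 53 (or whatever the local resolver uses) in the third argument, otherwise name resolution is the first thing to break.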