It is possible to block all Internet access for a specific Linux user with iptables, which can be very useful.
Add this rule to iptables and Internet access for the user test5 will be blocked. This is a good use of the iptables firewall.
4.4 Fri Mar 06 jason@Yog-Sothoth 0: $ sudo iptables -A OUTPUT -p all -m owner --uid-owner test5 -j DROP
This is how to block all Internet access for a certain group, “test5group”.
sudo iptables -A OUTPUT -p all -m owner --gid-owner test5group -j DROP
Add the --suppl-groups flag to check all of the user's groups; on its own, --gid-owner checks only the user's primary group. Thanks to Gethin for pointing this out.
This is what the user entry looks like when iptables lists its rules; note that the user name is stored as the numeric UID (1003 here). This is a very effective way to block Internet access for a certain user: any tools that could be used to attempt a bypass may need root access anyway, and I am not sure a netcat listener on a remote machine would even work. Bypassing iptables is not that easy.
-A OUTPUT -m owner --uid-owner 1003 -j DROP
So, give this a try and see how you go with this rule. This could be useful in certain circumstances.
Trying to ping a website as the blocked user gives me this.
test5@Yog-Sothoth:~$ ping google.com
PING google.com (216.58.200.110) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- google.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2042ms
This is to be expected, so this does work very well to disable Internet access. To have the iptables rules saved and restored on each reboot, use this package. This is a good way to do it.
Another way to have iptables entries applied on each boot is described here; it is up to you which method you use.
https://securitronlinux.com/bejiitaswrath/how-to-have-iptables-entries-applied-on-boot/
To list all applied iptables rules, this command will suffice.
┌──[jason@11000000.10101000.00000001.00000010]─[~]
└──╼ $ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LIBVIRT_FWI
-N LIBVIRT_FWO
-N LIBVIRT_FWX
-N LIBVIRT_INP
-N LIBVIRT_OUT
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A OUTPUT -m owner --uid-owner 1001 -j DROP
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
This must be run as root.
List all iptables rules in a specific chain.
┌──[jason@11000000.10101000.00000001.00000010]─[~]
└──╼ $ sudo iptables -S OUTPUT
-P OUTPUT ACCEPT
-A OUTPUT -j LIBVIRT_OUT
-A OUTPUT -m owner --uid-owner 1001 -j DROP
Delete the iptables rule previously applied and restore Internet access. This works right away.
┌──[jason@11000000.10101000.00000001.00000010]─[~]
└──╼ $ sudo iptables -D OUTPUT -m owner --uid-owner 1001 -j DROP
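As an added example (not code from the original post), here is a small POSIX sh script that wraps the add, check and delete steps above, uses --suppl-groups for group rules, and checks with iptables -C before inserting so the rule is not duplicated. It assumes sudo and an iptables/kernel combination new enough to understand --suppl-groups; the function and script names are my own.

```shell
#!/bin/sh
# Added example: manage a per-user or per-group outbound DROP rule with the
# iptables owner match. Assumes sudo and --suppl-groups support.
set -eu

# Print the rule specification for a user (uid) or group (gid) owner match.
# Groups get --suppl-groups so supplementary membership is checked too;
# plain --gid-owner only looks at the process's primary group.
owner_rule() {
    case "$1" in
        user)  printf '%s' "-m owner --uid-owner $2 -j DROP" ;;
        group) printf '%s' "-m owner --gid-owner $2 --suppl-groups -j DROP" ;;
        *)     echo "owner_rule: kind must be user or group" >&2; return 1 ;;
    esac
}

# Resolve the numeric id the kernel stores: iptables -S prints ids, not
# names, so this is what appears in listings (e.g. --uid-owner 1003).
owner_id() {
    case "$1" in
        user)  id -u "$2" ;;
        group) getent group "$2" | cut -d: -f3 ;;
    esac
}

# iptables -C returns 0 if an identical rule is present, non-zero otherwise.
is_blocked() { sudo iptables -C OUTPUT $(owner_rule "$1" "$2") 2>/dev/null; }

# Insert at position 1 rather than append: OUTPUT is evaluated top to bottom,
# so an earlier ACCEPT (such as a LIBVIRT_OUT jump) could match first and the
# appended DROP would never be reached for that traffic.
block() {
    is_blocked "$1" "$2" && { echo "already blocked: $2"; return 0; }
    sudo iptables -I OUTPUT 1 $(owner_rule "$1" "$2")
}

# Restore access by deleting the DROP rule. Appending -j ACCEPT does not
# help, because the earlier DROP rule still matches first.
unblock() { sudo iptables -D OUTPUT $(owner_rule "$1" "$2"); }

# Usage: ./owner-block.sh block|unblock|is_blocked user|group NAME
case "${1:-}" in
    block|unblock|is_blocked) "$1" "$2" "$3" ;;
esac
```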
The advice on groups is slightly incorrect: when you use the --gid-owner option it only checks the primary group of the user. You need to include the --suppl-groups flag for it to check all groups.
Thank you for this post.
Ping wasn’t allowed anymore.
However, I was still able to download stuff via wget.
Hi,
I used this: sudo iptables -A OUTPUT -p all -m owner --uid-owner test5 -j DROP
It worked perfectly.
How do I enable the internet back?
-j ACCEPT didn’t work.