On 7/29/10 10:09 PM, Elmar Stellnberger wrote:
> iptables -A mychain -m owner --gid-owner blockedusergroup -j DROP
For starters, consider using the REJECT target instead of DROP if for no other reason than that it will make your engineering easier:
http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
http://www.chrisbrenton.org/2009/07/why-firewall-reject-rules-are-better-than-firewall-drop-rules/
> What will I have to do to implement network access restrictions on a per user/group basis?
Follow your chains in sequence and make sure that the packets going to or from that group have only one way to go. If the packets are getting through, then there is some chain or rule allowing them through before the packet gets to the --gid-owner rule you have above.
/Lars
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
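The "follow your chains in sequence" advice above is easiest to check against the actual rule order, which `iptables -S` (or `iptables-save`) prints in traversal order. The script below is an added illustration, not code from the thread: it walks a constructed `iptables-save`-style dump the way the kernel would for a locally generated packet, following `-j` jumps into user chains and stopping at the first terminating target, so you can see why a `--gid-owner` rule in `mychain` never fires when an earlier `OUTPUT` rule already ACCEPTs the traffic. The gid value 1005, the interface `eth0`, and the two rule sets are constructed for the example; `mychain` is the chain name from the thread. It only models the `-o` and `--gid-owner` matches (enough for this question); note that `-m owner` is only valid in the `OUTPUT` and `POSTROUTING` chains, since it needs the local socket that generated the packet.

```python
"""Trace which iptables rule a locally generated packet hits first.

Constructed example (not from the mailing-list thread): the same three rules
in two orders, showing why rule sequence decides whether the owner match is
ever reached.
"""
import shlex

# Broken order: OUTPUT accepts all eth0 traffic before jumping to mychain,
# so the gid rule inside mychain is never consulted.
BROKEN_RULES = """
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j mychain
-A mychain -m owner --gid-owner 1005 -j DROP
"""

# Fixed order: jump to mychain first (what `iptables -I OUTPUT 1 -j mychain`
# gives you), and use REJECT so blocked programs fail fast instead of hanging.
FIXED_RULES = """
-A OUTPUT -j mychain
-A OUTPUT -o eth0 -j ACCEPT
-A mychain -m owner --gid-owner 1005 -j REJECT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Parse -A lines into {chain: [rule, ...]} preserving order.

    Only -o/--out-interface, --gid-owner and -j are modelled; other
    options are skipped so unrelated rules still parse.
    """
    chains = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        chain = toks[1]
        rule = {"out": None, "gid": None, "target": None}
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok in ("-o", "--out-interface"):
                rule["out"] = toks[i + 1]
                i += 2
            elif tok == "--gid-owner":
                rule["gid"] = toks[i + 1]
                i += 2
            elif tok == "-j":
                rule["target"] = toks[i + 1]
                i += 2
            elif tok == "-m":
                i += 2  # match extension name; its own options follow
            else:
                i += 1
        chains.setdefault(chain, []).append(rule)
    return chains


def rule_matches(rule, pkt):
    """A rule matches when every criterion it specifies equals the packet's."""
    return all(rule[k] is None or rule[k] == pkt[k] for k in ("out", "gid"))


def trace(chains, pkt, chain="OUTPUT", path=None):
    """Return (verdict, path) for pkt; verdict is None if it fell through to the policy.

    path lists the rules that matched as "CHAIN:n" (1-based, like
    `iptables -L --line-numbers`).
    """
    path = [] if path is None else path
    for n, rule in enumerate(chains.get(chain, []), 1):
        if not rule_matches(rule, pkt):
            continue
        path.append(f"{chain}:{n}")
        target = rule["target"]
        if target in TERMINAL:
            return target, path
        if target in chains:
            verdict, path = trace(chains, pkt, target, path)
            if verdict is not None:
                return verdict, path
            # user chain ended without a verdict: RETURN to the caller
    return None, path


if __name__ == "__main__":
    blocked = {"out": "eth0", "gid": "1005"}   # a process in the blocked group
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        verdict, path = trace(parse_rules(rules), blocked)
        print(f"{label:6}: {verdict or 'policy'} via {' -> '.join(path)}")
```

Running it shows the blocked group being ACCEPTed at `OUTPUT:1` under the broken order and REJECTed at `mychain:1` under the fixed order; a packet from any other gid falls through `mychain` and is accepted by `OUTPUT:2`, which is the behaviour the original question wanted.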