Re: block network access for certain users/groups

On 7/29/10 10:09 PM, Elmar Stellnberger wrote:
> iptables -A mychain -m owner --gid-owner blockedusergroup -j DROP

For starters, consider using the REJECT target instead of DROP if for no other reason than that it will make your engineering easier:

	http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

	http://www.chrisbrenton.org/2009/07/why-firewall-reject-rules-are-better-than-firewall-drop-rules/


> What will I have to do to implement network access restrictions on a per
> user/group basis?

Follow your chains in sequence and make sure that the packets going to or from that group have only one way to go. If the packets are getting through, then there is some chain or rule allowing them through before the packet gets to the --gid-owner rule you have above.

/Lars
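The advice above (walk the chains in order and find whatever lets the group's packets through before the --gid-owner rule) can be turned into a mechanical check. The script below is an added example, not code from this thread or from the netfilter project: it parses an iptables-save style dump, finds the --gid-owner rule for a group, walks OUTPUT the way the kernel does (descending into user chains, continuing after a chain falls off its end) and lists every ACCEPT a packet could hit first. The rulesets SAMPLE_RULES and FIXED_RULES are constructed here; only the names blockedusergroup and mychain come from the thread. The second ruleset shows the same policy with the owner rule moved ahead of the broad ACCEPTs and switched to REJECT.

```python
"""Audit an iptables ruleset for rules that pass a group's traffic before the
--gid-owner rule is reached. Added example, not code from the netfilter thread."""
import re

# Constructed sample in iptables-save format; the group and chain names
# (blockedusergroup, mychain) follow the thread, everything else is made up.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:mychain - [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -j mychain
-A mychain -m owner --gid-owner blockedusergroup -j REJECT --reject-with icmp-admin-prohibited
COMMIT
"""

# Same policy with the owner rule moved to the top of OUTPUT, loopback excepted.
FIXED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --gid-owner blockedusergroup -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Return {chain: [rule_body, ...]} in the order iptables evaluates them."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # chain declaration
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):                  # append rule to chain
            _, chain, body = line.split(None, 2)
            chains.setdefault(chain, []).append(body)
    return chains


def jump_target(rule):
    """Name after -j, or None for a rule without a target."""
    m = re.search(r"-j\s+(\S+)", rule)
    return m.group(1) if m else None


def find_owner_rule(chains, group):
    """Locate the (chain, index) of the --gid-owner rule for `group`."""
    pat = re.compile(r"--gid-owner\s+" + re.escape(group) + r"(?:\s|$)")
    for chain, rules in chains.items():
        for i, rule in enumerate(rules):
            if pat.search(rule):
                return chain, i
    return None


def _walk(chains, chain, target, accepts):
    """Follow `chain` in rule order, descending into user chains the way the
    kernel does. Collect every ACCEPT seen before the target rule; return True
    once the target is reached. RETURN rules are treated like any other
    non-terminal match: the walk simply continues."""
    for i, rule in enumerate(chains.get(chain, [])):
        if (chain, i) == target:
            return True
        tgt = jump_target(rule)
        if tgt in chains:                 # jump into a user-defined chain
            if _walk(chains, tgt, target, accepts):
                return True
            # chain fell off its end: evaluation resumes with the next rule
        elif tgt == "ACCEPT":
            accepts.append((chain, rule))
    return False


def audit(text, group, root="OUTPUT"):
    """Report whether the owner rule is reachable from `root` and which ACCEPT
    rules a packet from `group` could hit first. The owner match only sees
    locally generated packets, so the rule must be reachable from OUTPUT."""
    chains = parse_rules(text)
    target = find_owner_rule(chains, group)
    if target is None:
        return {"found": False, "reachable": False, "preceding_accepts": []}
    accepts = []
    reachable = _walk(chains, root, target, accepts)
    return {"found": True, "reachable": reachable, "preceding_accepts": accepts}


if __name__ == "__main__":
    for name, rules in (("as posted", SAMPLE_RULES), ("reordered", FIXED_RULES)):
        r = audit(rules, "blockedusergroup")
        print(f"[{name}] reachable={r['reachable']}")
        for chain, rule in r["preceding_accepts"]:
            print(f"  ACCEPT before owner rule in {chain}: {rule}")
```

To run it against a live box, feed it the output of `iptables-save` instead of the constructed strings; if your iptables-save prints numeric ids, pass the gid rather than the group name. Any ACCEPT it lists ahead of the owner rule is a rule to either move below it or narrow so it cannot match that group's traffic; the `-o lo` exception in FIXED_RULES is there deliberately and shows up in the report so it can be reviewed rather than hidden.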

