Networking – How to Disable Networking for Specific Users


I'm working on an Ubuntu/Mint distro meant to be run Live. There are multiple accounts that fall into three general groups: Admin, Internet and Security.

  • Admin obviously has the authority to do whatever.
  • Internet account is for using the Internet.

The other accounts are Security accounts. Under no circumstances is any networking (Internet, printer, Bluetooth, WiFi devices, etc.) allowed.

What I'd like to do is remove the network drivers from the kernel, but that would disable the accounts that need Internet.

What are the lowest-level way(s) to disable Internet for these security accounts? I'm looking for impossible-to-connect solutions.

Best Answer

You can do that with iptables.

In a terminal, add the rule to iptables:

sudo iptables -A OUTPUT -p all -m owner --uid-owner username -j DROP

where username is the user whose Internet connection you want to disable. Save the file and exit.

This will add a rule to iptables saying that any outgoing packets created by the specified user will be automatically dropped by iptables.

If you want to do the same for a complete group, I suggest that instead of --uid-owner username you use --gid-owner groupname; that will have the same effect for a complete user group.

So to prevent the group Security from accessing the Internet, the command would look something like this:

sudo iptables -A OUTPUT -p all -m owner --gid-owner security -j DROP

To make the rule permanent, you can create a script in /etc/network/if-up.d/, add the necessary lines to it and make it executable.

As an option, use iptables-save to save your current rules and restore them on boot.

Save the current iptables rules:

sudo iptables-save > /etc/iptables_rules

Open /etc/rc.local with your favorite text editor and at the end of the file add:

/sbin/iptables-restore < /etc/iptables_rules

That will restore the saved rules on each boot.

For more information on the various iptables options, visit the [iptables manpage].
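The procedure in the answer above (an owner-match DROP in OUTPUT, saved in iptables-save format and restored at boot) as one script. This is an added example, not code from the answer's author. It assumes the group is named security, keeps the answer's /etc/iptables_rules path for IPv4, and adds a second file, /etc/ip6tables_rules, for IPv6, because the iptables rule alone leaves IPv6 open; the ip6tables-restore format is identical, so the same generator serves both.

```shell
#!/bin/sh
# Added example (not from the original answer). Generates an
# iptables-restore ruleset that drops every packet originated by processes
# running with the given group, and writes it where the answer's
# "/sbin/iptables-restore < /etc/iptables_rules" line expects it.
# Assumptions: group "security"; the IPv6 file path /etc/ip6tables_rules is
# my own choice and would need a matching
# "/sbin/ip6tables-restore < /etc/ip6tables_rules" line in /etc/rc.local.

# Emit a complete filter table in iptables-save format for one group.
# The owner match only exists in the OUTPUT and POSTROUTING chains, because
# the kernel needs a local socket to attribute the packet to; it matches the
# effective (fs) gid of the owning process, so users who hold the group only
# as a supplementary group are NOT matched by this rule (see usage note).
owner_drop_ruleset() {
    grp="$1"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --gid-owner $grp -j DROP
COMMIT
EOF
}

# Return success if a ruleset text contains the exact DROP rule for the
# group. Used to check a generated or saved file before trusting it at boot.
ruleset_has_drop() {
    grp="$1"
    text="$2"
    printf '%s\n' "$text" | grep -qx -- "-A OUTPUT -m owner --gid-owner $grp -j DROP"
}

# Write the IPv4 and IPv6 rule files (defaults match the paths above) and
# verify each one before returning success.
install_ruleset() {
    grp="$1"
    v4="${2:-/etc/iptables_rules}"
    v6="${3:-/etc/ip6tables_rules}"
    owner_drop_ruleset "$grp" > "$v4"
    owner_drop_ruleset "$grp" > "$v6"
    chmod 0644 "$v4" "$v6"
    ruleset_has_drop "$grp" "$(cat "$v4")" || return 1
    ruleset_has_drop "$grp" "$(cat "$v6")" || return 1
}

# Usage (as root): ./owner-drop.sh --install security
if [ "$#" -gt 0 ] && [ "$1" = "--install" ]; then
    install_ruleset "${2:-security}" || { echo "ruleset check failed" >&2; exit 1; }
fi
```

Practitioner caveats, added here and not part of the answer: the owner match sees only locally generated packets, so nothing here filters unsolicited inbound traffic (add INPUT rules if that matters); root can remove the rules, so the Admin account must really be the only one with sudo; the --gid-owner test uses the process's effective gid, so either make security each account's primary group or, on iptables builds that offer it, append --suppl-groups to the rule (check your iptables manpage before relying on it, since an unknown option makes iptables-restore reject the whole file); and /etc/rc.local is only run at boot if it is executable. Verify after a reboot with sudo iptables -S OUTPUT and sudo ip6tables -S OUTPUT, and by trying a connection as one of the Security accounts.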
