Hi, I would like to block one user on all of the Linux machines (Debian Wheezy) from being able to surf the internet, chat and email. However, they are using Linux-based RIP stations for large format printers, so they need to be able to access everything on the local network. They do not, however, need to access anything outside of the local network.
Block Internet access, but not network access for a user
Tags: firewall, networking
Related Solutions
This should do it:
$ qemu-system-x86_64 -net nic -net user,restrict=on,smb=/path/to/shared/folder ...
From the manpage:
-netdev user,id=id[,option][,option][,...]
-net user[,option][,option][,...]
Use the user mode network stack which requires no administrator privilege to run. Valid options are:
...
restrict=on|off
If this option is enabled, the guest will be isolated, i.e. it will not be able to contact the host and no guest IP packets will be routed over the host to the outside. This option does not affect any explicitly set forwarding rules.
...
smb=dir[,smbserver=addr]
When using the user mode network stack, activate a built-in SMB server so that Windows OSes can access to the host files in dir transparently. The IP address of the SMB server can be set to addr. By default the 4th IP in the guest network is used, i.e. x.x.x.4. In the guest Windows OS, the line: 10.0.2.4 smbserver must be added in the file C:\WINDOWS\LMHOSTS (for windows 9x/Me) or C:\WINNT\SYSTEM32\DRIVERS\ETC\LMHOSTS (Windows NT/2000). Then dir can be accessed in \\smbserver\qemu. Note that a SAMBA server must be installed on the host OS. QEMU was tested successfully with smbd versions from Red Hat 9, Fedora Core 3 and OpenSUSE 11.x.
For this to work, samba must be installed on the host system; it doesn't need to be configured or running, just the smbd binary is needed, which will be run with an ad-hoc configuration and no privileges.
Note
In Windows 7, you can connect to the shared folder from Computer -> Add Network Location -> Choose a custom network location -> \\10.0.2.4\qemu.
If Windows insists on opening the "Connect to the Internet" wizard, just close it; the "Add Network Location" wizard is still running, and you can reopen its window by clicking on the taskbar icon.
Best Answer
Use an iptables rule to block outbound traffic for a specific user: http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
This way you even have full control over the ranges of IPs that get through (for instance, only allow the LAN address block). It's probably useful also to block only specific ports. However, if you allow ssh, a savvy user will set up a tunnel and get out of the firewall. If you allow ssh to local machines, this firewall will have to be set up on all machines the user can access; otherwise, you can just tunnel to the nearest unrestricted machine and access the web from there.
It all depends on what kind of users you have. If the user must be able to use ssh, and you really want to block him out, then you have a problem. If it's meant for non-tech users without ssh knowledge, just block all outbound traffic and close ssh ports.
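A worked version of the per-user rule set described in this answer, added here as an example and not taken from the linked article. It assumes a restricted account named "printops" and a LAN of 192.168.10.0/24 (both placeholders); the LAN ACCEPT is placed before the catch-all REJECT so RIP stations stay reachable while everything else, including IPv6, is refused.

```shell
#!/bin/sh
# Per-user outbound filter using iptables' owner match (added example).
# Assumed placeholders: account "printops", LAN block 192.168.10.0/24.
RESTRICTED_USER="${RESTRICTED_USER:-printops}"
LAN_CIDR="${LAN_CIDR:-192.168.10.0/24}"

# Emit the rules as text so they can be reviewed before being applied.
# Only the OUTPUT chain gets an owner match: the kernel can attribute a
# uid to locally generated packets, never to forwarded or inbound ones.
user_outbound_rules() {
    user="$1"; lan="$2"
    chain="RESTRICT_${user}"
    cat <<EOF
iptables -N ${chain} 2>/dev/null || iptables -F ${chain}
iptables -A ${chain} -o lo -j ACCEPT
iptables -A ${chain} -d ${lan} -j ACCEPT
iptables -A ${chain} -m limit --limit 5/min -j LOG --log-prefix "restricted-user-drop: " --log-level 4
iptables -A ${chain} -j REJECT --reject-with icmp-admin-prohibited
iptables -I OUTPUT 1 -m owner --uid-owner ${user} -j ${chain}
ip6tables -I OUTPUT 1 -m owner --uid-owner ${user} ! -o lo -j DROP
EOF
}

# Print the rule set; pipe it through sh as root to apply it.
user_outbound_rules "$RESTRICTED_USER" "$LAN_CIDR"
```

The LOG line gives the admin a syslog trail of what the account tried to reach; the rules do not survive a reboot on their own, so load them from the iptables-persistent package or an if-up hook.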