Linux – How to Restrict Internet Access for a Particular User Using Iptables


Let's say there are two users on the LAN, A and B. How do I restrict user A from internet access using iptables rules, and save the rules so that they are still effective after a reboot? Suppose also that I want to grant that user access at some point; how do I enable it again? I am using Ubuntu Linux 10.04. It would be nice if anybody could show me how to do it from the command line, as I often log in to the machine using a local ssh login.

Best Answer

I assume that users A and B are using the same Linux machine(s) where you are the administrator. (It's not completely clear from your question. If A and B have their own computers on which they are administrators, it's a completely different problem.)

The following command will prevent the user with uid 1234 from sending packets on the interface eth0:

iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1234 -j DROP
ip6tables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1234 -j DROP

I recommend reading the Ubuntu iptables guide to get basic familiarity with the tool (and refer to the man page for advanced things like the mangle table).

The user will still be able to run ping (because it's setuid root), but not anything else. The user will still be able to connect to a local proxy if that proxy was started by another user.

To remove this rule, add -D to the command above.

To make the rule permanent, add it to /etc/network/if-up.d/my-user-restrictions (make that an executable script beginning with #!/bin/sh). Or use iptables-save (see the Ubuntu iptables guide for more information).
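The answer's owner-match rule, its removal, and its placement in /etc/network/if-up.d, combined into one on/off script. This is an added example, not the answer's own code; it assumes a hypothetical account name "usera", an uplink of eth0, that ifupdown exports IFACE and MODE when it runs if-up.d scripts, and root privileges when rules are applied.

```sh
#!/bin/sh
# Added example (not from the original answer): block all non-loopback
# traffic for one local user with the iptables/ip6tables "owner" match,
# packaged so it can be installed as /etc/network/if-up.d/my-user-restrictions.
# Assumptions: the restricted account is named "usera" (hypothetical), the
# uplink is eth0, and the script runs as root when it applies rules.

RESTRICTED_USER="${RESTRICTED_USER:-usera}"   # hypothetical account name
UPLINK_IF=eth0

# Rule arguments for one action flag (-A add, -D delete) and a numeric uid.
# Keeping them in one place guarantees the v4 and v6 rules stay identical.
rule_args() {
    printf '%s' "-t mangle $1 OUTPUT -o $UPLINK_IF -m owner --uid-owner $2 -j DROP"
}

# Resolve an account name to its uid; the owner match works on uids, not names.
uid_of() {
    id -u "$1" 2>/dev/null || { echo "unknown user: $1" >&2; return 1; }
}

# Delete every copy of the rule (duplicates accumulate if the -A command
# is simply re-run on each interface-up event).
remove_rule() {
    uid=$(uid_of "$RESTRICTED_USER") || return 1
    for tool in iptables ip6tables; do
        while "$tool" $(rule_args -D "$uid") 2>/dev/null; do :; done
    done
}

# Remove-then-add keeps the script idempotent without relying on the newer
# -C check flag. As the answer notes, setuid programs such as ping still run
# as root and are not matched by this rule.
apply_rule() {
    remove_rule || return 1
    uid=$(uid_of "$RESTRICTED_USER")
    for tool in iptables ip6tables; do
        "$tool" $(rule_args -A "$uid") || return 1
    done
}

case "${1:-}" in
    on)  apply_rule ;;     # restrict the user now
    off) remove_rule ;;    # grant access again
    '')  # No argument: ifupdown invoked us from if-up.d and exported
         # IFACE and MODE=start; only act when the uplink comes up.
         if [ "${MODE:-}" = start ] && [ "${IFACE:-}" = "$UPLINK_IF" ]; then
             apply_rule
         fi ;;
esac
```

Run it as `sh my-user-restrictions on` or `off` from your ssh session; installed under /etc/network/if-up.d (executable), it reapplies the rule whenever eth0 comes up.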
