[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTikru-pmMAnS-dqjYT7xJC_X21rVNBpjg_2LDmWB@mail.gmail.com>
Date: Wed, 25 Aug 2010 13:09:34 +0200
From: Elmar Stellnberger <estellnb@...il.com>
To: netdev@...r.kernel.org, netfilter-devel@...r.kernel.org
Subject: block network access for certain users/groups
Please answer my question:
It has not been answered, yet.
Thanks for hints like whether to use DROP or REJECT but please answer
my question!
I wanna be pointed on how to implement a per user package selection.
Something similar pretends to be already implemented if you view the
man page, but
it is only implemented for outgoing packages and it even does not work
correctly
(blocking outgoing ICMP-ping requests but with lynx you can happily
view localhost:631
though the rule is on top and applies to any kind of package (raw,
tcp, udp)). We have
already checked this thouroughly.
I need to block network access for certain users/groups, fully:
iptables -A mychain -m owner --gid-owner blockedusergroup -j REJECT
...drops ping packages in the output chain but lets my user happily
connect to localhost:631 or any other http address. In deed the rule
above is therefore pretty useless.
I need to block ALL incoming and outgoing packages for a certain user/group.
At the moment there is only insufficient blocking for outgoing
packages available.
Can you help me?
What will I have to do to implement network access restrictions on a
per user/group basis?
Logging such packages is already possible. Why is blocking them not?
... and yes I have already checked the whole iptables -L -v.
The rule is there and would have been supposed to work.
Yours,
Elmar Stellnberger
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists