From: Lars Nooden <lars.curator@gmail.com>
To: Elmar Stellnberger <estellnb@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: block network access for certain users/groups
Date: Thu, 29 Jul 2010 22:33:05 +0300
Message-ID: <4C51D771.1080904@gmail.com>
In-Reply-To: <op.vgmcupy42qajpl@imac.local>
On 7/29/10 10:09 PM, Elmar Stellnberger wrote:
> iptables -A mychain -m owner --gid-owner blockedusergroup -j DROP
For starters, consider using the REJECT target instead of DROP if for no
other reason than that it will make your engineering easier:
http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
http://www.chrisbrenton.org/2009/07/why-firewall-reject-rules-are-better-than-firewall-drop-rules/
> What will I have to do to implement network access restrictions on a per
> user/group basis?
Follow your chains in sequence and make sure that the packets going to
or from that group have only one way to go. If the packets are getting
through, then there is some chain or rule allowing them through before
the packet gets to the --gid-owner rule you have above.
/Lars
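Putting both points together (a REJECT in a private chain, and a hand-off to that chain placed where no earlier rule can let the group's packets through), as an added example that is not part of the thread; it assumes IPv4 iptables with the owner and REJECT extensions and a group named blockedusergroup (the name from the original rule), and is not code from either poster:

```shell
#!/bin/sh
# Added example, not from the thread: block all non-loopback egress for
# members of one group in a dedicated chain that OUTPUT hands off to first,
# so no earlier ACCEPT rule lets the packets through before the owner match.
# Assumes IPv4 iptables with the owner and REJECT extensions, run as root.
# Set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
GROUP="${GROUP:-blockedusergroup}"   # group name or numeric gid
CHAIN="${CHAIN:-mychain}"

build_rules() {
    # Create the private chain if missing, then start from an empty chain.
    "$IPT" -N "$CHAIN" 2>/dev/null || true
    "$IPT" -F "$CHAIN"
    # Keep loopback usable (local resolvers, X, etc.) for everyone.
    "$IPT" -A "$CHAIN" -o lo -j RETURN
    # REJECT instead of DROP: the blocked process sees an immediate
    # "connection refused" rather than hanging until a timeout, which
    # makes it obvious in testing whether this rule was reached.
    "$IPT" -A "$CHAIN" -m owner --gid-owner "$GROUP" -j REJECT
    # The owner match only sees locally generated packets, i.e. OUTPUT.
    # Remove any stale jump and insert the hand-off at position 1 so it
    # runs before every other OUTPUT rule (e.g. an ESTABLISHED ACCEPT).
    "$IPT" -D OUTPUT -j "$CHAIN" 2>/dev/null || true
    "$IPT" -I OUTPUT 1 -j "$CHAIN"
}

# Check that the hand-off is still the first rule in OUTPUT; a rule added
# later with -I would silently get ahead of it.
verify_order() {
    first=$("$IPT" -S OUTPUT | sed -n '2p')   # line 1 is the chain policy
    [ "$first" = "-A OUTPUT -j $CHAIN" ] && return 0
    echo "jump to $CHAIN is not first in OUTPUT: $first" >&2
    return 1
}

# Functional check as a member of the blocked group ('sg' runs a command
# under that group): with REJECT the client fails at once, with DROP it
# would sit there until --max-time expires.
#   sg "$GROUP" -c 'curl -sS --max-time 5 http://example.invalid/'
```

Running `IPT=echo sh script.sh` prints the rule set for review before it is applied; `verify_order` is the check to re-run after any other tool has touched the OUTPUT chain.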