Block a user from accessing internet on Linux
And then I do ssh myhost.somewhere.onthe.internet.example.com -D 12345, point my browser to use SOCKS proxy localhost:12345, and on I go on my merry way.
In other words, blacklisting specific ports is not sufficient; you may want to block all network access:
iptables -A OUTPUT -m owner --uid-owner $USERNAME -j DROP
Note that there may be a need to access certain network resources (e.g. local network shares), so you may need to whitelist those (or perhaps whitelist the local network block).
Author: Christoph Rüegg
Updated on September 17, 2022

Comments
- Christoph Rüegg, over 1 year ago:
How do I block a user from accessing the internet under Linux?
I'm trying the following:
iptables -A OUTPUT -p tcp --dport 80,443 -m owner --uid-owner $USERNAME -j DROP
Is that the right syntax or command?
- xenoterracide, about 14 years ago: Not being familiar with -m owner, you could probably just remove -p tcp --dport 80,443 and prevent ALL tcp/ip access.
- iglvzx, over 12 years ago: If you have control over their access point (e.g. router), you could block their computer's physical addresses and whatnot.
- killermist, almost 12 years ago: @iglvzx That would block the whole machine, and not a specific user, which is what it looks like was being asked.
- geek, about 14 years ago: This is correct only for web servers running on standard ports. This is the case for most web servers, but generally a web server can listen on any port. So it's possible for that user to set up a remote web server running on a non-standard port, host a CGI proxy web script there and browse the Internet over it.
- alper, over 2 years ago: How can I whitelist the local network block?
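The answer's suggestion (block all of the user's output, then whitelist what the user still needs) and alper's question about whitelisting the local network block come together in the script below. It is an added example, not code from the question, the answer or any commenter. Everything beyond the two iptables rules quoted on the page is an assumption: the per-user chain name BLOCK_<user>, the dry-run default with an APPLY=1 switch, the input validation, and the sample user alice with LAN 192.168.1.0/24 are constructed for illustration. It generalises the answer to any number of local CIDR blocks and also keeps loopback open, which the page does not mention but which a catch-all DROP would otherwise cut off.

```shell
#!/bin/sh
# Added example (not from the original post): build the OUTPUT-chain rules
# that cut one user off from the network while keeping loopback and a set
# of local CIDR blocks reachable. The chain name BLOCK_<user> and the
# dry-run/APPLY switch are assumed conventions, not the page's.
#
#   user_block_rules USERNAME [CIDR ...]          # print the rules
#   APPLY=1 user_block_rules USERNAME [CIDR ...]  # run them (needs root)

# Run a rule when APPLY=1, otherwise print it so it can be reviewed first.
emit() {
    if [ "${APPLY:-0}" = "1" ]; then
        $1
    else
        printf '%s\n' "$1"
    fi
}

# Accept only a dotted-quad IPv4 address with an optional /prefix; anything
# else is rejected before it can reach a command line.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Accept a conventional Linux login name or a plain numeric uid
# (--uid-owner takes either form).
valid_user() {
    printf '%s\n' "$1" | grep -Eq '^([a-z_][a-z0-9_-]*|[0-9]+)$'
}

user_block_rules() {
    user="$1"
    if [ -z "$user" ] || ! valid_user "$user"; then
        echo "user_block_rules: bad or missing username" >&2
        return 1
    fi
    shift
    for cidr in "$@"; do
        if ! valid_cidr "$cidr"; then
            echo "user_block_rules: bad CIDR '$cidr'" >&2
            return 1
        fi
    done

    chain="BLOCK_$user"

    # A dedicated chain keeps the per-user rules easy to audit and to remove
    # later (iptables -F "$chain"; iptables -X "$chain").
    emit "iptables -N $chain"

    # Loopback stays open: a local resolver, X11 or D-Bus over TCP would
    # otherwise break for this user.
    emit "iptables -A $chain -o lo -j ACCEPT"

    # Whitelisted local blocks must precede the catch-all DROP; iptables
    # takes the first matching rule, so the order is the whole point.
    for cidr in "$@"; do
        emit "iptables -A $chain -d $cidr -j ACCEPT"
    done

    # Everything else this user sends is dropped.
    emit "iptables -A $chain -j DROP"

    # Finally hook the chain into OUTPUT for packets owned by the user.
    emit "iptables -A OUTPUT -m owner --uid-owner $user -j $chain"
}

# Dry run with constructed values: user 'alice', LAN 192.168.1.0/24.
user_block_rules alice 192.168.1.0/24
```

After applying, `iptables -L BLOCK_alice -v -n` shows per-rule packet and byte counters; a rising count on the DROP line is the quickest check that the user's traffic is actually being caught rather than slipping past through a rule you did not expect. The owner match exists in ip6tables too, so a host with IPv6 connectivity needs the same chain there, or the user simply reaches the Internet over IPv6.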