How to disable internet for a user on a system


Solution 1

As described here, you can block all Internet access for certain users using this iptables command:

sudo iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT
sudo ip6tables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT

If you want this command to run automatically when the system starts up, you should add it to the end of your /etc/rc.local file.

While this won't make it impossible for those users to create sockets, it will block all outgoing traffic (like a firewall).

Solution 2

If firewalld is part of your setup, you can block network access for a specific user using a direct rule, e.g.:

/etc/firewalld/direct.xml:
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" 
         table="filter" 
         chain="restrict_user_ipv4"/>
  <rule ipv="ipv4" 
        table="filter" 
        chain="OUTPUT" 
        priority="1">-m owner --uid-owner user -j restrict_user_ipv4</rule>
  <rule ipv="ipv4" 
        table="filter" 
        chain="restrict_user_ipv4" 
        priority="3">-j DROP</rule>
  <chain ipv="ipv6" 
         table="filter" 
         chain="restrict_user_ipv6"/>
  <rule ipv="ipv6" 
        table="filter" 
        chain="OUTPUT" 
        priority="1">-m owner --uid-owner user -j restrict_user_ipv6</rule>
  <rule ipv="ipv6" 
        table="filter" 
        chain="restrict_user_ipv6" 
        priority="3">-j DROP</rule>
</direct>

Don't forget to reload with

# firewall-cmd --reload
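An added example (not from either answer) that builds a direct.xml in the same shape as the one above for a given user and audits an existing direct.xml for the pitfall the last comment below works around: a DROP in the user's chain with no loopback ACCEPT ahead of it, which also breaks a local DNS stub resolver. The chain prefix restrict_user, the function names and the `-o lo -j ACCEPT` rule (used instead of the comment's 127.0.0.1 so that ::1 is covered too) are my assumptions, and the sample XML is constructed.

```python
"""Build a firewalld direct.xml that confines one user's traffic (owner match)
but keeps loopback open, and audit a direct.xml for denies that precede it."""
import xml.etree.ElementTree as ET

# Constructed sample like the answer's direct.xml, but ipv4 only and no loopback rule.
SAMPLE_NO_LOOPBACK = """<direct>
  <chain ipv="ipv4" table="filter" chain="restrict_user_ipv4"/>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="1">-m owner --uid-owner user -j restrict_user_ipv4</rule>
  <rule ipv="ipv4" table="filter" chain="restrict_user_ipv4" priority="3">-j DROP</rule>
</direct>"""


def build_direct_xml(user, chain="restrict_user"):
    """OUTPUT jumps the user's packets into a per-family chain that ACCEPTs
    loopback (priority 2) before the final DROP (priority 3)."""
    root = ET.Element("direct")
    for ipv in ("ipv4", "ipv6"):
        name = f"{chain}_{ipv}"
        ET.SubElement(root, "chain", ipv=ipv, table="filter", chain=name)
        for target, prio, text in (
                ("OUTPUT", "1", f"-m owner --uid-owner {user} -j {name}"),
                (name, "2", "-o lo -j ACCEPT"),  # local resolver, IPC over lo
                (name, "3", "-j DROP")):
            r = ET.SubElement(root, "rule", ipv=ipv, table="filter",
                              chain=target, priority=prio)
            r.text = text
    return ET.tostring(root, encoding="unicode")


def audit_direct_xml(xml_text):
    """Findings per owner-match jump in OUTPUT: target chain not declared, or its
    DROP/REJECT runs before (or without) a loopback ACCEPT (lower priority first)."""
    root = ET.fromstring(xml_text)
    declared = {(c.get("ipv"), c.get("chain")) for c in root.findall("chain")}
    rules, findings = root.findall("rule"), []
    for r in rules:
        text = r.text or ""
        if r.get("chain") != "OUTPUT" or "--uid-owner" not in text:
            continue
        ipv, target = r.get("ipv"), text.rsplit("-j", 1)[-1].strip()
        if (ipv, target) not in declared:
            findings.append(f"{ipv}: OUTPUT jumps to undeclared chain {target}")
            continue
        body = [(int(x.get("priority", "0")), (x.text or "").strip())
                for x in rules if x.get("ipv") == ipv and x.get("chain") == target]
        lo = [p for p, t in body if "-o lo" in t and t.endswith("-j ACCEPT")]
        deny = [p for p, t in body if t.startswith(("-j DROP", "-j REJECT"))]
        if deny and (not lo or min(lo) > min(deny)):
            findings.append(f"{ipv}: {target} denies traffic before allowing loopback")
    return findings
```

Write the output of build_direct_xml() to /etc/firewalld/direct.xml and run firewall-cmd --reload; run audit_direct_xml() over the existing file first to see whether the user's chain already starves loopback.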


Author: naftalimich

Updated on September 18, 2022

Comments

  • naftalimich over 1 year

    I know about changing owners/permissions on particular programs/files, but how can I control which users have access to the network card (NIC) or have the power to create network sockets?

  • ubuntu_uk_user over 8 years
    how would you then reverse this command?
  • Frxstrem over 8 years
    @user2662639 Simply reboot. Unless you've added the line to /etc/rc.local, it's not persistent, and if you have, then you can just remove that line.
  • Frxstrem over 8 years
    @user2662639 (I think it's possible without rebooting but it's been three years since I wrote this answer and so I really can't remember anymore.)
  • Artyom over 7 years
    run this: sudo iptables -D OUTPUT -m owner --uid-owner {USERNAME} -j REJECT to delete the rule that you've added, notice the "-D" switch.
  • Basj about 4 years
    @Frxstrem it would be interesting to edit the answer and include how to do it with newer versions (with systemd): what would be the simplest way instead of /etc/rc.local? (or maybe would this still work, even with systemd?)
  • Scrooge McDuck over 2 years
    @Basj check my answer
  • Admin almost 2 years
    Big thank you! Googling half day for this. And here are my commands to block internet for a specific user but allow loopback:

    firewall-cmd --direct --permanent --add-chain ipv4 filter no_internet
    firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -m owner --uid-owner some-user -j no_internet
    firewall-cmd --direct --permanent --add-rule ipv4 filter no_internet 2 -d 127.0.0.1/32 -j ACCEPT
    firewall-cmd --direct --permanent --add-rule ipv4 filter no_internet 3 -j DROP
    firewall-cmd --reload