How to disable internet for a user on a system
Solution 1
As described here, you can block all Internet access for certain users using this iptables command:
sudo iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT
sudo ip6tables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT
If you want this command to run automatically when the system starts up, you should add it to the end of your /etc/rc.local file.
While this won't make it impossible for those users to create sockets, it will block all outgoing traffic (like a firewall).
Solution 2
If firewalld is part of your setup, you can block network access for a specific user using a direct rule, e.g.:
/etc/firewalld/direct.xml
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="filter" chain="restrict_user_ipv4"/>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="1">-m owner --uid-owner user -j restrict_user_ipv4</rule>
  <rule ipv="ipv4" table="filter" chain="restrict_user_ipv4" priority="3">-j DROP</rule>
  <chain ipv="ipv6" table="filter" chain="restrict_user_ipv6"/>
  <rule ipv="ipv6" table="filter" chain="OUTPUT" priority="1">-m owner --uid-owner user -j restrict_user_ipv6</rule>
  <rule ipv="ipv6" table="filter" chain="restrict_user_ipv6" priority="3">-j DROP</rule>
</direct>
Don't forget to reload with
# firewall-cmd --reload
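Both answers block a user's outbound traffic with the owner match, but neither exempts loopback, so the blocked user also loses a local DNS cache, a local database or the display server. The script below is an added example, not code from either answer or the asker: it wraps the iptables approach from Solution 1 in a per-user chain that allows loopback and rejects everything else (REJECT rather than Solution 2's DROP, so the user's programs fail fast), for IPv4 and IPv6, idempotent so it can be re-run from rc.local or a boot unit, and reversible. The chain name no_net_<uid> and the DRY_RUN variable are my assumptions.

```shell
#!/usr/bin/env bash
# Per-user outbound block built on the iptables owner match from the answers:
# a dedicated chain no_net_<uid> (chain name is an assumption) that allows
# loopback and rejects everything else, installed for IPv4 and IPv6, idempotent
# (safe to re-run at boot) and cleanly reversible.
# DRY_RUN=1 prints the commands instead of running them, so no root is needed.
set -euo pipefail

run() {        # run a firewall command with sudo, or echo it in dry-run mode
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else sudo "$@"; fi
}

has_rule() {   # true if the chain/rule already exists; dry run assumes it does not
    [ "${DRY_RUN:-0}" = 1 ] && return 1
    sudo "$@" 2>/dev/null
}

resolve_uid() {   # accept a user name or a numeric uid; numeric ids survive renames
    case "$1" in *[!0-9]*|"") id -u "$1" ;; *) echo "$1" ;; esac
}

block_user_net() {
    local uid chain ipt
    uid=$(resolve_uid "$1"); chain="no_net_${uid}"
    for ipt in iptables ip6tables; do
        has_rule "$ipt" -L "$chain" -n || run "$ipt" -N "$chain"
        # keep local services (DNS cache, X, databases on localhost) working
        has_rule "$ipt" -C "$chain" -o lo -j ACCEPT || run "$ipt" -A "$chain" -o lo -j ACCEPT
        # REJECT rather than DROP: the user's programs fail fast instead of timing out
        has_rule "$ipt" -C "$chain" -j REJECT || run "$ipt" -A "$chain" -j REJECT
        # insert at the top of OUTPUT so an earlier ACCEPT rule cannot bypass it
        has_rule "$ipt" -C OUTPUT -m owner --uid-owner "$uid" -j "$chain" ||
            run "$ipt" -I OUTPUT 1 -m owner --uid-owner "$uid" -j "$chain"
    done
}

unblock_user_net() {   # remove the jump first, then empty and delete the chain
    local uid chain ipt
    uid=$(resolve_uid "$1"); chain="no_net_${uid}"
    for ipt in iptables ip6tables; do
        run "$ipt" -D OUTPUT -m owner --uid-owner "$uid" -j "$chain"
        run "$ipt" -F "$chain"
        run "$ipt" -X "$chain"
    done
}

# Usage: sudo ./user-net.sh block alice   or   DRY_RUN=1 ./user-net.sh unblock alice
if [ $# -eq 2 ]; then
    case $1 in block) block_user_net "$2" ;; unblock) unblock_user_net "$2" ;; esac
fi
```

Run it with DRY_RUN=1 first to review the exact rules before applying them; the block rules are ephemeral like the answers' own, so persist them by calling the script at boot.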
Author: naftalimich
Updated on September 18, 2022
Comments
-
naftalimich over 1 year
I know about changing owners/permissions on particular programs/files, but how can I control which users have access to the network card (NIC) or have the power to create network sockets?
-
ubuntu_uk_user over 8 years
how would you then reverse this command?
-
Frxstrem over 8 years
@user2662639 Simply reboot. Unless you've added the line to /etc/rc.local, it's not persistent, and if you have, then you can just remove that line.
-
Frxstrem over 8 years
@user2662639 (I think it's possible without rebooting but it's been three years since I wrote this answer and so I really can't remember anymore.)
-
Artyom over 7 years
run this: sudo iptables -D OUTPUT -m owner --uid-owner {USERNAME} -j REJECT to delete the rule that you've added, notice the "-D" switch.
-
Basj about 4 years
@Frxstrem it would be interesting to edit the answer and include how to do it with newer versions (with systemd): what would be the simplest way instead of /etc/rc.local? (or maybe would this still work, even with systemd?)
-
Scrooge McDuck over 2 years
@Basj check my answer
-
Admin almost 2 years
Big thank you! Googling half day for this. And here are my commands to block internet for a specific user but allow loopback:
firewall-cmd --direct --permanent --add-chain ipv4 filter no_internet
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -m owner --uid-owner some-user -j no_internet
firewall-cmd --direct --permanent --add-rule ipv4 filter no_internet 2 -d 127.0.0.1/32 -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter no_internet 3 -j DROP
firewall-cmd --reload