First of all, iptables is the right command to do the job. But generally you would use a reasonable number of commands to set up a complete table; one command is one alteration to the table.
To find out the tables already in place and the default policy if no rules are matched, use iptables -L. Usually one would write a bash script containing all the iptables settings, where at first you flush all the chains and then put everything in at once. This is to prevent losing track of what's in and out.
Also, check your init implementation to see if there are init scripts available to make your changes persistent over power cycles. (Normally your tables are lost after reboot.)
Just create a script to include all your iptables commands:
    #!/bin/bash
    # Flush all chains
    iptables -F
    # Set default policies
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    # Don't block localhost traffic
    iptables -A INPUT -i lo -j ACCEPT
    # Don't re-evaluate already accepted connections
    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Allowed incoming tcp ports
    iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT  # SSH
    # Add whatever else you wish to allow
See this article for more tips on standard iptables rules.
Now to answer your question
First we needed to make sure you have a basic firewall up and running. Now you can add your rule to your script to take effect. Please take into account the suggestions from the other answers: a user can easily bypass two blocked ports with a proxy or alternate ports.
Furthermore, your syntax was not correct. --dport can take only one port. You need to use the multiport module or chain multiple rules to do so.
However, blocking all outgoing connections for this user will cause many applications to fail, because they depend on the lo connection located at localhost or 127.0.0.1. (E.g. if you are using KDM/KDE, your system freezes up during login.)
So you need to exclude the lo network interface from your rule. If you still want to allow the user to access only certain services, just create a rule before the DROP rule allowing those ports. I would suggest the following:
    # $USERNAME holds the account whose outgoing traffic is restricted
    # Don't re-evaluate already ACCEPTed connections
    iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Allow an outgoing connection, like SSH
    iptables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner $USERNAME -j ACCEPT
    # Drop anything else that is not on localhost
    iptables -A OUTPUT ! -o lo -m owner --uid-owner $USERNAME -j DROP
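As an added example that is not part of the original answer, the shell helper below turns the advice above into a single iptables-restore ruleset: loopback excluded, whitelist before the per-user DROP, and several allowed ports in one rule via the multiport module the answer mentions but does not show. The function names, the user `alice` and the port list are assumptions; the output is only generated here, applying it needs root.

```shell
#!/bin/sh
# Hypothetical helper (added example): emit an iptables-restore ruleset
# that limits one user's outbound TCP traffic to a comma-separated port list.
# Lines starting with '#' are skipped by iptables-restore, so comments are safe.
build_user_egress_rules() {
    user="$1"    # account to restrict, e.g. "alice" (assumed name)
    ports="$2"   # allowed destination ports, e.g. "22,443" (assumed list)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Never filter loopback: local daemons (display manager, D-Bus, resolver) need it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Don't re-evaluate packets of connections that were already accepted
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Inbound: only new SSH connections
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Whitelist first: the multiport module puts several ports in one rule
-A OUTPUT -p tcp -m multiport --dports ${ports} -m owner --uid-owner ${user} -j ACCEPT
# Then drop everything else this user originates (loopback was accepted above)
-A OUTPUT -m owner --uid-owner ${user} -j DROP
COMMIT
EOF
}

# Number of OUTPUT rules that carry the owner match (expected: ACCEPT + DROP = 2)
count_owner_rules() {
    build_user_egress_rules "$1" "$2" | grep -c -- '-A OUTPUT .*--uid-owner'
}

# Print the ruleset; apply with: build_user_egress_rules alice 22,443 | iptables-restore
build_user_egress_rules "${1:-alice}" "${2:-22,443}"
```

Because iptables-restore loads the whole table atomically, this also replaces the flush-then-append sequence of a hand-written script without a window where half the rules are in place.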