Can I deny a user access to the Internet?
The user will be able to log in my Linux box, but must not have access to
the outside Internet.
I use a direct ppp connection to my ISP.
Is this simple or very complex?
Thanks.
> Can I deny a user access to the Internet?
> The user will be able to log in my Linux box, but must not have access to
> the outside Internet.
> I use a direct ppp connection to my ISP.
> Is this simple or very complex?
> Thanks.
Then change the perms on the Internet programs (telnet,
ftp, rlogin, etc) so that they're owner and group
executable, but not other user executable (750 I think) and
do chgrp on the Internet commands you want to block so that
they're in group 'special' or whatever...
Um, email with questions if you need.
--
Chris Harshman
XCC System Administrator
http://paradigm.uor.edu/harshman
909.307.7692
"Linux - the OS people choose without $200,000,000 in persuasion."
UNIX is user-friendly. It's just selective about who its friends are.
>> The user will be able to log in my Linux box, but must not have access to
>> the outside Internet.
>Should be fairly easy. Anyone you want to be able to use the internet,
>put in one group ('special') and leave everyone else as group 'users' or
>whatever.
>Then change the perms on the Internet programs (telnet,
>ftp, rlogin, etc) so that they're owner and group
>executable, but not other user executable (750 I think) and
>do chgrp on the Internet commands you want to block so that
>they're in group 'special' or whatever...
-rwxr-xr-x 1 root bin 66525 Dec 6 1995 /bin/telnet*
Since telnet does not need to be suid root to work, users' own compiled
versions would work, too.
To truly block the box off from the Internet, the ISP would need to put
packet filters on its router, saying just where the box is allowed to access
and where it isn't. Very easy to do if the router is a Cisco, probably also
easy if it's a Linux box routing, but I've never played with Linux packet
filtering.
Of course, this has the disadvantage that the whole machine is blocked off
from the net, not just on a user-by-user basis. Better have an
administrator-only machine on hand, too ;)
Cheers,
Paul.
--
"The growing use of e-mail, not to mention Web-page publishing, threatens to
reverse the trend towards illiteracy among the supposedly educated without at
the same time improving their spelling". -- Michael Swaine, Dr. Dobb's Journal
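The group-gating scheme from the first reply, together with an audit that flags any listed client still in the world-executable state shown in the `ls -l` line above. This is an added example, not code from the original posts; the function names `gate_clients` and `audit_clients` are hypothetical, and the group and directory are passed in as arguments.

```shell
#!/bin/sh
# Added example: group-gate network client binaries, then audit the result.
# gate_clients and audit_clients are hypothetical helper names.
# Scope: this only gates the files you name. As the reply above points out,
# it does not stop a client binary the user compiles or copies in.

# gate_clients GROUP DIR NAME...
# Put each DIR/NAME in GROUP and set mode 750, so owner and group members
# can execute it and everyone else cannot.
gate_clients() {
    group=$1; dir=$2; shift 2
    for name in "$@"; do
        f="$dir/$name"
        [ -f "$f" ] || { echo "skip: $f not found" >&2; continue; }
        chgrp "$group" "$f" && chmod 750 "$f" || return 1
    done
}

# audit_clients DIR NAME...
# Print every listed binary that "other" can still execute (for example a
# file left at mode 755). Empty output means every listed file is gated.
audit_clients() {
    dir=$1; shift
    for name in "$@"; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        # -perm -001 matches when the other-execute bit is set
        find "$f" -prune -perm -001 -print
    done
}

# Typical use, as root, with the group name from the thread:
#   gate_clients special /bin telnet
#   audit_clients /bin telnet
```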
> The user will be able to log in my Linux box, but must not have access to
> the outside Internet.
If they can do normal things (like execute programs they have written)
--
Phones: +44 121 471 3789 (home)
PGP-fp: D7 03 2A 4B D8 3A 05 37...
http://wcl-l.bham.ac.uk/~bam/
> > Can I deny a user access to the Internet?
> No.
Perhaps chroot would work... that would run with the problem of
keeping two separate root filesystems up to date though.
denty.
Since I upgraded to the 2.0.x kernel PPP does not setup my default route
when a connection is made. I am using the following command.
exec "/usr/sbin/pppd defaultroute noipdefault lock crtscts
mru 296 mtu 296 /dev/ttyS1 38400"
netstat -nr gives me
Kernel routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.1.6.235     0.0.0.0         255.255.255.255 UH    0      0     0 ppp0
192.1.5.0       0.0.0.0         255.255.255.0   U     0      0     0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0     1 lo
0.0.0.0         0.0.0.0         0.0.0.0         U     1      0     0 eth0
Am I doing something wrong, this is the same command I used in
earlier versions.
Suggestions are welcome,
Thanks
--
Colin Beckmann
>netstat -nr gives me
>Kernel routing table
>Destination     Gateway         Genmask         Flags Metric Ref Use Iface
>192.1.6.235     0.0.0.0         255.255.255.255 UH    0      0     0 ppp0
>192.1.5.0       0.0.0.0         255.255.255.0   U     0      0     0 eth0
>127.0.0.0       0.0.0.0         255.0.0.0       U     0      0     1 lo
>0.0.0.0         0.0.0.0         0.0.0.0         U     1      0     0 eth0
>Am I doing something wrong, this is the same command I used in
>earlier versions.
BTW: Has 192.1.x.x been officially allocated to you by InterNIC?
If not then you should not use it! See RFC1597 (or the HOWTOs) for
addresses to use.
--
Phones: +44 121 471 3789 (home)
PGP-fp: D7 03 2A 4B D8 3A 05 37...
http://wcl-l.bham.ac.uk/~bam/
1. denying access to the Internet with iptables
Why can I still connect to www from a local network, although I have
inserted the below chain?
iptables -A INPUT -p tcp -s ! 192.168.1.1 -d ! 192.168.1.1 --dport 80 -j REJECT
(I've also tried DROP here).
-- T.