Blocking Internet traffic for specific users while allowing local traffic

rcx11 · 07-01-2021, 07:31 PM

Though I've been a linux user for over a decade, I've yet to have to truly deal with iptables. I'm trying to setup a new Raspberry Pi with iptables rules as described here in order to block my son's access to the internet but maintain access to local network resources. After installing ufw, enabling it, and applying the rules as described, I'm still able to reach the internet. What could be wrong?

MikeDeltaBrown · 07-01-2021, 11:42 PM

I'm guessing the computer you added these rules to is connecting to the internet through a gateway/modem separate from the computer your son is using.

I looked at your StackExchange reference; did you verify the following files:
/etc/group
/home/username/.local/bin/no-internet

Note that in order for this to block access, programs have to be started like the example:

Code:

no-internet "firefox"

This doesn't seem too secure to me.
To block all user's access to the internet, leave the gateway address blank. That is only used to send packets "off-network".
Another way would be to add a firewall rule:

Code:

iptables -I OUTPUT ! -d 192.168.1.0/24 -j REJECT

Change 192.168.1.0/24 to your LAN network address CIDR.

rcx11 · 07-01-2021, 11:51 PM

This is being performed on the same machine. I'm using my account to set the rules, and then switching to his account to see if the changes took effect. Files were verified.

Code:

$ cat /etc/group
...
son:x:1001:
no-internet:x:1002:son
$ sudo cat /home/son/.local/bin/no-internet
#!/bin/bash
exec sg no-internet "$@"
$ sudo ls -l /home/son/.local/bin
total 4
-rwxr-xr-x 1 son son 37 Jul  1 18:21 no-internet

MikeDeltaBrown · 07-02-2021, 12:41 AM

I think the problem is the wrapper script isn't being called. As an example, try these two commands (or just think about them):

1) ping 8.8.8.8

2) no-internet "ping 8.8.8.8"

(1) should work, (2) should not.... assuming everything else is right.

One more thing to check;

Code:

echo $PATH

and make sure "/home/son/.local/bin/" is at the beginning.

rcx11 · 07-02-2021, 10:00 AM

I did check the PATH, and /home/son/.local/bin is at the beginning. (1) did return successful pings. (2) returned "Operation not permitted". However, opening Chromium, I was able to successfully browse the internet, which is what I'm trying to deny. My son will not be opening a terminal to start his programs.

MikeDeltaBrown · 07-02-2021, 10:56 PM

So the method works as advertised. The problem is that you'd have to write wrapper scripts for every program that your son may run. Ugh! That's alot of work. Probably just easier to remove the default route (mentioned in the middle of my first post.

rcx11 · 07-04-2021, 04:42 PM

Is there another method that you know that would achieve the same effect? I want to allow network resource access while blocking internet access on a per-user basis.