full networking for console user, limited networking for remotely logged in user

 
 
RJ41
Guest
Posts: n/a

 
      08-14-2003, 08:27 AM
Hello

I need to set up a lab such that the users logged on to the console have
full access to the LAN and internet, but users logging in remotely (via
telnet/ssh) to the lab servers would be allowed only to access the LAN
(i.e. other servers in the lab only) and would not be granted access to
the network outside of the lab, i.e. to the internet.
I would use Red Hat 9.0.

So how do I go about doing this?
 
/dev/rob0
Guest
Posts: n/a

 
      08-14-2003, 05:58 PM
[followup-to set]
In article <(E-Mail Removed)>, RJ41 wrote:
> I need to setup a lab. such that the users logged on to console have
> full access of lan and internet but, users remotely logging(via
> telnet/ssh) into the lab servers would be allowed only to access lan(

See the iptables "owner" match extension ("man iptables"). If you have a
fixed list of authorised and unauthorised users, this will be easy:
simply assign the remote users to a single group, and use -m owner to
block that GID.

I'm not sure how pid-owner and sid-owner work, but those might make it
even easier, if they can exclude any process started under sshd or
telnetd. Perhaps someone else will know?

If users might alternate between console and remote logins, this would
be more complicated and possibly weak. You could use the shell to set
the effective GID when logging in. That of course opens up a lot of
other shell issues.

> I would use RedHat 9.0.
Note that Red Hat by default puts all new user accounts in per-user
unique groups. You might have to override this default (and change any
accounts which already exist.)
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
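The rule set /dev/rob0 describes, written out as an added example (this is not code from the thread). It assumes a made-up lab network of 192.168.10.0/24 and a made-up collective group called "remoteusers"; substitute your own. Two points worth knowing before loading it: the owner match only sees packets generated on the box itself, so the rules belong in the OUTPUT chain of the filter table, and the --pid-owner/--sid-owner variants asked about above were dropped from later kernels, so only --uid-owner and --gid-owner are portable. Set IPTABLES=echo to print the rules instead of loading them, which lets you review the result without being root.

```shell
#!/bin/sh
# Added example: restrict one group to the lab LAN with iptables "-m owner".
# Assumed values (not from the thread): LAN 192.168.10.0/24, group "remoteusers".
# Set IPTABLES=echo to print the rules instead of loading them.

IPTABLES="${IPTABLES:-iptables}"

# lab_egress_rules LAN_CIDR GROUP
# Builds a dedicated chain that returns for LAN/loopback destinations and
# rejects everything else, then hooks it into OUTPUT for the given group.
lab_egress_rules() {
    lan="$1"
    grp="$2"

    # Create the chain if missing, then flush it so re-runs are idempotent.
    "$IPTABLES" -N REMOTE_OUT 2>/dev/null || true
    "$IPTABLES" -F REMOTE_OUT

    # Loopback and the lab LAN are allowed for the restricted group.
    "$IPTABLES" -A REMOTE_OUT -o lo -j RETURN
    "$IPTABLES" -A REMOTE_OUT -d "$lan" -j RETURN

    # Anything else is refused. REJECT (rather than DROP) gives the user an
    # immediate "permission denied" instead of a hanging connection.
    "$IPTABLES" -A REMOTE_OUT -j REJECT --reject-with icmp-admin-prohibited

    # Only locally generated packets carry an owner, so the match lives in
    # OUTPUT. Delete any old copy of the jump, then insert at position 1 so
    # a blanket ACCEPT further down the chain cannot shadow it.
    "$IPTABLES" -D OUTPUT -m owner --gid-owner "$grp" -j REMOTE_OUT 2>/dev/null || true
    "$IPTABLES" -I OUTPUT 1 -m owner --gid-owner "$grp" -j REMOTE_OUT
}

# Usage: ./lab-egress.sh 192.168.10.0/24 remoteusers
if [ "$#" -eq 2 ]; then
    lab_egress_rules "$1" "$2"
fi
```

The match is on the effective GID of the process that owns the socket, which is why the rest of the thread insists on a single collective group: a user who can switch to another of their groups (newgrp, sg, a setgid binary) leaves the match, and root is of course never constrained by it.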
 
Reply With Quote
 
Joe Beanfish
Guest
Posts: n/a

 
      08-15-2003, 06:28 PM
/dev/rob0 wrote:
> See the iptables "owner" match extension ("man iptables"). If you have a
> fixed list of authorised and unauthorised users, this will be easy:
> simply assign the remote users to a single group, and use -m owner to
> block that GID.
[snip]
> Note that Red Hat by default puts all new user accounts in per-user
> unique groups. You might have to override this default (and change any
> accounts which already exist.)

Users may belong to more than one group.
 
Reply With Quote
 
/dev/rob0
Guest
Posts: n/a

 
      08-15-2003, 08:18 PM
In article <(E-Mail Removed)>, Joe Beanfish wrote:
> /dev/rob0 wrote:
>> simply assign the remote users to a single group, and use -m owner to
                                   ^^^^^^^^^^^^^^
>> block that GID.
>> [snip IRRELEVANT quoted material]
>> Note that Red Hat by default puts all new user accounts in per-user
>> unique groups. You might have to override this default (and change any
>> accounts which already exist.)
>
> Users may belong to more than one group.

Why yes, that is true, and I am aware of that. I am also aware how a
user can change his/her effective GID to any of those groups. That is
why I suggested using a SINGLE collective group.

BTW iptables can also filter based upon more than one GID. But I didn't
suggest that because it would be complex and difficult to maintain. The
filtering could be inverse: the list of GID's could be used for allowing
or for denying access.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
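The weakness discussed in the last two posts is easy to check for. Below is an added example (not from the thread) that audits passwd(5) and group(5) data for exactly the conditions /dev/rob0 wants: everyone the restricted group covers must have it as their primary group and must belong to no other group, since any additional membership is a group they can newgrp or sg into and thereby leave the GID the firewall matches. The group name "remoteusers" and the sample account entries are constructed for the demonstration; on a real box run it against /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example: find accounts that can escape a single-group owner match.
# Assumed group name "remoteusers" and the sample entries below are made up.

# audit_group_isolation GROUP PASSWD_FILE GROUP_FILE
# Prints one line per problem and nothing when the group is cleanly isolated.
# A user is "covered" if GROUP is their primary group or they are listed as
# a supplementary member of it.
audit_group_isolation() {
    grp="$1"
    passwd_file="$2"
    group_file="$3"
    # The group file is read first (FNR == NR), then passwd. The group file
    # must be non-empty for that test to work, which is always true in practice.
    awk -F: -v grp="$grp" '
        FNR == NR {
            gid[$1] = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "") member[m[i]] = member[m[i]] " " $1
            next
        }
        {
            user = $1; primary = $4
            covered = (primary == gid[grp]) || index(" " member[user] " ", " " grp " ")
            if (!covered) next
            # Primary group must be the restricted one, otherwise the
            # default effective GID at login is never matched.
            if (primary != gid[grp])
                printf "%s: primary group is GID %s, not %s\n", user, primary, grp
            # Any other membership is a group the user can switch into.
            n = split(member[user], g, " ")
            for (i = 1; i <= n; i++)
                if (g[i] != "" && g[i] != grp)
                    printf "%s: also in group %s\n", user, g[i]
        }' "$group_file" "$passwd_file"
}

# sample_audit: runs the audit on constructed passwd/group snippets.
# alice is clean, bob keeps his Red Hat per-user private group as primary,
# carol is also in wheel.
sample_audit() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
alice:x:1001:600:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:600:Carol:/home/carol:/bin/bash
EOF
    cat > "$tmp/group" <<'EOF'
remoteusers:x:600:bob
bob:x:1002:
wheel:x:10:carol
EOF
    audit_group_isolation remoteusers "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

# Usage on a live system:
#   audit_group_isolation remoteusers /etc/passwd /etc/group
```

On the sample data this reports bob (primary group is his private GID 1002, so his sessions are never matched) and carol (member of wheel, so she can newgrp into it). The fix for an existing account is to make the collective group primary and drop the extra memberships; on Red Hat that means overriding the per-user private group the thread mentions.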
 
Reply With Quote
 
 
 
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How Can I Obtain a Logged On User Name from Just a Computer Name? razor Windows Networking 3 03-22-2008 09:22 PM
Another USER might be logged on? Dave_s Wireless Internet 5 10-26-2007 09:31 PM
user(s) logged on warning please jona Windows Networking 4 06-09-2007 01:49 PM
Who was the last logged in user? Dudute Windows Networking 0 09-26-2006 02:18 PM
Determining how many of one user is logged-on to the network Bill Bradley Windows Networking 0 02-04-2006 08:34 PM



1 2 3 4 5 6 7 8 9 10 11