How to limit internet access "by account"

 
 
Ignoramus1841, 10-17-2007, 01:18 AM
Is there some way, on a linux box, to restrict internet access of one
user, to only certain ports and certain websites? Any thoughts? This
is a kid issue. I am not afraid of viruses, but more of objectionable
content. Even that does not bother me too much, but i WANT TO start
with having control.

i
 
Ignoramus1841, 10-17-2007, 01:20 AM
I want to be clear: I want user "joeblow" to have unrestricted access,
and user "jimmy" to have restricted access. This is NOT about doing
per-machine control. It is about per-user control.

If that helps, the kid's linux box in question is on a private subnet
behind a Linux based firewall. Fedora 7.

i

On 2007-10-17, Ignoramus1841 <(E-Mail Removed)> wrote:
> Is there some way, on a linux box, to restrict internet access of one
> user, to only certain ports and certain websites? Any thoughts? This
> is a kid issue. I am not afraid of viruses, but more of objectionable
> content. Even that does not bother me too much, but i WANT TO start
> with having control.
>
> i

 
Jean-David Beyer, 10-17-2007, 01:57 AM
Ignoramus1841 wrote:
> I want to be clear: I want user "joeblow" to have unrestricted access,
> and user "jimmy" to have restricted access. This is NOT about doing
> per-machine control. It is about per-user control.
>
> If that helps, the kid's linux box in question is on a private subnet
> behind a Linux based firewall. Fedora 7.
>
> i
>
> On 2007-10-17, Ignoramus1841 <(E-Mail Removed)> wrote:
>> Is there some way, on a linux box, to restrict internet access of one
>> user, to only certain ports and certain websites? Any thoughts? This
>> is a kid issue. I am not afraid of viruses, but more of objectionable
>> content. Even that does not bother me too much, but i WANT TO start
>> with having control.
>>
>> i


I do something like that. I have a main machine that connects direct to the
Internet. It runs a _iptables_ firewall. My other machine runs either Linux
or Windows XP. I told the other machine, when running Linux, that its IP
address was 192.168.1.202 and I told the other machine, when running Windows
XP that its IP address was 192.168.1.2. Then my firewall thought it was
dealing with two machines on the same network. One (the Linux one) has
rather lax firewall. But with the one running Windows, it will accept no
incoming messages that are not replies to messages it sent. It will allow no
outgoing messages except to specified IP addresses (blocks of those
addresses, actually, in my case) and ports (only port 80 and 443 in my
case). Of course you could customize your own differently.

--
Jean-David Beyer, Shrewsbury, New Jersey
Registered Linux User 85642, Registered Machine 241939, PGP-Key: 9A2FC99A
http://counter.li.org
21:50:01 up 10 days, 5:26, 2 users, load average: 4.02, 4.10, 4.10
 
Robert M. Riches Jr., 10-17-2007, 02:08 AM
On 2007-10-17, Jean-David Beyer <(E-Mail Removed)> wrote:
> Ignoramus1841 wrote:
>> I want to be clear: I want user "joeblow" to have unrestricted access,
>> and user "jimmy" to have restricted access. This is NOT about doing
>> per-machine control. It is about per-user control.
>>
>> If that helps, the kid's linux box in question is on a private subnet
>> behind a Linux based firewall. Fedora 7.
>>
>> i
>>
>> On 2007-10-17, Ignoramus1841 <(E-Mail Removed)> wrote:
>>> Is there some way, on a linux box, to restrict internet access of one
>>> user, to only certain ports and certain websites? Any thoughts? This
>>> is a kid issue. I am not afraid of viruses, but more of objectionable
>>> content. Even that does not bother me too much, but i WANT TO start
>>> with having control.
>>>
>>> i

>
> I do something like that. I have a main machine that connects direct to the
> Internet. It runs a _iptables_ firewall. My other machine runs either Linux
> or Windows XP. I told the other machine, when running Linux, that its IP
> address was 192.168.1.202 and I told the other machine, when running Windows
> XP that its IP address was 192.168.1.2. Then my firewall thought it was
> dealing with two machines on the same network. One (the Linux one) has
> rather lax firewall. But with the one running Windows, it will accept no
> incoming messages that are not replies to messages it sent. It will allow no
> outgoing messages except to specified IP addresses (blocks of those
> addresses, actually, in my case) and ports (only port 80 and 443 in my
> case). Of course you could customize your own differently.


Did I understand correctly that the OP wanted two different
_accounts_ on the same host to have different web access
abilities? If so, wouldn't a squid proxy be a more relevant
solution?

The difficult part, assuming the proxy is on a separate
physical machine from the one the kids are using, is how to
tell the proxy which account is in use. If squid can be
configured to require a login and password to get through
it, that might work.

It might also work to set up a background process on the
kids' machine to modify iptables rules based on which user
is logged in.

--
Robert Riches
(E-Mail Removed)
(Yes, that is one of my email addresses.)
 
Ignoramus1841, 10-17-2007, 03:09 AM
On 2007-10-17, Jean-David Beyer <(E-Mail Removed)> wrote:
> Ignoramus1841 wrote:
>> I want to be clear: I want user "joeblow" to have unrestricted access,
>> and user "jimmy" to have restricted access. This is NOT about doing
>> per-machine control. It is about per-user control.
>>
>> If that helps, the kid's linux box in question is on a private subnet
>> behind a Linux based firewall. Fedora 7.
>>
>> i
>>
>> On 2007-10-17, Ignoramus1841 <(E-Mail Removed)> wrote:
>>> Is there some way, on a linux box, to restrict internet access of one
>>> user, to only certain ports and certain websites? Any thoughts? This
>>> is a kid issue. I am not afraid of viruses, but more of objectionable
>>> content. Even that does not bother me too much, but i WANT TO start
>>> with having control.
>>>
>>> i

>
> I do something like that. I have a main machine that connects direct to the
> Internet. It runs a _iptables_ firewall. My other machine runs either Linux
> or Windows XP. I told the other machine, when running Linux, that its IP
> address was 192.168.1.202 and I told the other machine, when running Windows
> XP that its IP address was 192.168.1.2. Then my firewall thought it was
> dealing with two machines on the same network. One (the Linux one) has
> rather lax firewall. But with the one running Windows, it will accept no
> incoming messages that are not replies to messages it sent. It will allow no
> outgoing messages except to specified IP addresses (blocks of those
> addresses, actually, in my case) and ports (only port 80 and 443 in my
> case). Of course you could customize your own differently.
>


That does not allow per-account control, unfortunately.

i
 
Ignoramus1841, 10-17-2007, 03:10 AM
On 2007-10-17, Robert M. Riches Jr. <(E-Mail Removed)> wrote:
> On 2007-10-17, Jean-David Beyer <(E-Mail Removed)> wrote:
>> Ignoramus1841 wrote:
>>> I want to be clear: I want user "joeblow" to have unrestricted access,
>>> and user "jimmy" to have restricted access. This is NOT about doing
>>> per-machine control. It is about per-user control.
>>>
>>> If that helps, the kid's linux box in question is on a private subnet
>>> behind a Linux based firewall. Fedora 7.
>>>
>>> i
>>>
>>> On 2007-10-17, Ignoramus1841 <(E-Mail Removed)> wrote:
>>>> Is there some way, on a linux box, to restrict internet access of one
>>>> user, to only certain ports and certain websites? Any thoughts? This
>>>> is a kid issue. I am not afraid of viruses, but more of objectionable
>>>> content. Even that does not bother me too much, but i WANT TO start
>>>> with having control.
>>>>
>>>> i

>>
>> I do something like that. I have a main machine that connects direct to the
>> Internet. It runs a _iptables_ firewall. My other machine runs either Linux
>> or Windows XP. I told the other machine, when running Linux, that its IP
>> address was 192.168.1.202 and I told the other machine, when running Windows
>> XP that its IP address was 192.168.1.2. Then my firewall thought it was
>> dealing with two machines on the same network. One (the Linux one) has
>> rather lax firewall. But with the one running Windows, it will accept no
>> incoming messages that are not replies to messages it sent. It will allow no
>> outgoing messages except to specified IP addresses (blocks of those
>> addresses, actually, in my case) and ports (only port 80 and 443 in my
>> case). Of course you could customize your own differently.

>
> Did I understand correctly that the OP wanted two different
> _accounts_ on the same host to have different web access
> abilities? If so, wouldn't a squid proxy be a more relevant
> solution?


Well, yeah, maybe! I have not thought about squid, but I am totally
open, can you tell me more?

> The difficult part, assuming the proxy is on a separate
> physical machine from the one the kids are using, is how to
> tell the proxy which account is in use. If squid can be
> configured to require a login and password to get through
> it, that might work.
>
> It might also work to set up a background process on the kids'
> machine to modify iptables rules based on which user is logged in.


That's a possibility too, kind of ugly but it can work with a bit of
scripting.

i
 
Grant Edwards, 10-17-2007, 03:35 AM
On 2007-10-17, Robert M. Riches Jr. <(E-Mail Removed)> wrote:

>>> On 2007-10-17, Ignoramus1841 <(E-Mail Removed)> wrote:
>>>> Is there some way, on a linux box, to restrict internet access of one
>>>> user, to only certain ports and certain websites? Any thoughts? This
>>>> is a kid issue. I am not afraid of viruses, but more of objectionable
>>>> content. Even that does not bother me too much, but i WANT TO start
>>>> with having control.

>>
>> I do something like that. I have a main machine that connects direct to the
>> Internet. It runs a _iptables_ firewall. My other machine runs either Linux
>> or Windows XP. I told the other machine, when running Linux, that its IP
>> address was 192.168.1.202 and I told the other machine, when running Windows
>> XP that its IP address was 192.168.1.2. Then my firewall thought it was
>> dealing with two machines on the same network. One (the Linux one) has
>> rather lax firewall. But with the one running Windows, it will accept no
>> incoming messages that are not replies to messages it sent. It will allow no
>> outgoing messages except to specified IP addresses (blocks of those
>> addresses, actually, in my case) and ports (only port 80 and 443 in my
>> case). Of course you could customize your own differently.


The OP wants restrictions on an individual user, not on an
entire machine/IP-address.

> Did I understand correctly that the OP wanted two different
> _accounts_ on the same host to have different web access
> abilities?


Yes. Placing restrictions on an IP address basis won't do what
the OP wants to do.

> If so, wouldn't a squid proxy be a more relevant solution?
>
> The difficult part, assuming the proxy is on a separate
> physical machine from the one the kids are using, is how to
> tell the proxy which account is in use. If squid can be
> configured to require a login and password to get through it,
> that might work.


Configure the kid's browser to use the proxy, and the other
user's browser not to. Then lock down the kid's browser
config.

> It might also work to set up a background process on the
> kids' machine to modify iptables rules based on which user
> is logged in.


What if both are?

--
Grant Edwards                   grante at visi.com
Yow! I'm not an Iranian!! I voted for Dianne Feinstein!!
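The per-account proxy login Robert raised and the browser setting Grant describes above, written out as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread; the helper path, realm text, the account name "jimmy" and the two domains are assumptions and will differ per install. Because the proxy authenticates the account rather than the workstation, it works no matter which machine or IP address the request comes from, which is exactly what an IP-based firewall rule cannot tell apart.

```squid
# Added example squid.conf fragment for this thread (not from the original post).
# Paths, realm, account name and domains are assumptions.

# Require a proxy login so the proxy knows which account is browsing.
# Helper path is Fedora's layout for the basic NCSA helper (assumed);
# the password file is created with:  htpasswd -c /etc/squid/passwd jimmy
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm Home proxy
auth_param basic credentialsttl 2 hours

acl all src 0.0.0.0/0.0.0.0          # predefined in Squid 3.2+, needed on older releases
acl authed proxy_auth REQUIRED       # any account that logged in successfully
acl jimmy proxy_auth jimmy           # the restricted account
acl jimmy_sites dstdomain .example.org .example.net   # sites he may visit (assumed)
acl web_ports port 80 443

# Restricted account: only the listed sites, only on the web ports.
http_access allow jimmy jimmy_sites web_ports
http_access deny jimmy

# Every other authenticated account is unrestricted through the proxy.
http_access allow authed
http_access deny all
```

Order matters: `http_access` lines are evaluated top to bottom and the first match wins, so the two `jimmy` rules must come before the general `allow authed`. Two caveats the thread already hints at: this only covers traffic the browser sends through the proxy, so the browser setting on the kid's account has to be locked down (or, on the kid's own box, an `iptables` OUTPUT rule keyed on his UID that only lets him reach the proxy host and port), and the proxy sees nothing of protocols other than HTTP and HTTPS. Squid's access log then records which account fetched which site, which is the visibility the OP said he wanted first.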
 
spike1@freenet.co.uk, 10-17-2007, 07:07 AM
Robert M. Riches Jr. <(E-Mail Removed)> did eloquently scribble:
> Did I understand correctly that the OP wanted two different
> _accounts_ on the same host to have different web access
> abilities? If so, wouldn't a squid proxy be a more relevant
> solution?


That might deal with http requests...
But what about the rest? The internet is a lot larger than the web.

Is there a UID field in packets that could be filtered on? Or even a PID?
--
Andrew Halliwell BSc(hons) in Computer Science | (E-Mail Removed)
"ARSE! GERLS!! DRINK! DRINK! DRINK!!!" / "THAT WOULD BE AN ECUMENICAL MATTER!...FECK!!!!" - Father Jack in "Father Ted"
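On the UID question just above, and on Robert's earlier idea of a background process that rewrites the iptables rules for whoever is logged in (with Grant's objection of what happens when both users are): there is no UID field in a packet on the wire, but the local kernel does know which UID owns the socket that generated each outgoing packet, and iptables can filter on it in the OUTPUT chain with the owner match (`-m owner --uid-owner`). That removes the need for any login-watching daemon and copes with several users logged in at once, because each packet is judged by the account that created it. The script below is an added example, not something posted in the thread; the account name, ports and destination blocks are assumed sample values. It prints the rules rather than applying them, so it can be read and checked before being piped into a root shell on the kid's own box (the owner match only exists for locally generated traffic, so this cannot run on the upstream firewall).

```shell
#!/bin/sh
# Added example for this thread (not code posted by any participant).
# Prints iptables OUTPUT rules that restrict one local account to a few
# TCP ports and destination hosts using the owner match. The kernel tags
# each locally generated packet with the UID of the socket owner, so the
# rules apply per account even when several users are logged in at once.
# Account name, ports and hosts are assumed sample values.

# Print (do not run) the rules for one restricted account.
#   $1 = account name (owner match accepts a name or numeric UID)
#   $2 = space-separated TCP ports
#   $3 = space-separated destination hosts or CIDR blocks
restricted_user_rules() {
    user=$1; ports=$2; hosts=$3
    # Replies on connections this account already opened, and related traffic.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Name resolution, otherwise the allowed sites never resolve.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -p udp --dport 53 -j ACCEPT"
    for h in $hosts; do
        for p in $ports; do
            echo "iptables -A OUTPUT -m owner --uid-owner $user -p tcp -d $h --dport $p -j ACCEPT"
        done
    done
    # Log, then reject, everything else this account originates.
    # Other accounts never match these rules and keep their normal access.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j LOG --log-prefix \"restricted-$user: \""
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j REJECT"
}

# Sample policy for the thread's "jimmy": web ports only, to two
# constructed TEST-NET address blocks standing in for real sites.
print_jimmy_policy() {
    restricted_user_rules jimmy "80 443" "192.0.2.10 198.51.100.0/24"
}

# Review the output first; as root, apply with:  sh restrict.sh | sh
print_jimmy_policy
```

Two things this does and does not give you. It blocks by destination address, so "certain websites" means the sites' IP addresses (or blocks), not hostnames or URLs; anything at the URL level still needs a proxy in front of the browser. On the other hand, it applies to every program the restricted account runs, not just the browser, which answers the "the internet is larger than the web" point, and the rules can only be changed by root. The `LOG` rule gives you a kernel log line for every rejected attempt, which is a reasonable way to see what the policy is actually blocking before tightening it further.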
 
spike1@freenet.co.uk, 10-17-2007, 07:08 AM
Ignoramus1841 <(E-Mail Removed)> did eloquently scribble:
>> It might also work to set up a background process on the kids'
>> machine to modify iptables rules based on which user is logged in.


> That's a possibility too, kind of ugly but it can work with a bit of
> scripting.


What if more than one person's logged in?

--
Andrew Halliwell BSc(hons) in Computer Science | (E-Mail Removed)
"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners" - Ernst Jan Plugge
 
Jean-David Beyer, 10-17-2007, 11:01 AM
Grant Edwards wrote:
> On 2007-10-17, Robert M. Riches Jr. <(E-Mail Removed)> wrote:
>
>>>> On 2007-10-17, Ignoramus1841 <(E-Mail Removed)> wrote:
>>>>> Is there some way, on a linux box, to restrict internet access of one
>>>>> user, to only certain ports and certain websites? Any thoughts? This
>>>>> is a kid issue. I am not afraid of viruses, but more of objectionable
>>>>> content. Even that does not bother me too much, but i WANT TO start
>>>>> with having control.
>>> I do something like that. I have a main machine that connects direct to the
>>> Internet. It runs a _iptables_ firewall. My other machine runs either Linux
>>> or Windows XP. I told the other machine, when running Linux, that its IP
>>> address was 192.168.1.202 and I told the other machine, when running Windows
>>> XP that its IP address was 192.168.1.2. Then my firewall thought it was
>>> dealing with two machines on the same network. One (the Linux one) has
>>> rather lax firewall. But with the one running Windows, it will accept no
>>> incoming messages that are not replies to messages it sent. It will allow no
>>> outgoing messages except to specified IP addresses (blocks of those
>>> addresses, actually, in my case) and ports (only port 80 and 443 in my
>>> case). Of course you could customize your own differently.

>
> The OP wants restrictions on an individual user, not on an
> entire machine/IP-address.


In his second message, the OP said:

"I want to be clear: I want user "joeblow" to have unrestricted access,
and user "jimmy" to have restricted access. This is NOT about doing
per-machine control. It is about per-user control.

"If that helps, the kid's linux box in question is on a private subnet
behind a Linux based firewall. Fedora 7."

This is why I suggested setting the firewall of the Linux machine to protect
"the kid's linux box in question is on a private subnet behind a Linux based
firewall." I thought he meant that "joeblow" was on the Linux machine.
>
>> Did I understand correctly that the OP wanted two different
>> _accounts_ on the same host to have different web access
>> abilities?

>
> Yes. Placing restrictions on an IP address basis won't do what
> the OP wants to do.
>
>> If so, wouldn't a squid proxy be a more relevant solution?
>>
>> The difficult part, assuming the proxy is on a separate
>> physical machine from the one the kids are using, is how to
>> tell the proxy which account is in use. If squid can be
>> configured to require a login and password to get through it,
>> that might work.

>
> Configure the kid's browser to use the proxy, and the other
> user's browser not to. Then lock down the kid's browser
> config.
>
>> It might also work to set up a background process on the
>> kids' machine to modify iptables rules based on which user
>> is logged in.

>
> What if both are?
>



--
Jean-David Beyer, Shrewsbury, New Jersey
Registered Linux User 85642, Registered Machine 241939, PGP-Key: 9A2FC99A
http://counter.li.org
06:55:01 up 10 days, 14:31, 0 users, load average: 4.01, 4.05, 4.04
 