I set up a guest account for the kids to play with, but didn't want them getting into trouble surfing the web unattended. So using iptables, I am able to drop any outbound packets destined for the internet. I added this as a custom rule to SuSEfirewall2 to make it stick, but this does make it kind of permanent. I could make it a script to turn on/off, but this way I don't have to remember, since those kids can learn quickly how to thwart me =)!
== modify /etc/sysconfig/scripts/SuSEfirewall2-custom
insert the rule below into the hook function fw_custom_after_chain_creation(),
before the closing 'true' (important: 'true' must stay as the last statement of the function, so a failing command does not abort the firewall script)
iptables -A OUTPUT -m owner --uid-owner guest ! -d 192.168.0.0/16 -j DROP
To explain what's going on, so you can modify it for your own uses:
this appends (-A) the rule to the OUTPUT chain, and since this hook runs right after the chains are created, the rule lands ahead of the rules SuSEfirewall2 adds itself. The OUTPUT chain only sees packets generated on this box, which is exactly where the owner match works. The rule matches an outgoing packet with the following properties:
-m owner --uid-owner guest : load the owner match and match packets created by a process running as the uid of user 'guest'
! -d 192.168.0.0/16 : the "!" inverts the destination match, so this matches any destination that is NOT inside 192.168.0.0/16, my internal net
so the guest account can still reach my LAN resources, but everything else dead-ends in DROP.
Two things to check before copying this: loopback (127.0.0.0/8) is not inside 192.168.0.0/16, so anything guest talks to on 127.0.0.1 (a local caching resolver, for instance) is dropped too unless you add an ACCEPT for -o lo ahead of it; and iptables says nothing about IPv6, so if the box has IPv6 connectivity the same account walks straight out unless ip6tables gets a matching rule. DROP leaves the browser hanging until it times out; -j REJECT makes it fail immediately if you prefer that.
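As an added example (not part of the original post or of SuSEfirewall2), here is the same per-uid egress restriction written as shell functions that go a little beyond the single rule above: several LAN ranges instead of one, an explicit loopback ACCEPT, matching ip6tables rules, and an idempotent on/off toggle for the "script to turn on/off" case. The user name "guest", the ranges and all function names are illustrative assumptions; nothing is applied unless you call the toggle as root.

```shell
#!/bin/sh
# Added example, not the post's own code: per-user outbound restriction
# generalised to several LAN ranges, loopback and IPv6, with an on/off toggle.
# "guest", the CIDR ranges and the function names are illustrative assumptions.

# Print one rule per line as "<tool> <chain> <match args> -j <target>".
# Output only, nothing is applied.  Order matters: ACCEPTs for loopback and
# each LAN range come first, then a catch-all DROP for that uid, which is
# what the single "! -d LAN -j DROP" rule in the post does for one range.
guest_egress_rules() {
    user=$1; shift
    # Loopback is not inside the LAN range, so a bare "! -d LAN -j DROP"
    # would also cut off a local resolver or anything else on 127.0.0.1.
    echo "iptables OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT"
    for cidr in "$@"; do
        echo "iptables OUTPUT -d $cidr -m owner --uid-owner $user -j ACCEPT"
    done
    echo "iptables OUTPUT -m owner --uid-owner $user -j DROP"
    # The IPv4 rule says nothing about IPv6; mirror it so a v6-capable host
    # does not let the same account straight out.
    echo "ip6tables OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT"
    echo "ip6tables OUTPUT -m owner --uid-owner $user -j DROP"
}

# Number of rules generated: loopback + one per range + DROP, for v4 and v6.
guest_egress_rule_count() {
    guest_egress_rules "$@" | wc -l | tr -d ' '
}

# Apply ("on") or remove ("off") the rules.  -C checks whether the exact rule
# already exists, so running "on" twice does not stack duplicate copies.
# Needs root.  Usage: guest_egress_toggle on guest 192.168.0.0/16 10.0.0.0/8
guest_egress_toggle() {
    mode=$1; shift
    case $mode in
        on|off) ;;
        *) echo "usage: guest_egress_toggle on|off USER CIDR..." >&2; return 2 ;;
    esac
    guest_egress_rules "$@" | while read -r line; do
        set -- $line            # deliberate word splitting: tool + rule args
        tool=$1; shift
        if [ "$mode" = on ]; then
            "$tool" -C "$@" 2>/dev/null || "$tool" -A "$@"
        else
            "$tool" -D "$@" 2>/dev/null || true
        fi
    done
}

# Drop-in body for the hook in /etc/sysconfig/scripts/SuSEfirewall2-custom.
# The hook must still end with "true" so a failed iptables call cannot
# abort the rest of the firewall setup.
fw_custom_after_chain_creation() {
    guest_egress_toggle on guest 192.168.0.0/16
    true
}
```

To make the restriction temporary instead of permanent, leave the hook alone and run `guest_egress_toggle on guest 192.168.0.0/16` or `... off ...` from a root shell; because the toggle uses `-C` before `-A`, it is safe to run from cron or a login script repeatedly.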
=) HRC