How to block internet per User

Hi, I'm looking for any ideas to block the internet on a server with multi-access.

Some users may use only OpenOffice and Thunderbird locally on the server, without access to the WAN, but others must have full access at the same time.

Have a look at /etc/sysconfig/scripts/SuSEfirewall2-custom and enable it in
/sbin/SuSEfirewall2. Then add your rules to fw_custom_before_port_handling(). This may look similar to:

    fw_custom_before_port_handling() {
        # read the list, dropping whole comment lines and trailing "# ..." comments
        BLOCKED_IP_NUMBERS=$(cat /etc/sysconfig/scripts/drop-these-ip-numbers \
            | sed -e "/^#/ d" -e "s/ *#.*//")
        for BLOCKED in $BLOCKED_IP_NUMBERS ; do
            # -p tcp limits this to TCP traffic from the listed host
            iptables -A forward_int -s $BLOCKED -p tcp -j DROP
        done
    }

Then you create a file named drop-these-ip-numbers within the scripts directory containing the IP numbers (one per line) of all hosts within the LAN which are not allowed to connect to the WAN. Note: this is not ‘per user’ but blocks some hosts within the LAN.

When messing around with this please remember to keep copies of the original files.
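A fuller version of that hook, added here as an example (it is not from the post above nor from SuSEfirewall2 itself): it reads the drop list, ignores comments and blank lines, skips entries that are not IPv4 addresses or prefixes, and drops all protocols from the listed hosts rather than only TCP. The chain name forward_int and the file path are the ones the post names; the IPTABLES and DROP_LIST variables and the read_drop_list helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a complete SuSEfirewall2 custom hook that blocks listed LAN
# hosts from being forwarded.  Not part of the thread or of SuSEfirewall2.
# IPTABLES, DROP_LIST and read_drop_list are this example's own names.

IPTABLES="${IPTABLES:-iptables}"          # set IPTABLES=echo for a dry run
DROP_LIST="${DROP_LIST:-/etc/sysconfig/scripts/drop-these-ip-numbers}"

# Print the usable entries of a drop list, one per line: "# ..." comments and
# blank lines are removed; anything that is not a.b.c.d or a.b.c.d/n is
# reported on stderr and skipped.  The check is syntactic only; iptables
# itself rejects out-of-range octets or prefix lengths when the rule loads.
read_drop_list() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
    while IFS= read -r entry; do
        if printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            printf '%s\n' "$entry"
        else
            printf 'drop list: ignoring malformed entry "%s"\n' "$entry" >&2
        fi
    done
}

# The SuSEfirewall2 hook.  For every listed LAN host, drop everything it sends
# into the internal forward chain, whatever the protocol (the snippet in the
# post used -p tcp, which leaves UDP, e.g. DNS, untouched).
fw_custom_before_port_handling() {
    for blocked in $(read_drop_list "$DROP_LIST"); do
        "$IPTABLES" -A forward_int -s "$blocked" -j DROP
    done
}
```

Running it with IPTABLES=echo prints the rules it would load instead of applying them, which is the easiest way to check the list before enabling the hook.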

Welcome to these forums.

I am a bit confused here. Can you please explain a bit more? With the word "server" you use here, do you just mean "the system" where the users are logged in, or do you have your users logged in on workstation systems, using that "server" as "some server" (and if yes, what server)?

Also, as we have no crystal balls, it is never bad to tell what openSUSE level and what desktop (KDE, Gnome, etc.) you are using.

So let's start from the beginning :slight_smile:

There are two situations, now and future:

Now:
Server - Gentoo GNU/Linux
End User - LTSP from Gentoo, so the X system runs directly on the Gentoo server

KDE3.5

Future:
Server - SLES 10 SP3 x64 + GW8
End User - hmm maybe LTSP

Now I'm looking into my options. There is LTSP for openSUSE or the SLED ThinClient, but right now I have problems with my Gentoo server, so I'm asking for help :slight_smile:

The problem is that everyone has the same IP address because they are all working on the same server. Since I updated iptables and the kernel, my iptables rules have changed and "iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner …" stopped working! :confused:

pawelkaroluk wrote:

> Future:
> Server - Sles 10SP3 x64 + GW8

this is the openSUSE forum…

SLES is a commercial product distributed and supported by Novell...
a good place to ask your question is therefore:
forums.novell.com

but, you are welcome to hang out here to see if someone has an answer
for you…


DenverD (Linux Counter 282315)
CAVEAT: http://is.gd/bpoMD
posted via NNTP w/TBird 2.0.0.23 | KDE 3.5.7 | openSUSE 10.3
2.6.22.19-0.4-default SMP i686
AMD Athlon 1 GB RAM | GeForce FX 5500 | ASRock K8Upgrade-760GX |
CMedia 9761 AC’97 Audio

Linux is Linux :slight_smile: especially since SLES is openSUSE a year older…

There are two problems:

  1. How to block e.g. Firefox for user x and allow it for user y
  2. How to block the Internet for user x and allow it for user y on the same machine

Of course I will ask at the SLES forum, but I'm asking you as specialists and any advice is welcome. Thanks for everything.

When you have 2, I suppose you do not need 1, except when you also want to restrict FF on local files.

And when you can get 1 but not 2, why is Konqueror then allowed, but FF not?

When you mean Internet, you mean that the LAN (and other internal networks if they exist) is allowed, but that the router to the Internet may not be traversed?

I almost dare not say, but the above gives me the feeling that your specs are a bit hazy. I hope I am wrong.

Internet = Any / ((192.168.111.0/24) & (mail server = 192.168.100.1/32))

WAN - Router (mail server also) (192.168.100.1) - Server (192.168.100.100) / (192.168.111.1) - End user (192.168.111.0/24)

AD1. I have changed /usr/bin/firefox from 755 root:root to 754 root:internet, where user y is in the internet group.

It's only temporary, but it gives me some time.

AD2. My old iptables config:

    # per-user rule in the nat table (the one that stopped working after the update)
    iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner baneduser -j DROP
    # forwarding between ${LAN} and ${WAN}, then masquerading on the way out
    iptables -I FORWARD -i ${LAN} -d ${LAN_IP} -j DROP
    iptables -A FORWARD -i ${LAN} -s ${LAN_IP} -j ACCEPT
    iptables -A FORWARD -i ${WAN} -d ${LAN_IP} -j ACCEPT
    iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
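The per-user block, rewritten as an added example (this is not the poster's config): the owner match is moved out of the nat table into the filter table's OUTPUT chain, which is where locally generated traffic is filtered; the nat table only sees a connection's first packet and is not meant for dropping traffic. The addresses follow the topology given above (LAN 192.168.111.0/24, router and mail host 192.168.100.1, users' programs running on the server itself as with LTSP). Assumptions made for the example: the users to block are listed by login name in NONET_USERS, mail is reached only on the standard SMTP/POP/IMAP ports, and the chain name nonet_out and the function build_user_block_rules are this example's own.

```shell
#!/bin/sh
# Added example: block the WAN for selected users whose applications run on
# this server, using the owner match in the filter table's OUTPUT chain.
# Not the thread's own config.  NONET_USERS, nonet_out and
# build_user_block_rules are names chosen for this example.

IPTABLES="${IPTABLES:-iptables}"                 # IPTABLES=echo for a dry run
LAN_NET="${LAN_NET:-192.168.111.0/24}"
MAIL_SERVER="${MAIL_SERVER:-192.168.100.1}"
MAIL_PORTS="${MAIL_PORTS:-25,110,143,465,587,993,995}"
NONET_USERS="${NONET_USERS:-baneduser}"          # space-separated login names

build_user_block_rules() {
    # A private chain holds the policy; OUTPUT only decides who is sent there.
    "$IPTABLES" -N nonet_out 2>/dev/null || true
    "$IPTABLES" -F nonet_out
    # Local services and the LAN stay usable for everyone (X, NFS, printing, ...).
    "$IPTABLES" -A nonet_out -o lo -j RETURN
    "$IPTABLES" -A nonet_out -d "$LAN_NET" -j RETURN
    # The mail host is also the router, so allow only the mail ports on it,
    # not the whole address.
    "$IPTABLES" -A nonet_out -d "$MAIL_SERVER" -p tcp -m multiport --dports "$MAIL_PORTS" -j RETURN
    # Anything else is refused.  REJECT (not DROP) gives the application an
    # immediate error instead of a hanging connection attempt.
    "$IPTABLES" -A nonet_out -j REJECT --reject-with icmp-admin-prohibited
    # Send each listed user's locally generated traffic through the chain.
    # iptables resolves the login name to a uid when the rule is loaded, so the
    # account must exist at that point.  The owner match only works for traffic
    # the server itself generates (OUTPUT), which is exactly the LTSP case: the
    # applications run on the server.  --gid-owner would also work but, without
    # the newer --suppl-groups option, matches only the process's primary group.
    for user in $NONET_USERS; do
        "$IPTABLES" -I OUTPUT 1 -m owner --uid-owner "$user" -j nonet_out
    done
}

case "${1:-}" in
    apply)   build_user_block_rules ;;
    dry-run) IPTABLES=echo; build_user_block_rules ;;
    *)       : ;;   # sourced or run without arguments: only define the function
esac
```

Run it as `sh block-users.sh dry-run` to see the rules it would load, and as root with `apply` to install them. Because the rules are inserted at the top of OUTPUT, they take effect before any general ACCEPT that the rest of the firewall may have; a blocked user who opens a WAN address gets an immediate "connection refused" style error while LAN and mail keep working.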

It is a bit more clear to me now (and hopefully also to others), but I still fail to understand the special case for FF. Why may everybody use all browsers except FF? Just curious.

I am not sure if the proxy settings are system-wide settings or a setting per user. In case of the latter you could force a user who is not supposed to access the internet to use a fake proxy. That way all traffic for the internet would be sent to that proxy and, because it is fake, it will of course not answer the request.

When something is a user setting, it can be set by the user. Thus you are shifting the problem to blocking the user from setting (some of) her/his settings. Else she/he would laugh at you.

I can be quite funny sometimes :wink:

It should be perfectly possible to lock down the desktop to prohibit the user from changing this, but that might be a little off-topic for this thread.

You may be right, but as long as I do not understand why the OP wants to block what in/with FF I refrain from practical solutions.

I may point out to you that he already has the requirement to block Internet usage for certain users. As that would include blocking the user from using FF on the Internet, I see no solution in your hint, because it will block what is already blocked.

As the OP specifically mentions that he wants to block FF usage (in addition to the Internet blocking for all programs), I assume that he also wants to block FF from going to the LAN, the localhost and even local files (where no network is involved at all). It seems that he wants a "program not found" when such a user calls FF.

I already pointed out that there are many other browsers installed or installable on the system (or even in user space) and I do not understand why those are allowed.

Thus I am not really interested in a solution like yours (but I admire the idea as such) before I know what to find a solution for. Also with respect to your idea, as FF is not that integrated in KDE, I doubt that this configuration blocking would have anything to do with KDE. Only look at the respective locations: KDE in ~/.kde4 and FF inside ~/.mozilla.