Website access restrictions

Does anyone know if it is possible to restrict a user to allowing access to just one website?
I need to practice some hard parenting and deny my child access to just his school website and nothing else.

iptables is a good way of controlling your input/output websites via the Ubuntu built-in firewall called ufw. You can have a white list and a black list for sites allowed/disallowed.

Here is the Ubuntu link --> https://help.ubuntu.com/community/UFW
The command line entry is just ufw
If however you would like a gui version to help you a little more you can install a program called gufw.
Here is the link http://www.ubuntugeek.com/gufw-simple-gui-for-ufw-uncomplicated-firewall.html

HIH
Joe

1 Like

You could add two rules to ufw. The first rule gives access to a specific website and the second rule denies all and any outgoing access. I am not entirely familiar with ufw. But this is the usual way firewalls work; they allow or reject connections based on a sequential reading of the rules list. When a rule states something that is related to the current connection attempt, that rule takes place and no more rules are read.

ufw is located under the System menu at Preferences -> Internet and Network -> Firewall Configuration. You want to click the add rule button at the bottom left corner and create your rules in the advanced tab of the dialog box that opens.


So, the first rule would be the ALLOW rule. To give access only to this Ubuntu-Mate Community website, it would be:

The second rule would be the DENY rule. And it would look like:

In the main ufw window, these two rules would look like the following:

Notes:

  1. The deny rule is actually made into 2 rules because it also sets IPV6 deny. Why this is not needed for the allow rule, I don't know.
  2. You can change the logging for each rule, but since you are denying everything except that school IP address, the log will fill considerably and it is probably not worth it.
  3. Make sure the firewall is configured for the Home profile in the main window (just as you can see from the last screenshot above). This will allow the computer to connect to the network. Otherwise, the DENY rules would stop that from happening.
  4. You can also choose REJECT instead of DENY, but REJECT will result in error messages letting the user know the connection can't be established. It's best to let it just quietly deny the connection.

You can test this on your own computer before implementing it. Rules take place immediately and you don't need to logoff.

Only thing your child can do to avoid this is to know the sudo password.

3 Likes

I guess the only issue in a scenario like this is if the site you want to allow had a pool of IP addresses, right?

Not really, unless it’s a dynamic IP pool.
You can list the IPs using:

dig @8.8.8.8 www.school.edu

and look at the ANSWER section.
One ALLOW rule per IP should do it.

1 Like

Okay. I had completed a dig on the site (www.flvs.net) and came up with the IP address. I followed @marfig's guide and found I could not browse the site.
Thoughts?
Where would this GUI, Gufw, store the config files for the firewall so that I can post them here to show what I have done?

EDIT: Never mind. Here is the config:

I just edited my post above and included a screenshot.

Can you remove rules 2 and 3, set default Outgoing Policy to “Deny” then check the logs when you try and browse the site?

PS: please confirm that when you say you can’t “Browse” the site it means you can’t display the home page.

Here is what I have configured:

I'm not seeing any logging that relates to traffic when I look at the Log tab.
Correct, when I go to www.flvs.net I am not able to access the home page/site.

Check if it works when you enter the IP address instead of www.flvs.net in the address bar.

If it does:
Please add a rule to allow all outbound traffic on port 53:

1 Like
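The pieces discussed so far (one ALLOW rule per IP from the dig ANSWER section, an outbound rule for DNS on port 53, and a default-deny outgoing policy) can be generated as ufw commands for review. This is an added example, not part of the original thread: the dig output is constructed with documentation-range addresses, limiting the per-IP rules to TCP 80/443 is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build a ufw outbound allowlist from dig output (dry run).
# Nothing here calls ufw; it only prints commands to review and run with sudo.

# Constructed sample of `dig @8.8.8.8 www.school.edu` output. The addresses
# are documentation-range placeholders, not the real site's.
SAMPLE_DIG=';; QUESTION SECTION:
;www.school.edu.        IN  A

;; ANSWER SECTION:
www.school.edu.   300  IN  CNAME  web.school.edu.
web.school.edu.   300  IN  A      192.0.2.10
web.school.edu.   300  IN  A      192.0.2.11

;; AUTHORITY SECTION:
school.edu.       300  IN  NS     ns1.school.edu.

;; ADDITIONAL SECTION:
ns1.school.edu.   300  IN  A      198.51.100.53'

# Print the A-record addresses found in the ANSWER section only
# (CNAME lines and the name server's address are skipped).
answer_ips() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/  { in_answer = 1; next }
        /^;;/ || /^$/          { in_answer = 0 }
        in_answer && $4 == "A" { print $5 }
    ' | sort -u
}

# Emit the rule set: DNS first, one ALLOW per IP, then the default policy.
ufw_rules() {
    echo "ufw allow out to any port 53"
    for ip in $(answer_ips "$1"); do
        # Assumption: the site is served over HTTP/HTTPS only.
        echo "ufw allow out to $ip port 80,443 proto tcp"
    done
    echo "ufw default deny outgoing"
}

ufw_rules "$SAMPLE_DIG"
```

Any third-party host the page loads from is still covered by the deny policy, and the rules need regenerating if the site's addresses change.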

Before adding the DNS rule I did attempt to go to the site by IP address and got this:

I proceeded to add the DNS rule anyway and was able to go to the site but it was really slow and actually browsing the site by select internal links was really slow also.

Do you have uBlock Origin activated?
I see in my uBlock logs it’s blocking requests to a third party: zopim.com, it’s possible this is one factor slowing down the website.

(I mean: if Firefox is attempting to load those pages, it would hit the firewall DENY rule and therefore hang. If uBlock intercepts the request first, then it wouldn’t hang, I think.)

I’m not familiar with uBlock Origin. Doing the Googs search shows this is a browser plugin.
By the way, I use Chrome.
Could it be any other browser plugin, like AdBlock maybe?

EDIT: I tested my theory and paused AdBlock. It did not help.

I’m not familiar with AdBlock, but uBlock Origin is available for Chrome and I highly recommend it.

Edit: by the way, you should take a look at this:

You might need to add the DHCP rules if the machine does not have a static IP in your LAN.

3 Likes

Thanks for looking into this Ouromov. I wouldn’t know how to solve it.

I woke up this morning to the answers to this thread and after going through my proposed solution again, which does work for this community site and a couple others, it does indeed break on that school website. Which means my solution was too simplistic and UFW configuration is a bit more involved than I initially thought.

This was a very comprehensive post. Nice job. I’ll play around with it based on your configuration from that post.
Thanks so much for your help @ouroumov. It’s people like you and @marfig that make this community outstanding.
By your example, I will try to browse this community more to see if I can assist those that post whenever I can. This will be a difficult attempt for me since I am still learning Linux myself and have very limited knowledge and experience.

4 Likes