Hi, I wonder if there's some way to reliably keep one of my non-Admin user accounts from accessing my local network or the internet in any way? So that, when I'm logged in to that account, the network connection would refuse to do anything for me, and I would need superuser privileges to get internet or network connectivity back for that account?
There are a few ways to do that, depending on kernel/distro.
For Ubuntu-MATE the easiest way is using the firewall.
You can block network traffic based on user-id.
The terminal application to set this up is known as 'iptables'.
(Because unfortunately, the standard firewall GUI (gufw/ufw) is, as far as I know, not advanced enough to accomplish this.)
Read the manual page because 'iptables' is very flexible and incredibly powerful, but that power is best harnessed if you know a thing or two about how it works.
iptables -A OUTPUT -m owner --uid-owner 666 -j DROP
Of course the '666' here should be replaced with the real user ID.
Also, this rule should be loaded every time at boot because iptables rules are not persistent. (There are several ways to make it persistent, though.)
Best to read up on 'iptables' and 'ip6tables'
man ip6tables
It also might be a good idea to visit this site:
You might want to disable or uninstall 'ufw' and 'gufw' if you have it installed.
(ufw adds a bunch of extra firewall chains which could needlessly complicate the setup)
P.S. I am still wondering why ufw is so much more complicated than iptables while the name suggests otherwise.
Thank you, tkn. I think iptables and ip6tables don't work for me the way they're supposed to, though. When I type
sudo iptables -L -v
or
sudo ip6tables -L -v
I always get a report of zero bytes and zero packets for everything, no matter how much I've used the internet in the last 5 minutes.
OK, now things get really weird and perhaps interesting.
When I use the initial command from linuxquestions.org (replacing 666 with the proper number) for both iptables and ip6tables, and then use iptables-persistent to save both the iptables and ip6tables settings (the systemd approach looks too complicated for me), and then I reboot and try to log on as the user I'm trying to keep from the internet...
...as soon as I log in, I get a completely black screen, except with a mouse cursor, and it stays that way, and I can't do anything except move the cursor.
Apparently, something in that sequence of actions cuts off the user not just from the internet, but from important parts of the local system, too.
Yes, everything that depends on network sockets is blocked for that user. That, of course, also includes everything depending on 127.x.x.x, in other words localhost.
You could either:
explicitly exempt localhost from that rule by inserting a rule above the rule that blocks, that allows everything for that user on 127.x.x.x
something like: iptables -I OUTPUT 1 -d 127.0.0.0/255.0.0.0 -j ACCEPT
or
restrict this rule to a physical network interface: delete your current rule and add:
iptables -A OUTPUT -o enp39s0 -m owner --uid-owner 666 -j DROP
where -o defines the name of your network interface.
The command ip addr will show you your available network interfaces.
'lo' is the loopback interface which is not connected to anything outside the computer.
'enp39s0' is my wired ethernet adaptor, but yours could be named differently.
Do some extra reading. Once you know how it works, you can make it jump through hoops without breaking a sweat.
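The two posts above describe one procedure: drop the user's egress with the iptables owner match, but let loopback through first so the desktop session keeps working. The script below is an added example written for this thread, not code posted by tkn or anyone else in it. It exempts the loopback interface with `-o lo` (tkn's second option) rather than the 127.0.0.0/8 destination, because the same rule text then also covers ::1 under ip6tables; it resolves the login name to a UID so nobody has to remember the number; and it checks with `-C` before adding each rule so it can be re-run at every boot without stacking duplicates. Assumptions: the `iptables`/`ip6tables` binaries are present, the script runs as root when applying, and `DRY_RUN=1` only prints the commands that would run.

```shell
#!/bin/sh
# Added example for this thread (not the poster's code): block all non-loopback
# network traffic for one local user, for IPv4 and IPv6, using the owner match.
# Assumptions: root and the iptables/ip6tables binaries when applying;
# DRY_RUN=1 prints the rule commands instead of executing them.
set -eu

# Resolve a login name to its numeric UID; --uid-owner needs the number.
uid_of() {
    id -u "$1"
}

# Print the two rules for one tool and UID, in the order they must be applied.
# The loopback ACCEPT is inserted at position 1 so it is evaluated before the
# DROP; without it the user loses localhost too (the black-screen symptom).
rules_for_uid() {
    tool="$1"; uid="$2"
    printf '%s\n' \
        "$tool -I OUTPUT 1 -o lo -m owner --uid-owner $uid -j ACCEPT" \
        "$tool -A OUTPUT -m owner --uid-owner $uid -j DROP"
}

# Apply one rule line unless an identical rule already exists (iptables -C),
# so running this at every boot does not pile up duplicate rules.
apply_rule() {
    rule="$1"
    tool="${rule%% *}"      # "iptables" or "ip6tables"
    spec="${rule#* }"       # everything after the tool name
    # Turn the -I/-A action into the chain-only form that -C expects.
    case "$spec" in
        "-I OUTPUT 1 "*) check="OUTPUT ${spec#-I OUTPUT 1 }" ;;
        "-A OUTPUT "*)   check="OUTPUT ${spec#-A OUTPUT }" ;;
        *) echo "unexpected rule: $rule" >&2; return 1 ;;
    esac
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$rule"
        return 0
    fi
    # Word splitting of $check and $spec is intended: they hold argv fragments.
    if ! $tool -C $check 2>/dev/null; then
        $tool $spec
    fi
}

# Block one user by login name on both address families.
block_user() {
    uid="$(uid_of "$1")"
    for tool in iptables ip6tables; do
        rules_for_uid "$tool" "$uid" | while IFS= read -r rule; do
            apply_rule "$rule"
        done
    done
}

# Usage: DRY_RUN=1 ./block-user.sh alice   (preview)
#        sudo ./block-user.sh alice        (apply)
if [ "$#" -eq 1 ]; then
    block_user "$1"
fi
```

After applying, the rules can be saved with the iptables-persistent package already mentioned in the thread, or the script itself can be run from a boot-time unit; because of the `-C` check either approach is safe to repeat. To undo, replace `-I OUTPUT 1`/`-A OUTPUT` with `-D OUTPUT` in the same rule text.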