Is there some way to keep one of my user accounts from accessing the network?

Hi, I wonder if there's some way to reliably keep one of my non-Admin user accounts from accessing my local network or the internet in any way? So that, when I'm logged in to that account, the network connection would refuse to do anything for me, and I would need superuser privileges to get internet or network connectivity back for that account?

For the record, I'm on 23.04.

Thank you!

1 Like

There are a few ways to do that, depending on kernel/distro.

For Ubuntu-MATE the easiest way is using the firewall.
You can block network traffic based on user-id.

The terminal application to set this up is known as 'iptables'.

(Because unfortunately, the standard firewall-GUI (gufw/ufw) is, as far as I know, not advanced enough to accomplish this.)

Read the manual page because 'iptables' is very flexible and incredibly powerful, but that power is best harnessed if you know a thing or two about how it works.

This is what I found on linuxquestions.org

iptables -A OUTPUT -m owner --uid-owner 666 -j DROP

Of course the '666' here should be replaced with the real user ID.
Also, this rule should be loaded every time at boot because iptables rules are not persistent. (There are several ways to make them persistent though.)

Best to read up on 'iptables' and 'ip6tables'

man ip6tables

It also might be a good idea to visit this site:

You might want to disable or uninstall 'ufw' and 'gufw' if you have it installed.
(ufw adds a bunch of extra firewall chains which could needlessly complicate the setup)

P.S. I am still wondering why ufw is so much more complicated than iptables while the name suggests otherwise.

6 Likes

Thank you, tkn. I think iptables and ip6tables don't work for me the way they're supposed to, though. When I type

sudo iptables -L -v

or

sudo ip6tables -L -v

I always get a report of zero bytes and zero packets for everything, no matter how much I've used the internet in the last 5 minutes.

Yes, that is correct. It only shows outputs when given firewall rules are matched.
(which you don't have yet).

This means that the fact that sudo iptables -L -v doesn't produce any output yet doesn't automatically indicate that it doesn't work.

Know that iptables (the mechanism, not the commandline command) is a fixed part of the kernel, that means it is always there on every system.

Just try to apply the rule to block the user and read up some more on iptables.

If you need more than the page with basic information that I linked above (and considering your question, you do), you can find an excellent, complete and very detailed manual/tutorial here:
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

EDIT: forgot to show how to make the rules persistent:

4 Likes

OK, now things get really weird and perhaps interesting.

When I use the initial command from linuxquestions.org (replacing 666 with the proper number) for both iptables and ip6tables, and then use iptables-persistent to save both the iptables and ip6tables settings (the systemd approach looks too complicated for me), and then I reboot and try to log on as the user I'm trying to keep from the internet...

...as soon as I log in, I get a completely black screen, except with a mouse cursor, and it stays that way, and I can't do anything except move the cursor.

Apparently, something in that sequence of actions cuts off the user not just from the internet, but from important parts of the local system, too.

Yes, everything that depends on network sockets is blocked for that user.
That, of course, also includes everything depending on 127.x.x.x, i.o.w. localhost.

You could either:

  1. explicitly exempt localhost from that rule by inserting a rule above the rule that blocks, that allows everything for that user on 127.x.x.x
    something like: iptables -I OUTPUT 1 -d 127.0.0.0/255.0.0.0 -j ACCEPT

or

  2. restrict this rule to a physical network interface: delete your current rule and add:
    iptables -A OUTPUT -o enp39s0 -m owner --uid-owner 666 -j DROP

where -o defines the name of your network interface.
The command ip addr will show you your available network interfaces.
'lo' is the loopback interface which is not connected to anything outside the computer.
'enp39s0' is my wired ethernet adaptor, but yours could be named differently.

  3. Do some extra reading. Once you know how it works you can make it jump through hoops without breaking a sweat 🙂
5 Likes
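An added example (not from this thread or its posters) that generalises the second approach above: instead of naming one physical interface, `! -o lo` drops the user's outbound packets on every interface except loopback, so the desktop session keeps working and wifi or VPN interfaces are covered too. It assumes a login name such as "guest", that iptables and ip6tables are installed, and a hypothetical file name block_user.sh for the usage lines.

```shell
#!/bin/sh
# Added example, not from the thread: block one user's outbound traffic by UID
# on every interface except loopback. Assumed: login name "guest", iptables and
# ip6tables present, script saved as block_user.sh (hypothetical name).

# Pick the interface name out of `ip route show default` output on stdin.
# Informational only: `! -o lo` below already covers every non-loopback interface.
default_iface_from_route() {
    awk '$1=="default"{for(i=1;i<NF;i++) if($i=="dev"){print $(i+1); exit}}'
}

# Emit the rule for one family ($1 = iptables|ip6tables, $2 = numeric UID).
# `! -o lo` matches every outgoing interface except loopback, so 127.x.x.x and
# ::1 stay usable and the black-screen-at-login problem does not occur.
user_block_rule() {
    echo "$1 -A OUTPUT ! -o lo -m owner --uid-owner $2 -j DROP"
}

# Apply the rule for both families, idempotently: -C exits 0 if it already exists.
apply_user_block() {
    uid=$(id -u "$1") || return 1
    for fam in iptables ip6tables; do
        "$fam" -C OUTPUT ! -o lo -m owner --uid-owner "$uid" -j DROP 2>/dev/null ||
            "$fam" -A OUTPUT ! -o lo -m owner --uid-owner "$uid" -j DROP
    done
}

# Read the packet counter of that user's DROP rule from `iptables -L OUTPUT -v -n -x`
# output on stdin. Counters only move when a packet matches, so 0 does not mean
# the firewall is broken, only that nothing from that UID has been dropped yet.
dropped_pkts_for_uid() {
    awk -v uid="$1" '
        $3=="DROP" && $0 ~ ("owner UID match " uid "( |$)") { print $1; found=1; exit }
        END { if (!found) print 0 }'
}

# Example run (needs root to change rules; persist them afterwards with
# iptables-persistent as mentioned in the thread):
#   sudo sh -c '. ./block_user.sh; apply_user_block guest'
#   sudo iptables -L OUTPUT -v -n -x | dropped_pkts_for_uid "$(id -u guest)"
```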

Thank you, now it works. I used the "explicitly block access to the physical ethernet connection" approach.

3 Likes