Is there some way to keep one of my user accounts from accessing the network?

Hi, I wonder if there's some way to reliably keep one of my non-Admin user accounts from accessing my local network or the internet in any way? So that, when I'm logged in to that account, the network connection would refuse to do anything for me, and I would need superuser privileges to get internet or network connectivity back for that account?

For the record, I'm on 23.04.

Thank you!

1 Like

There are a few ways to do that , depending on kernel/distro.

For Ubuntu-MATE the easiest way is using the firewall.
You can block network traffic based on user-id.

The terminal application to set this up is known as 'iptables'.

(Because unfortunately , the standard firewall-GUI (gufw/ufw) is, as far as I know, not advanced enough to accomplish this.)

Read the manual page because 'iptables' is very flexible and incredibly powerful, but that power is best harnessed if you know a thing or two about how it works.

This is what I found on

iptables -A OUTPUT -m owner --uid-owner 666 -j DROP

Ofcourse the '666' here should be replaced with the real user ID.
Also, this rule should be loaded every time at boot because iptable rules are not persistant. ( There are several ways to make it persistant though)

Best to read up on 'iptables' and 'ip6tables'

man ip6tables

It also might be a good idea to visit this site:

You might want to disable or uninstall 'ufw' and 'gufw' if you have it installed.
(ufw adds a bunch of extra firewall chains which could needlessly complicate the setup)

P.S. I am still wondering why ufw is so much more complicated than iptables while the name suggests otherwise.


Thank you, tkn. I think iptables and ip6tables don't work for me the way they're supposed to, though. When I type

sudo iptables -L -v


sudo ip6tables -L -v
I always get a report of zero bytes and zero packets for everything, no matter how much I've used the internet in the last 5 minutes.

Yes, that is correct. It only shows outputs when given firewall rules are matched.
(which you don't have yet).

This means that the fact that sudo iptables -L -v doesn't produce any output yet doesn't automatically indicate that it doesn't work.

Know that iptables (the mechanism, not the commandline command) is a fixed part of the kernel, that means it is always there on every system.

Just try to apply the rule to block the user and read up some more on iptables.

If you need more than the page with basic information that I linked above (and considering your question, you do ) , you can find an excellent, complete and very detailed manual/tutorial here:

EDIT: forgot to show how to make the rules persistant:


OK, now things get really weird and perhaps interesting.

When I use the initial command from (replacing 666 with the proper number) for both iptables and ip6tables, and then use iptables-persistent to save both the iptables and ip6tables settings (the systemd approach looks too complicated for me), and then I reboot and try to log on as the user I'm trying to keep from the internet... soon as I log in, I get a completely black screen, except with a mouse cursor, and it stays that way, and I can't do anything except move the cursor.

Apparently, something in that sequence of actions cuts off the user not just from the internet, but from important parts of the local system, too.

Yes, everything that depends on network sockets is blocked for that user.
That, ofcourse, also includes everything depending on 127.x.x.x i.o.w. localhost

You could either:

  1. explicitly exempt localhost from that rule by insering a rule above the rule that blocks, that allows everything for that user on 127.x.x.x
    something like: iptables -I OUTPUT 1 -d -j ACCEPT


  1. restrict this rule to a physical network interface, delete your current rule and add:
    iptables -A OUTPUT -o enp39s0 -m owner --uid-owner 666 -j DROP

where -o defines the name of your network interface.
the command ip addr will show you your available network interfaces
'lo' is the loopback interface which is not connected to anything outside the computer.
'enp39s0' is my wired ethernet adaptor, but yours could be named differently.

  1. Do some extra reading. Once you know how it works you can make it jump through hoops without breaking a sweat :slight_smile:

Thank you, now it works. I used the "explicitly block access to the physical ethernet connection" approach.