Hello,

Philip wrote:
> Is there an easy way to set up different rules for different users of a
> desktop machine?
> I have a small home network with different PCs for different purposes.
> There is a general purpose Lenny desktop that the whole family uses.
> It has a private IP address.
> This can get to the Internet either through NAT on a FreeBSD firewall, or
> through a Dansguardian proxy, currently running on a different Etch box.
> Eventually I plan to migrate Dansguardian onto the FreeBSD box.
>
> Is there an easy way that if I or another adult is logged in then we can get
> to the NAT box, but if one of my (small) children is logged in then the only
> way out is through the proxy?

iptables can match locally generated packets by the sender process user or
group ID. See the 'owner' match. E.g. for HTTP traffic:

  iptables -t nat -A OUTPUT -p tcp --dport 80 \
    -m owner --gid-owner $children -j DNAT --to $proxy_address:$proxy_port

Note that the proxy must work in transparent mode, and this may not work with
programs that run SUID/SGID, as iptables sees only the effective ID. Also, HTTPS
does not work with a transparent proxy.
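
Added example, not part of the original message: the rule above redirects only port 80, so this sketch pairs it with filter rules that reject every other outbound path for the group, matching the request that the proxy be the only way out. The function name, the DNS resolver parameter and the sample addresses are assumptions; the function prints the rules for review rather than applying them.

```shell
#!/bin/sh
# Added example: emit owner-match rules that confine one group to the proxy.
# Pipe the output to `sh` as root to apply it. All values are placeholders.

# gen_child_rules GROUP PROXY_ADDR PROXY_PORT DNS_ADDR   (hypothetical helper)
gen_child_rules() {
    group=$1 proxy_addr=$2 proxy_port=$3 dns_addr=$4

    # Reject missing, option-like or shell-special arguments so the generated
    # text can never carry an extra command or iptables option.
    for arg in "$group" "$proxy_addr" "$proxy_port" "$dns_addr"; do
        case $arg in
            ''|-*|*[!A-Za-z0-9._:-]*)
                echo "invalid argument: '$arg'" >&2
                return 1 ;;
        esac
    done

    m="-m owner --gid-owner $group"
    # Rule order matters: the ACCEPT rules must precede the final REJECT.
    # 1. nat/OUTPUT: redirect the group's HTTP to the transparent proxy.
    # 2. Loopback stays open for local IPC.
    # 3. nat/OUTPUT runs before filter/OUTPUT, so the filter rule sees the
    #    rewritten destination and must allow proxy_addr:proxy_port.
    # 4-5. Name resolution, limited to one resolver (assumed to be needed).
    # 6. Everything else from the group is refused, including direct HTTPS,
    #    which the message notes cannot go through a transparent proxy.
    cat <<EOF
iptables -t nat -A OUTPUT -p tcp --dport 80 $m -j DNAT --to-destination $proxy_addr:$proxy_port
iptables -A OUTPUT -o lo $m -j ACCEPT
iptables -A OUTPUT -p tcp -d $proxy_addr --dport $proxy_port $m -j ACCEPT
iptables -A OUTPUT -p udp -d $dns_addr --dport 53 $m -j ACCEPT
iptables -A OUTPUT -p tcp -d $dns_addr --dport 53 $m -j ACCEPT
iptables -A OUTPUT $m -j REJECT
EOF
}

# Constructed sample values: group "children", documentation-range addresses.
gen_child_rules children 192.0.2.10 8080 192.0.2.1
```

The owner match still sees only the effective ID, so the SUID/SGID caveat from the message applies to these filter rules as well.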

