That sounds good. I don't need to transparently proxy, because I have configured the dansguardian proxy into the browser that the children use. So a group for adults that allows port 80 and 443 would work. I just need to block packets except 8080 to the proxy.

I guess a default of deny all and then allow --gid-owner $adults (all ports) and another allow 8080 for all users. I'm not sure of the iptables syntax though (I'm more used to pf).

thanks,
Philip

Pascal Hambourg wrote:
> Hello,
>
> Philip wrote:
>> Is there an easy way to set up different rules for different users of a
>> desktop machine?
>> I have a small home network with different PCs for different purposes.
>> There is a general purpose Lenny desktop that the whole family uses.
>> It has a private IP address.
>> This can get to the Internet either through NAT on a FreeBSD firewall, or
>> through a Dansguardian proxy, currently running on a different Etch box.
>> Eventually I plan to migrate dansguardian onto the freebsd box.
>>
>> Is there an easy way that if I or another adult is logged in then we can get
>> to the NAT box, but if one of my (small) children is logged in then the only
>> way out is through the proxy?
>
> iptables can match locally generated packets by the sender process user
> or group ID. See the 'owner' match.
>
> E.g. for HTTP traffic:
>
> iptables -t nat -A OUTPUT -p tcp --dport 80 \
>     -m owner --gid-owner $children -j DNAT --to $proxy_address:$proxy_port
>
> Note that the proxy must work in transparent mode, and this may not work
> with programs that run SUID/SGID, as iptables sees only the effective
> ID. Also, HTTPS does not work with a transparent proxy.
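The ruleset Philip sketches (default deny on OUTPUT, an unconditional allow for the adults' group, an allow to the proxy port for everyone), written out as an added example that is not part of the thread. The group name `adults`, the proxy address 192.168.1.2:8080 and the `DRY_RUN` switch are assumptions chosen for illustration; the `owner` match only exists in the OUTPUT chain, because it needs the socket of a local process to read the credentials from.

```shell
#!/bin/sh
# Added example: per-group egress policy for a shared desktop.
# Assumed values (not from the thread): group "adults", proxy at 192.168.1.2:8080.
ADULTS_GROUP="${ADULTS_GROUP:-adults}"
PROXY_ADDR="${PROXY_ADDR:-192.168.1.2}"
PROXY_PORT="${PROXY_PORT:-8080}"
# DRY_RUN=1 (the default here) prints each iptables command instead of running it,
# so the resulting ruleset can be reviewed before it is applied as root.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Start from an empty OUTPUT chain whose default policy drops everything.
    ipt -F OUTPUT
    ipt -P OUTPUT DROP
    # Loopback and replies to already-accepted flows must keep working for everyone.
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Every user may reach the DansGuardian proxy port, and nothing else by default.
    ipt -A OUTPUT -p tcp -d "$PROXY_ADDR" --dport "$PROXY_PORT" -j ACCEPT
    # Name resolution for all users; the proxy-configured browser resolves via the
    # proxy, but other desktop software still needs DNS.
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    # Adults: unrestricted egress. The match is on the effective GID of the process
    # that owns the socket, so SUID/SGID programs are seen under their effective ID.
    ipt -A OUTPUT -m owner --gid-owner "$ADULTS_GROUP" -j ACCEPT
    # System jobs running as root (package updates, NTP) need their own allow rule.
    ipt -A OUTPUT -m owner --uid-owner root -j ACCEPT
    # Anything else, e.g. a child's application trying to bypass the proxy, is
    # logged at a limited rate and then dropped.
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-blocked:"
    ipt -A OUTPUT -j DROP
}

apply_rules
```

Run it as-is to see the generated commands, and with `DRY_RUN=0` as root to apply them. One caveat beyond Pascal's: `--gid-owner` checks the socket owner's effective (primary) group, not supplementary group membership, so the adults either need `adults` as their primary group or one `--uid-owner` rule each; the `-P OUTPUT DROP` policy and the ESTABLISHED rule are ordered so that an existing session survives the reload.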

