At 22:21 28/09/00 +0200, Johannes Kloos wrote:
>On Thu, Sep 28, 2000 at 11:33:30PM +0500, Abdul Basit wrote:
> > Hey
> > Is it possible to do user based packet filtering in *nix ?
> > say i need to allow telnet access to all but i want to block port
> > 80(outbound) to some users
> > while allowing others ?
> >
> > something like packet filter checks first checks uid and then apply the
> > exiting rule ?
>
>netfilter (aka iptables) on linux includes "owner matching", so you may say:
>
>iptables -A OUTPUT -p tcp --dport 80 -m owner --uid-owner luser -j REJECT
>
>AFAIK, there are patches against Linux 2.2 for netfilter. Linux 2.4 supports
>it natively, but is IMHO not sufficiently stable.

As far as I can guess, the uid here is that of the calling socket, which only
exists for locally generated packets. There's no uid in IP packets traversing
the gateway :)

One way would be to allocate IP addresses based on user identity. Yet there is no
"standard" solution, but the worst here is that this assumes mono-user hosts.

A second way would be to implement user authentication in IP filtering engines.
Once again, this is not an easy problem, which explains the fact that this is not
widespread.

A reasonable solution is to use a web proxy that supports authentication. Squid is an
example.

You can install the proxy on a specific host and configure your gateway to refuse web
access unless it comes from this host (make sure the guys do not have accounts on this
host and that the only way to get out of it is to be authenticated by the proxy).
Then tell your users to use the proxy to go out.

This works for protocols for which there is a proxy that implements authentication.

regards,
mouss
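
The setup mouss describes, written out as an added example (not code from the thread or from any of its authors): a gateway that forwards web traffic only from the proxy host, the owner match from the quoted reply reused on the proxy host itself, and a squid.conf fragment that demands a login. The addresses, interface name, squid user and helper path are assumed placeholders for an imaginary LAN; the script prints the rules and config for review rather than applying them.

```shell
#!/bin/sh
# Added example, not code from the thread. It writes out the three pieces of
# the "proxy host + gateway" setup so they can be reviewed before being
# applied. Addresses, interface names, the squid user and the helper path
# are assumed placeholders for an imaginary LAN.
#
# Assumed topology:
#   LAN clients (10.0.0.0/24) --LAN_IF--> gateway --> Internet
#   10.0.0.5 is the squid host; users have no accounts on it.

set -eu

# Gateway side: only the proxy host may be forwarded to TCP 80/443.
# Everyone else on the LAN gets a RST for those ports, so browsers fail
# fast instead of hanging. Rules are printed, not executed; pipe to sh
# (as root, on the gateway) to apply them.
gateway_rules() {
    proxy_ip=$1
    lan_if=$2
    cat <<EOF
iptables -N WEBOUT
iptables -A FORWARD -i $lan_if -p tcp -m multiport --dports 80,443 -j WEBOUT
iptables -A WEBOUT -s $proxy_ip -j ACCEPT
iptables -A WEBOUT -p tcp -j REJECT --reject-with tcp-reset
EOF
}

# Proxy host side: the owner match from the quoted reply, used here as a
# belt-and-braces rule. Even someone who gets a shell on the proxy host
# cannot open outbound web connections directly; only the squid uid can.
proxy_host_rules() {
    squid_user=$1
    cat <<EOF
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner $squid_user -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
EOF
}

# Squid side: every request needs a valid username/password. The helper path
# is the usual Debian location for basic_ncsa_auth (assumed); adjust for your
# distribution. Basic auth sends credentials in clear, so keep the proxy on
# the LAN only or front it with TLS.
squid_auth_conf() {
    lan_net=$1
    cat <<EOF
http_port 3128
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Outbound web access
acl lan src $lan_net
acl authenticated proxy_auth REQUIRED
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow lan authenticated
http_access deny all
EOF
}

# Sanity check on the generated gateway rules: the per-host ACCEPT must
# precede the catch-all REJECT, otherwise the proxy is locked out too.
# Returns 0 when the ordering is right.
gateway_rules_ordered() {
    gateway_rules "$1" "$2" | awk '
        /-j ACCEPT/ { accept = NR }
        /-j REJECT/ { reject = NR }
        END { exit !(accept && reject && accept < reject) }'
}

case "${1:-}" in
    show)
        echo "# --- gateway ---";    gateway_rules 10.0.0.5 eth1
        echo "# --- proxy host ---"; proxy_host_rules proxy
        echo "# --- squid.conf ---"; squid_auth_conf 10.0.0.0/24
        ;;
esac
```

Run it with `show` to see all three fragments. The FORWARD rules stop web traffic that bypasses the proxy; the OUTPUT rules on the proxy host make squid's uid the only path out even for someone who does get a shell there; and squid's `proxy_auth REQUIRED` ACL is what actually ties the traffic to a user. Note that this only covers ports 80 and 443; any other protocol needs its own authenticating proxy, as the post says.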

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]