As the actual client applications are going to be running on the same server, I think you will be hard pressed to get packet marking to work at that level. I have done packet marking, classifying and policing, but only using hardware routers and marking either by host addresses or TCP/UDP port. (The marking was using the DiffServ/TOS field of the IP packet.) I suspect this won't be flexible enough for you (as ports and IP addresses are going to be the same for both user groups).

You will probably find you are better off enforcing the policy at an OS level by creating locked-down applications (with specific configs) that are only accessible or executable by certain administrative groups (i.e. create a powerusers group in /etc/groups and make, say, mozilla only e(x)ecutable by members of that group. Add that group to each user you want to be able to use that app).

(You also have to prevent non-privileged users from installing and running their own work-alike programs, but I guess in a normal managed environment this shouldn't be an issue.)

(There are other techniques, like forcing user traffic to go through some sort of VPN or tunnel with different characteristics, but again the issue is to tie these to a particular user of a central server.)

Martin Visser, CISSP
Network and Security Consultant
Technology & Infrastructure - Consulting & Integration
HP Services
3 Richardson Place
North Ryde, Sydney NSW 2113, Australia
Phone: +61-2-9022-1670
Mobile: +61-411-254-513
Fax: +61-2-9022-1800
E-mail: martin.visserAThp.com

-----Original Message-----
From: Howard Lowndes [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 29 July 2003 9:36 AM
To: Mail List - SLUG; Mail List - MURLUG
Subject: [SLUG] Marking packets at the user level

I have a situation where I have a workgroup server which has several user accounts on it; the users connect to the server from their desktops, which act as basic X terminals. I want to be able to block some users from web browsing and accessing external mail servers, etc., whilst allowing others either or both of those facilities, all blocking being done at the site Internet interface point.

I think what I am wanting to do is to mark selected packets with a user/group-specific mark at the session level so that they can be identified by the iptables filters, but, of course, the packets actually get created further down the stack.

Am I on a lost cause, or do I need to think laterally here?

--
Howard.
LANNet Computing Associates - Your Linux people <http://www.lannetlinux.com>
------------------------------------------
Flatter government, not fatter government - Get rid of the Australian states.
------------------------------------------
I before E except after C. We live in a weird society!

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
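The OS-level lockdown Martin describes (a group-owned application binary that only members of that group can execute), as an added shell example that is not part of the original thread. It assumes a Linux host with GNU coreutils (stat -c) and that chgrp/usermod are run as root on the real server; the permission check is demonstrated on a constructed temporary file, so it needs no root.

```shell
#!/bin/sh
# Added example, not code from the original thread: lock an application binary
# down so only members of one group can run it, and verify the permission bits.
# Assumes a Linux box with GNU coreutils (stat -c); chgrp/usermod need root.

# lock_down_app BIN GROUP: make BIN group-owned by GROUP and mode 0750
# (rwxr-x---), so users outside the owner/GROUP cannot execute or even read it.
lock_down_app() {
    chgrp "$2" "$1" || return 1
    chmod 0750 "$1"
}

# grant_app_access USER GROUP: add USER to the group that owns the application
# (-a keeps the user's existing supplementary groups).
grant_app_access() {
    usermod -a -G "$2" "$1"
}

# is_locked_down BIN: succeed only if owner and group keep the execute bit and
# "other" has no permission bits at all; setuid/setgid bits are ignored.
is_locked_down() {
    mode=$(stat -c '%a' "$1") || return 1
    perms=${mode#"${mode%???}"}        # last three octal digits, e.g. 4750 -> 750
    u=${perms%??}                      # owner digit
    g=${perms#?}; g=${g%?}             # group digit
    o=${perms#??}                      # other digit
    [ "$o" = 0 ] || return 1
    [ $((u & 1)) -eq 1 ] && [ $((g & 1)) -eq 1 ]
}

# Demonstration on a constructed temporary file (chmod needs no root).
demo() {
    f=$(mktemp) || return 1
    chmod 0755 "$f"                    # world-executable, as most distros ship binaries
    is_locked_down "$f" && echo "unexpected: 0755 reported as locked down"
    chmod 0750 "$f"                    # what lock_down_app would leave behind
    is_locked_down "$f" && echo "$f is now executable by owner and group only"
    rm -f "$f"
}

demo
```

On a real server the binary must also not be copied or reinstalled by unprivileged users, which is the "work-alike programs" caveat in the reply.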
