Disable networking for specific users

I'm working on an Ubuntu/Mint distro meant to be run Live. There are multiple accounts that fall into three general groups: Admin, Internet and Security.

  • Admin obviously has the authority to do whatever.
  • Internet account is for using the Internet.

The other accounts are Security accounts. Under no circumstances is any networking (Internet, printer, Bluetooth, WiFi devices, etc.) allowed.

What I'd like to do is remove the network drivers from the kernel, but that would disable the accounts that need Internet.

What are the lowest level way(s) to disable Internet for these security accounts? I'm looking for impossible-to-connect solutions.


You can do that with iptables (ip6tables).

Until reboot

On a terminal add the rule to iptables

sudo iptables -A OUTPUT -p all -m owner --uid-owner username -j DROP
sudo ip6tables -A OUTPUT -p all -m owner --uid-owner username -j DROP

where username is the user for whom you want to disable the Internet connection. Save the file and exit.

This will add a rule to iptables (ip6tables) saying that any outgoing packets created by the specified user will be automatically dropped by it.

If you want to do the same for a complete group I suggest that instead of --uid-owner username you use --gid-owner groupname; that will have the same effect for a complete user group.

So, for example, to prevent the group security from accessing the Internet the command would look something like this

sudo iptables -A OUTPUT -p all -m owner --gid-owner security -j DROP
sudo ip6tables -A OUTPUT -p all -m owner --gid-owner security -j DROP

Permanent

To make the rule permanent you can create a script in /etc/network/if-up.d/, add the necessary lines to it and make it executable.

As an option, use iptables-save (ip6tables-save) to save your current rules and restore them on boot.

Save the current iptables rules

sudo iptables-save > /etc/iptables_rules
sudo ip6tables-save > /etc/ip6tables_rules

Open /etc/rc.local with your favorite text editor and at the end of the file add

/sbin/iptables-restore < /etc/iptables_rules
/sbin/ip6tables-restore < /etc/ip6tables_rules

That will restore the saved rules on each boot. Note that users for whom you blocked only IPv4 connections will still be able to connect to the Internet over IPv6.

For more information and several more iptables options consult its manpage.
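As an added example (my own script, not part of the answer above), here is a small POSIX sh wrapper that applies the owner-match DROP rules to both iptables and ip6tables at once and checks with -C first so it can be called from /etc/network/if-up.d/ or rc.local on every boot without stacking duplicate rules. It assumes the named users and groups exist and needs root unless DRY_RUN=1 is set, in which case it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original answer: block all outgoing traffic for
# the given users/groups on IPv4 and IPv6, idempotently.
# Assumes the groups/users exist. Needs root unless DRY_RUN=1 (print only).

# Rule for one principal: KIND is "uid" or "gid", NAME the user or group.
# The owner match only works in the OUTPUT chain (locally generated packets).
rule_args() {
    printf '%s' "OUTPUT -p all -m owner --$1-owner $2 -j DROP"
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Add the rule to the IPv4 and IPv6 tables unless it is already present (-C),
# so repeated runs do not stack duplicates. -I (insert at the top) is used
# instead of -A so an earlier ACCEPT rule in OUTPUT cannot bypass the block.
ensure_block() {
    kind=$1; name=$2
    for tool in iptables ip6tables; do
        # word splitting of the rule string is intended here
        if [ "${DRY_RUN:-0}" = "1" ] || ! "$tool" -C $(rule_args "$kind" "$name") 2>/dev/null; then
            run "$tool" -I $(rule_args "$kind" "$name")
        fi
    done
}

# Block every group named on the command line, e.g. block_groups security
block_groups() {
    for g in "$@"; do ensure_block gid "$g"; done
}

# Block individual users by name, e.g. block_users alice
block_users() {
    for u in "$@"; do ensure_block uid "$u"; done
}
```

Run it with DRY_RUN=1 first to see the exact iptables/ip6tables commands it will issue, then as root to apply them.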


Bruno's solution is good: I think probably the best self-contained solution.

Another option you can think about is to set up a firewall/proxy on a separate machine, as the gateway to the internet, which only allows connections out that provide per-user authentication. You could use both together for extra protection.