# Inside the packet loop: $msg is the queued IPQueue message, $ip and $tcp the
# decoded headers, $ipq the IPTables::IPv4::IPQueue handle, and
# getuserfromtcp() resolves the local socket to its owner (all set up earlier).
my ($user, $pid) = getuserfromtcp $ip, $tcp;
if ($user eq "luser"
    && ($tcp->{flags} & SYN)     # SYN set: a new connection
    && !($tcp->{flags} & ACK)    # ACK clear: not the reply half of a handshake
    && $msg->outdev_name)        # has an output device: outbound
{
    syslog "warning", "Blocking outbound connection attempt by $user";
    $ipq->set_verdict($msg->packet_id, NF_DROP);
}
iptables -A OUTPUT -m owner --uid-owner luser \
    -p tcp --syn -j DROP
The list of permitted users could be dynamic, stored in a database
We could go look in the user's home directory for a valid token
Possible to create a group for users with network access (the owner match also takes --gid-owner, so the plain iptables rule covers this case)
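The handler above and the three policy options (a database-backed list, a token in the home directory, a group) all come down to the same decision: is this packet the first SYN of an outbound connection, who owns the socket, and does policy permit that user. The following Python is an added example, not code from the slides or from IPTables::IPv4::IPQueue. It does not touch libipq; the packet bytes and the /proc/net/tcp snapshot are constructed so it runs offline. It assumes getuserfromtcp() works by matching the packet's local endpoint against /proc/net/tcp, whose uid column names the socket owner (that lookup is re-implemented here under that assumption, for a little-endian host), and it generalises the hard-coded "luser" check to a permit list fed by all three sources, dropping by default when the owner cannot be found.

```python
"""Verdict for an outbound TCP SYN by socket owner, libipq style.

Added example, not from the original slides. Pure Python, no libipq. Packet
bytes and the /proc/net/tcp snapshot are constructed test data.
"""
import socket
import struct
from pathlib import Path

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
NF_DROP, NF_ACCEPT = "NF_DROP", "NF_ACCEPT"   # libipq verdict names

# Constructed /proc/net/tcp snapshot: sshd listening as root (uid 0), plus two
# sockets in SYN_SENT (st 02) owned by uid 1000 and uid 1001.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C350 5DB8D822:0050 02 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:C351 5DB8D822:01BB 02 00000000:00000000 00:00000000 00000000  1001        0 5679 1 0000000000000000 100 0 0 10 0
"""
PASSWD = {0: "root", 1000: "luser", 1001: "alice"}   # stands in for pwd.getpwuid


def build_packet(src_ip, sport, dst_ip, dport, flags):
    """Construct a minimal IPv4 + TCP header pair (checksums left as zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def parse_packet(raw):
    """Return (src_ip, sport, dst_ip, dport, tcp_flags), or None if not TCP."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:                      # IP protocol field: 6 is TCP
        return None
    src_ip, dst_ip = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13]                # low byte of the data-offset/flags word
    return src_ip, sport, dst_ip, dport, flags


def proc_addr(hexaddr):
    """Decode a /proc/net/tcp 'AABBCCDD:PPPP' field (host-order hex, little-endian host assumed)."""
    addr, port = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)


def socket_owner(proc_net_tcp, local_ip, local_port):
    """uid owning the socket bound to local_ip:local_port, or None if absent."""
    for line in proc_net_tcp.splitlines()[1:]:   # first line is the column header
        fields = line.split()
        if len(fields) >= 8 and proc_addr(fields[1]) == (local_ip, local_port):
            return int(fields[7])                # column 7 is uid
    return None


def home_token_exists(user, base="/home"):
    """Token-file check: hypothetical file name, ~user/.netaccess."""
    return Path(base, user, ".netaccess").exists()


class Policy:
    """Who may open outbound connections; any one source is enough to permit."""
    def __init__(self, db_allowed, net_group, has_token=home_token_exists):
        self.db_allowed = set(db_allowed)   # would be a database query in practice
        self.net_group = set(net_group)     # members of a 'netaccess' group
        self.has_token = has_token          # callable: user -> bool

    def permits(self, user):
        return (user in self.db_allowed or user in self.net_group
                or self.has_token(user))


def verdict(raw, outdev, proc_net_tcp, passwd, policy):
    """Same test as the Perl handler: outbound, SYN set, ACK clear, then owner policy."""
    parsed = parse_packet(raw)
    if parsed is None:
        return NF_ACCEPT
    src_ip, sport, _, _, flags = parsed
    new_connection = bool(flags & TCP_SYN) and not (flags & TCP_ACK)
    if not (outdev and new_connection):   # only new outbound connections are policed
        return NF_ACCEPT
    uid = socket_owner(proc_net_tcp, src_ip, sport)
    if uid is None:                       # owner unknown: fail closed
        return NF_DROP
    return NF_ACCEPT if policy.permits(passwd.get(uid, "unknown")) else NF_DROP


if __name__ == "__main__":
    policy = Policy(db_allowed={"root"}, net_group={"alice"}, has_token=lambda u: False)
    for user, port, flags in (("luser", 50000, TCP_SYN), ("alice", 50001, TCP_SYN),
                              ("luser", 50000, TCP_SYN | TCP_ACK)):
        pkt = build_packet("10.0.0.10", port, "34.216.184.93", 80, flags)
        print(user, hex(flags), verdict(pkt, "eth0", PROC_NET_TCP, PASSWD, policy))
```

The unknown-owner case matters in practice: a packet queued before the socket appears in /proc/net/tcp, or one from a raw socket, has no uid to check, and a policy that accepts on a failed lookup is trivially bypassed.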