How to Disable Internet Access on Linux
The scenario: You have just installed your brand new Linux operating system and now your children are telling you that they want to do their homework on your machine. You take a moment to reconsider why you ever wanted your children to learn. They promise you that they just need to use OpenOffice and/or Gimp to finish their paper and would never dream of accessing the web or instant messaging their dweeby little friends. Should you do it? But how can you be sure that they won’t do either of these most heinous activities on your pristine (and still pure) machine while you’re out cleaning the garage?
Well, I use a series of commands that will deny internet access to the kids or, for that matter, to any particular user (like Grandma G. who is addicted to computer Solitaire and refuses to leave her room). It’s a pretty simple procedure to do, but you will have to create and modify files (plus, Granny ain’t gonna like it). This process drops all of that user’s outgoing TCP traffic (web, mail, IM), so it is a pretty extreme move to make (kinda like breakdancing in speedos). As soon as we wean granny off the Solitaire - we’re currently planning an intervention - I hope to get around to writing another article on how not to be so strict, as fun as that can be.
Alrighty, then! Let’s get started…
First you need to add an iptables rule that tells the kernel which user to limit. The owner match looks at the UID of the process that created each outgoing packet, so the rule only ever affects that one account. From the command line type the following, remembering to replace "<user name>" with the real username you are trying to block (a numeric UID works as well):
sudo iptables -A OUTPUT -p tcp -m owner --uid-owner <user name> -j DROP
Two things to note. The -p tcp part restricts the rule to TCP, which is enough for browsers and IM clients; leave -p tcp out if you also want to stop UDP (DNS lookups, most games) and ICMP (ping). And -A appends the rule to the end of the OUTPUT chain, so if you already have a firewall rule earlier in that chain that accepts everything, the DROP will never be reached; in that case use -I OUTPUT instead of -A OUTPUT to put it at the top.
To test that the command worked properly, type this from the command line:
sudo iptables -L
You should see something that looks like this:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             OWNER UID match <user name>
This last line is what you’re looking for. If it shows up, you then need to save this ‘in-memory’ change to a file. This can be done by typing the following from the command line:
sudo sh -c 'iptables-save > /etc/iptables-save'
You will now have a file in the /etc directory called iptables-save that holds the whole filter table in the format iptables-restore reads. The sh -c wrapper is not decoration: a plain "sudo iptables-save > /etc/iptables-save" fails with "Permission denied", because the redirection into /etc is performed by your own, unprivileged shell before sudo ever starts, so only the iptables-save part runs as root. If you would rather work as root directly, become root first and then run the redirection without sudo:
su -
Now type in the root password when prompted (on Ubuntu and other sudo-only systems use "sudo -i" instead), and then run iptables-save > /etc/iptables-save from the root shell.
Finally, you have to tell the system to restore the settings on boot-up. There are many ways to skin this cat, but the easiest way for me was to just add a new line in the /etc/rc.local file. (On a systemd-based distribution this file is still run at boot, through rc-local.service, as long as it exists and is executable; if you would rather not depend on it, Debian and Ubuntu ship the iptables-persistent package, which restores /etc/iptables/rules.v4 at boot and does the same job.) Do this by typing the following from the command line:
sudo vi /etc/rc.local
or
sudo gedit /etc/rc.local
If you are not a big fan of either VI or gedit, you may use any other editor you want (freedom is what it’s all about). Just remember you are editing the file /etc/rc.local file.
Once the rc.local file is opened in your editor, you need to add one line to the file (before the exit 0 line; if you are creating the file from scratch, its first line must be #!/bin/sh):
iptables-restore < /etc/iptables-save
Now the rule will be restored every time the system boots. You should also make sure /etc/rc.local is executable (permissions 755), otherwise it is silently skipped at boot:
sudo chmod 755 /etc/rc.local
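Here is the whole procedure as one small POSIX shell script. It is added to this article as an example and is not from the original post. It generalises the one-liner above in two ways that are my choices, not the article's: the "strict" mode drops every outgoing packet the user owns (UDP and ICMP as well as TCP, with loopback left open so local programs still work), and a "keep-inbound" mode lets packets that belong to an already established connection through, which is what you want if the account must still be reachable over SSH while being unable to open connections of its own (the problem raised in the comments below). The /etc/iptables-save path is the article's; the mode names, the function names and the sample "iptables -S" lines used to check the rule are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not from the original article: block one user's outgoing
# traffic with the iptables owner match, check it, and persist it.
# Assumptions: the two modes ("strict" / "keep-inbound"), the function
# names and the loopback exception are this example's choices.

RULES_FILE="${RULES_FILE:-/etc/iptables-save}"   # path used by the article

# Print the OUTPUT-chain rules for one user, one per line, in the same
# syntax iptables-save uses.  iptables accepts a user name or a numeric
# UID after --uid-owner.
#   strict        drop every outgoing packet the user owns (TCP, UDP and
#                 ICMP, not just TCP as in the article's one-liner), except
#                 on loopback so local programs can still talk to each other.
#   keep-inbound  same, but accept packets that belong to a connection that
#                 already exists, so a remote SSH login *to* this account
#                 keeps working; a connection the user tries to open is
#                 still NEW and is dropped.
output_rules_for_user() {
    user="$1"
    mode="${2:-strict}"
    printf '%s\n' "-A OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT"
    if [ "$mode" = "keep-inbound" ]; then
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $user -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    fi
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $user -j DROP"
}

# Add the rules live (needs root).  -A appends, so an existing firewall
# policy is left alone and our DROP sits after it.
apply_rules() {
    output_rules_for_user "$1" "$2" | while read -r rule; do
        # shellcheck disable=SC2086  (word splitting is intended here)
        sudo iptables $rule
    done
}

# Delete exactly the rules we added: same arguments, -D instead of -A.
# (The article's "iptables -F" would throw away every rule on the machine.)
remove_rules() {
    output_rules_for_user "$1" "$2" | sed 's/^-A /-D /' | while read -r rule; do
        # shellcheck disable=SC2086
        sudo iptables $rule
    done
}

# Read "iptables -S OUTPUT" output on stdin and succeed only if our DROP
# rule for the given numeric UID is present.  -S prints the UID as a
# number, so callers resolve the name with "id -u" first.
drop_rule_present() {
    grep -q -- "^-A OUTPUT -m owner --uid-owner $1 -j DROP\$"
}

# Save the whole filter table.  A bare "sudo iptables-save > $RULES_FILE"
# fails with "Permission denied" because the redirection is done by your own
# shell, not by sudo; routing the output through tee running as root works.
save_rules() {
    sudo iptables-save | sudo tee "$RULES_FILE" > /dev/null
}

# Usage: sh block-user.sh apply|remove|check <user> [strict|keep-inbound]
case "${1:-}" in
    apply)  apply_rules  "$2" "${3:-strict}" && save_rules ;;
    remove) remove_rules "$2" "${3:-strict}" && save_rules ;;
    check)  sudo iptables -S OUTPUT | drop_rule_present "$(id -u "$2")" ;;
    *)      ;;   # no arguments: only define the functions (file can be sourced)
esac
```

Run "sh block-user.sh apply granny keep-inbound" to add and save the rules, "sh block-user.sh check granny" to confirm the DROP is in place, and "sh block-user.sh remove granny keep-inbound" to take it out again without touching anything else. Keep in mind what the owner match does and does not see: it keys on the UID that owns the socket, so anything the user runs through a setuid binary, a local proxy listening on loopback, or another account via sudo is not covered by this rule.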
Okay, so how do you turn this functionality off? You can just edit the file /etc/rc.local again and put a "#" in front of the line iptables-restore < /etc/iptables-save. Doing this turns the line into a comment, so it has no effect once the system reboots (the /etc/iptables-save file itself is left alone, so you can re-enable it later). If you don’t want to wait for a reboot and just want to kill the filter now, the gentle way is to delete the one rule you added, which is the same iptables command as before with -D in place of -A. The blunt way is to flush the whole table:
sudo iptables -F
Be aware that -F throws away every rule in every chain of the filter table, not just this one, so don’t use it on a machine that has a real firewall configured.
I hope what I wrote today will give you peace of mind. Now you can clean out that garage without worrying about the kids surfing or IM’ing or Granny gaining access to the evils of Solitaire. Your mind will be free to ponder how you’re going to tell the old gal that she’s an addict who needs love and family to help her get off the junk.
Come to think of it, though, maybe you should just hide your computer…
Nice article - the scariness of iptables turned upside down
I was able to disable internet access for a user, but after I did this the user was not able to do a remote login into the system?
How is it possible that I can disable internet access to the user, but the user should still be able to do a remote access to the system?
Thank you
Hi Santhosh!
The article listed above is definitely very extreme. It is how you can totally lock down a system (like when your kids are using your computer). However, this also denies access for other services you may need. I will have to investigate a bit to come up with a good solution to your particular problem.
Off the top of my head you could try:
(1) Disable the user’s browser permissions, or
(2) Disallow user access to the Internet via the PC firewall such as Firestarter /etc/host/deny for outbound traffic, or at a gateway firewall if the user account was on its own PC.
I will let you know if I arrive at a better solution.