I am developing an Ubuntu/Mint-based distribution intended to run live. There are multiple accounts divided into three general groups: admin, internet, and security.
The other accounts are security accounts. Under no circumstances may they use any network: Internet, printers, Bluetooth, WiFi devices, etc.
What I want to do is remove the network drivers from the kernel, but that would also disable the accounts that need the Internet.
What is the lowest-level way to disable the Internet for these security accounts? I'm looking for a solution where connecting is impossible.
Bru*_*ira 15
You can use iptables.
In a terminal, add the rule to iptables:
sudo iptables -A OUTPUT -p all -m owner --uid-owner username -j DROP
where username is the user that you want to disable the Internet connection. Save the file and exit.
This will add a rule to iptables saying that any outgoing packages created by the specified user will be automatically dropped by iptables.
If you want to do the same for a complete group I suggest that instead of --uid-owner username you use --gid-owner groupname, that will have the same effect for a complete user group.
So to prevent the group Security from accessing the Internet the command would look something like this
sudo iptables -A OUTPUT -p all -m owner --gid-owner security -j DROP
To make the rule permanent you can create a script in /etc/network/if-up.d/, add the necessary lines to it and make it executable.
As an option use iptables-save to save your current rules and restore them on boot.
Save the current iptables rules:
sudo iptables-save > /etc/iptables_rules
Open /etc/rc.local with your favorite text editor and add at the end of the file:
/sbin/iptables-restore < /etc/iptables_rules
This will restore the saved rules on every boot.
For more information, see the [iptables man page] for details on the many iptables options.
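As an added example (not part of the answer above), the following script generates an iptables-restore ruleset with one owner-match DROP rule per user or group and loads it the way the answer's /etc/rc.local line does; the `user:NAME` / `group:NAME` spec syntax, the function names and the `--install` flag are my own conventions, and it assumes an iptables build with the owner match.

```shell
#!/bin/sh
# Generate and load OUTPUT DROP rules keyed on socket owner (constructed example).
# Spec tokens: user:NAME  -> --uid-owner NAME
#              group:NAME -> --gid-owner NAME
# Note: the owner match checks the effective uid/gid of the process that
# created the socket, so a "security" user must have that group as primary.

# Print an iptables-restore fragment for the filter table to stdout.
owner_drop_rules() {
    printf '%s\n' '*filter'
    for spec in "$@"; do
        case "$spec" in
            user:*)
                printf '%s\n' "-A OUTPUT -p all -m owner --uid-owner ${spec#user:} -j DROP" ;;
            group:*)
                printf '%s\n' "-A OUTPUT -p all -m owner --gid-owner ${spec#group:} -j DROP" ;;
            *)
                echo "unknown spec '$spec' (use user:NAME or group:NAME)" >&2
                return 1 ;;
        esac
    done
    printf '%s\n' 'COMMIT'
}

# Count the DROP rules in a ruleset read from stdin (0 when none; grep exits 1).
count_drop_rules() {
    grep -c -- '-j DROP' || true
}

# Write the ruleset to a file and load it atomically with iptables-restore.
# Requires root; the same file can then be restored from /etc/rc.local on boot.
install_rules() {
    rules_file="$1"
    shift
    owner_drop_rules "$@" > "$rules_file" || return 1
    /sbin/iptables-restore < "$rules_file"
}

# Usage: ./owner_drop.sh --install group:security user:guest
if [ "${1:-}" = "--install" ]; then
    shift
    install_rules /etc/iptables_rules "$@"
fi
```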