full networking for console user, limited networking for remotely logged in user - Linux



Thread: full networking for console user, limited networking for remotely logged in user

  1. full networking for console user, limited networking for remotely logged in user

    Hello

    I need to set up a lab such that the users logged on to the console have
    full access to the LAN and the internet, but users remotely logging in (via
    telnet/ssh) to the lab servers would be allowed only to access the LAN
    (i.e. other servers in the lab only) and would not be granted access to
    the network outside of the lab, i.e. to the internet.
    I would use Red Hat 9.0.

    So how do I go about doing this???

  2. Re: full networking for console user, limited networking for remotely logged in user

    [followup-to set]
    In article , RJ41 wrote:
    > I need to set up a lab such that the users logged on to the console have
    > full access to the LAN and the internet, but users remotely logging in (via
    > telnet/ssh) to the lab servers would be allowed only to access the LAN (

    See the iptables "owner" match extension ("man iptables"). If you have a
    fixed list of authorised and unauthorised users, this will be easy:
    simply assign the remote users to a single group, and use -m owner to
    block that GID.

    I'm not sure how pid-owner and sid-owner work, but those might make it
    even easier, if they can exclude any process started under sshd or
    telnetd. Perhaps someone else will know?

    If users might alternate between console and remote logins, this would
    be more complicated and possibly weak. You could use the shell to set
    the effective GID when logging in. That of course opens up a lot of
    other shell issues.

    > I would use Red Hat 9.0.

    Note that Red Hat by default puts all new user accounts in per-user
    unique groups. You might have to override this default (and change any
    accounts which already exist.)
    --
    /dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
    or put "not-spam" or "/dev/rob0" in Subject header to reply
