Mageia forum

[magfan]

My system has several ethernet ports (eth0 .. eth5) and I want to exclude several users from access to one specific port (eth1). How can I do this?

[doktor5000]

How do you want to exclude users? From logging in via a specific interface, or from using it from the inside?

[magfan]

How do you want to exclude users? From logging in via a specific interface, or from using it from the inside?

From inside.

[ah7013]

Is shorewall enabled on eth1? If so, you could just modify /etc/shorewall/rules and append some rules to block the specific users. For example adding:

Code: Select all

REJECT $FW net:eth1 - - - - - user1
REJECT $FW net:eth1 - - - - - user2
REJECT $FW net:eth1 - - - - - user3
REJECT $FW net:eth1 - - - - - user4


to that file would reject any outgoing packets from user1, user2, user3 and user4 on eth1. Once you have modified the file just restart shorewall (systemctl restart shorewall.service)

[magfan]

Is shorewall enabled on eth1? If so, you could just modify /etc/shorewall/rules and append some rules to block the specific users. For example adding:

Code: Select all

REJECT $FW net:eth1 - - - - - user1
REJECT $FW net:eth1 - - - - - user2
REJECT $FW net:eth1 - - - - - user3
REJECT $FW net:eth1 - - - - - user4


to that file would reject any outgoing packets from user1, user2, user3 and user4 on eth1. Once you have modified the file just restart shorewall (systemctl restart shorewall.service)

I tried it but after editing the rules I discovered problems for other users on other eth* ports. Maybe because this line was the only one in /etc/shorewall/rules and shorewall has some default settings for other (not explicitly listed) eth* ports. Do I have to configure shorewall for all eth* ports separately?

[ah7013]

No you shouldn't need to configure all eth* ports seperatly. I did try it on one of my computers with only configuring that one eth* port and it worked fine :-/. Although you could try configuring them seperately by adding something like this to the same rules file:

Code: Select all

ACCEPT $FW net:eth0
ACCEPT $FW net:eth2
ACCEPT $FW net:eth3
ACCEPT $FW net:eth4
ACCEPT $FW net:eth5


which should allow all outgoing packets from those interfaces from any user but I am not sure if it would work.