Due to a child protection and safeguarding issue, I want to set up a restricted or limited account for a tech-savvy teenager to use. I would like to whitelist only specific websites (e.g. iPlayer and Netflix since there's no TV in the house) for that user. I'm not concerned about software updates--those will be run through my account, natch.
I understand that the usual answer is to use a proxy such as Squid or Privoxy. However, I'm concerned that it is possible to get around such systems by overriding local proxy settings on the client unless there is a device running them as a transparent proxy, filtering all local network traffic. I'm also concerned about the technical burden of administering and maintaining one. (That's speaking as a systems administrator.)
I would ideally like to be able to use my admin account, which obviously has sudo, to set local firewall rules on a per-user basis. I would have thought it fairly trivial in theory for the kernel's network stack to block connections based on which local user process they originate from, just as it is capable of blocking outgoing connections from certain hosts or ports, and would be easier to administer and maintain than a proxy, even if the kernel itself does not in fact offer said functionality, and that that would seem to be a much more elegant and efficient mechanism than the sledgehammer of a border device blocking by host or running a proxy.
Does anyone have any thoughts on the matter?
Edit: people who are downvoting, could you explain why in the comments?