How to restrict internet access for a particular user on the lan using iptables in Linux
I assume that users A and B are using the same Linux machine(s) where you are the administrator. (It's not completely clear from your question. If A and B have their own computers on which they are administrators, it's a completely different problem.)
The following command will prevent the user with uid 1234 from sending packets on the interface eth0:
iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1234 -j DROP
ip6tables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1234 -j DROP
I recommend reading the Ubuntu iptables guide to get basic familiarity with the tool (and refer to the man page for advanced things like the mangle table).
The user will still be able to run ping (because it's setuid root), but not anything else. The user will still be able to connect to a local proxy if that proxy was started by another user.
To remove this rule, add -D to the command above.
To make the rule permanent, add it to /etc/network/if-up.d/my-user-restrictions (make that an executable script beginning with #!/bin/sh). Or use iptables-save (see the Ubuntu iptables guide for more information).
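As an added example that is not part of the answer above, the same owner-match rule wrapped in a small POSIX sh script of the kind one would drop into /etc/network/if-up.d. It resolves a login name to a uid (the owner match takes a numeric uid), checks with -C before adding so the rule is not duplicated every time the interface comes up, and removes the rule again by repeating -D until nothing matches. The script name, the function names and the show/apply/remove actions are my own assumptions; the rule itself (mangle table, OUTPUT chain, -o interface, --uid-owner, DROP, for both iptables and ip6tables) is exactly the one from the answer.

```shell
#!/bin/sh
# Added example, not from the original answer: the owner-match rules above
# wrapped so they can be shown, applied idempotently and removed again.
# Assumes the restriction is a single DROP rule in the mangle OUTPUT chain
# keyed on --uid-owner, for both iptables and ip6tables, as in the answer.

# Resolve a login name to its numeric uid (the owner match wants a uid).
uid_of() {
    id -u "$1"
}

# The rule specification shared by add (-A), check (-C) and delete (-D).
rule_spec() {
    # $1 = uid, $2 = outgoing interface
    printf '%s' "OUTPUT -o $2 -m owner --uid-owner $1 -j DROP"
}

# Print the two commands (v4 and v6) for a given action without running
# them; useful as a dry run or for pasting into an if-up.d script.
show_commands() {
    # $1 = action flag (-A, -C or -D), $2 = uid, $3 = interface
    spec=$(rule_spec "$2" "$3")
    printf 'iptables -t mangle %s %s\n' "$1" "$spec"
    printf 'ip6tables -t mangle %s %s\n' "$1" "$spec"
}

# Add the rule only when it is absent: -C exits 0 if an identical rule
# already exists, so rerunning (e.g. on every interface-up event) does not
# stack duplicate rules. Requires root.
restrict_user() {
    # $1 = uid, $2 = interface
    for tool in iptables ip6tables; do
        if ! "$tool" -t mangle -C OUTPUT -o "$2" -m owner --uid-owner "$1" -j DROP 2>/dev/null; then
            "$tool" -t mangle -A OUTPUT -o "$2" -m owner --uid-owner "$1" -j DROP
        fi
    done
}

# Delete every copy of the rule (-D removes one match per call, so loop
# until it reports nothing left). Requires root.
unrestrict_user() {
    # $1 = uid, $2 = interface
    for tool in iptables ip6tables; do
        while "$tool" -t mangle -D OUTPUT -o "$2" -m owner --uid-owner "$1" -j DROP 2>/dev/null; do
            :
        done
    done
}

# Usage: restrict.sh show|apply|remove USER IFACE   (no arguments: do nothing)
if [ "$#" -eq 3 ]; then
    uid=$(uid_of "$2") || exit 1
    case "$1" in
        show)   show_commands -A "$uid" "$3" ;;
        apply)  restrict_user "$uid" "$3" ;;
        remove) unrestrict_user "$uid" "$3" ;;
        *)      echo "unknown action: $1" >&2; exit 2 ;;
    esac
fi
```

Because the rule matches only traffic leaving the named interface, loopback is untouched, which is why a proxy listening on localhost (started by another user) stays reachable, as the answer notes; to close that path as well you would need a second rule without -o, or with -o lo, for the same uid. The -C check is also what you want in an if-up.d hook: without it every interface-up event appends another identical rule, and a single -D later removes only one of them.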