Guest session network lockdown

Matt Zimmerman mdz at
Thu Jul 31 19:40:09 BST 2008

On Thu, Jul 31, 2008 at 02:34:10PM +0200, Martin Pitt wrote:
> The spec also mentions restricting network access to the guest user.
> Standard TCP/UDP to the internet should of course be allowed in order
> to be useful, but it would be nice to e.g. disallow the usage of VPNs.
> This can be implemented with some iptables rules and the 'owner'
> module.

Would it make sense to integrate with ufw for this?

> However, we didn't talk yet about which particular kind of network
> access should be allowed/denied. Some examples that come into my mind,
> together with my gut feeling of whether to allow or deny them:
>  - default route (should certainly be allowed, even if that is through
>    a VPN)

I think this should be allowed, but limited.  Things like HTTP(S), FTP, DNS,
POP, IMAP, etc. should be allowed, but perhaps not arbitrary ports.

>  - existing VPNs to non-default routes (deny) -> how to detect this?
>    OpenVPN uses tun devices, but other solutions work differently; e.g.
>    standard ipsec-tools uses regular ethernet interfaces and just
>    magically declares the connections as encrypted/signed in kernel
>    space; and then there's the Cisco "vpnc" package and a ton of
>    others...

Perhaps outbound to RFC1918 space should be denied; in practice this will
cover most VPNs as well.  tun devices are also a good exclusion.

>  - other computers in the LAN (deny)

I'm not sure I agree entirely; consider the case of printing to a network
printer or accessing a local DNS server.  Blocking RFC1918 would of course
usually prohibit this as well.

 - mdz
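One way to express the policy sketched in this exchange with iptables and the 'owner' match, as an added example that is not code from the original message or from Ubuntu's guest-session implementation. It assumes the guest session runs under a local account named "guest" (GUEST_USER), that the permitted port list and the optional LAN exceptions are illustrative choices, and that the IPTABLES variable can be pointed at "echo iptables" for a dry run; the "guest-out" chain name is likewise an assumption.

```shell
#!/bin/sh
# Added example: outbound network lockdown for a guest account using the
# iptables 'owner' match. All names and port lists below are assumptions.

GUEST_USER="${GUEST_USER:-guest}"        # account the guest session runs as (assumed)
IPTABLES="${IPTABLES:-iptables}"         # set to "echo iptables" to print instead of apply
ALLOWED_TCP="${ALLOWED_TCP:-53 80 443 21 110 995 143 993}"   # DNS, HTTP(S), FTP, POP, IMAP
ALLOWED_UDP="${ALLOWED_UDP:-53}"                             # DNS
LAN_EXCEPTIONS="${LAN_EXCEPTIONS:-}"     # e.g. "192.168.1.1 192.168.1.20" for resolver/printer
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

guest_rules() {
    # Dedicated chain, so the guest policy can be rebuilt without touching
    # the rest of OUTPUT. -N fails if the chain already exists; then flush it.
    $IPTABLES -N guest-out 2>/dev/null || $IPTABLES -F guest-out

    # Only packets generated by the guest uid are steered into the chain.
    # The owner match works in OUTPUT (locally generated traffic) only.
    $IPTABLES -D OUTPUT -m owner --uid-owner "$GUEST_USER" -j guest-out 2>/dev/null
    $IPTABLES -A OUTPUT -m owner --uid-owner "$GUEST_USER" -j guest-out

    # Loopback is needed by the desktop session itself (X, D-Bus, local resolver).
    $IPTABLES -A guest-out -o lo -j ACCEPT

    # Anything leaving via a tun device (OpenVPN, vpnc, ...) is refused.
    # "tun+" matches every interface whose name starts with "tun".
    $IPTABLES -A guest-out -o tun+ -j REJECT

    # Explicit LAN exceptions (local DNS server, network printer) go before
    # the RFC1918 block, otherwise that block would cut them off too.
    for host in $LAN_EXCEPTIONS; do
        $IPTABLES -A guest-out -d "$host" -j ACCEPT
    done

    # Deny other hosts on the LAN and most VPN-internal ranges.
    for net in $RFC1918; do
        $IPTABLES -A guest-out -d "$net" -j REJECT
    done

    # Permitted services towards the internet, by destination port.
    for p in $ALLOWED_TCP; do
        $IPTABLES -A guest-out -p tcp --dport "$p" -j ACCEPT
    done
    for p in $ALLOWED_UDP; do
        $IPTABLES -A guest-out -p udp --dport "$p" -j ACCEPT
    done

    # Default deny for everything else the guest sends.
    $IPTABLES -A guest-out -j REJECT
}

# With no argument the script only prints the rules; "apply" loads them (needs root).
case "${1:-}" in
    apply) guest_rules ;;
    *)     IPTABLES="echo iptables" guest_rules ;;
esac
```

Two caveats worth keeping in mind when adapting this. First, the owner match only classifies packets the guest process itself emits, so a VPN brought up by a root-owned daemon on the guest's behalf is not caught by the uid rule; the "-o tun+" rule covers that case for tun-based VPNs, while IPsec handled in the kernel on a regular interface is not detectable this way, as the quoted message notes. Second, the RFC1918 block also denies the local resolver and any network printer, which is exactly the trade-off raised above; LAN_EXCEPTIONS is the hook for allowing those hosts back in deliberately rather than opening the whole LAN.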

More information about the ubuntu-devel mailing list