I'm setting up the guest user account for the PCs of a computer lab, which run Ubuntu 24.04. I'd like the guest account to be able to connect only to our Wi-Fi network, forbidding access to other nearby networks, phone hotspots, etc. How can I do it?
1 Answer
You can do this. First, for the guest user name, figure out their UID by using the id command; assuming their username is "guest" you'd run:

    id -u guest

which for instance outputs 1100.

Next, figure out the Wi-Fi interface, which for instance is called wlan0: run the ip command to show interfaces and find the Wi-Fi card name.

Then in the nftables script define variables holding those values:

    #!/usr/sbin/nft -f
    define guest_user = 1100
    define wlan_nic = "wlan0"

Next, create a rule that matches this user and restricts it to the Wi-Fi interface (assuming filter is an ip table and output is an ip chain declared somewhere):

    #!/usr/sbin/nft -f
    add rule filter output meta skuid $guest_user meta oifname $wlan_nic accept

Keep in mind that using meta skuid is valid only for output rules; input traffic comes from another host and doesn't carry this information.

If you need specific filtering based on that schema, you can use the jump verdict to jump to a guest-specific chain, for example:

    #!/usr/sbin/nft -f
    add chain filter guest_out_chain { comment "chain for guest" }
    add rule filter output meta skuid $guest_user meta oifname $wlan_nic jump guest_out_chain

And then do the guest-specific filtering in that guest_out_chain chain without having to specify meta skuid $guest_user meta oifname $wlan_nic each time.

You can also create rules in the same fashion that apply to some guests group if there are several guests, but then instead of meta skuid you use meta skgid GID, where GID is the group ID.
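The steps above (resolve the UID, pick the interface, define the nft variables, accept on the Wi-Fi NIC, jump to a per-guest chain) put together as one script, as an added example that is not part of the answer. It generates a complete nftables ruleset file rather than single add rule commands, and it adds the piece the answer's lone accept rule leaves implicit: a final meta skuid drop so the guest's packets on every other interface (Ethernet, USB tethering, a VPN tun) are discarded, plus a loopback accept so local resolvers and the desktop session keep working. The table name guest_filter, the example DNS/HTTP/HTTPS filtering in guest_out_chain, and the output path /etc/guest-wifi-only.nft are constructed placeholders; guest_user, wlan_nic and guest_out_chain follow the answer.

```shell
#!/bin/sh
# Added example: build an nftables ruleset that confines one user's
# outbound traffic to a single Wi-Fi interface (Ubuntu 24.04, nftables).

# Resolve a user name to a UID the way the answer does (id -u). A purely
# numeric argument is passed through unchanged so the ruleset can be
# previewed on a machine where the guest account does not exist yet.
resolve_uid() {
    case "$1" in
        *[!0-9]*) id -u "$1" ;;          # a name: ask the system; fails if unknown
        *)        printf '%s\n' "$1" ;;  # already numeric: use as-is
    esac
}

# Print the complete ruleset for UID $1 restricted to interface $2.
# The heredoc is unquoted so $uid/$nic expand now; nft variables are
# escaped (\$guest_user) so they reach the file literally.
guest_ruleset() {
    uid="$1"
    nic="$2"
    cat <<EOF
#!/usr/sbin/nft -f
define guest_user = $uid
define wlan_nic = "$nic"

table inet guest_filter {
    chain guest_out_chain {
        comment "chain for guest"
        # guest-specific filtering goes here; constructed example: DNS and web only
        udp dport 53 accept
        tcp dport { 80, 443 } accept
        drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # loopback must stay open or local DNS caching and the desktop session break
        meta skuid \$guest_user meta oifname "lo" accept
        # the guest's traffic on the Wi-Fi NIC is filtered in the per-guest chain
        meta skuid \$guest_user meta oifname \$wlan_nic jump guest_out_chain
        # everything else the guest sends (ethernet, USB tether, VPN tun) is dropped;
        # for a whole group of guests use "meta skgid <GID>" instead of skuid
        meta skuid \$guest_user drop
    }
}
EOF
}

# Syntax-check a ruleset file with nft's dry run when nft is installed;
# returns 0 (skip) when nft is absent so previews still work offline.
validate_ruleset() {
    command -v nft >/dev/null 2>&1 || return 0
    nft -c -f "$1"
}

# Usage, as root, after reviewing the generated text (placeholder path):
#   sh guest-wifi-only.sh guest wlan0 > /etc/guest-wifi-only.nft
#   nft -c -f /etc/guest-wifi-only.nft && nft -f /etc/guest-wifi-only.nft
if [ "$#" -eq 2 ]; then
    guest_ruleset "$(resolve_uid "$1")" "$2"
fi
```

Note that meta skuid only identifies the sending process in the output hook, as the answer says, so this confines what the guest sends; replies come back through the kernel's normal connection handling and need no input-side rule. The trailing drop is what turns the accept into a restriction: without it the guest matches the default accept policy on every other interface.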