Fine tuning Edubuntu

Gavin McCullagh gmccullagh at gmail.com
Tue Aug 1 18:43:09 BST 2006


On Tue, 01 Aug 2006, Brad Thomas wrote:

> I have a default install of Edubuntu, and my clients are connecting 
> without any problems.  However, there are two things that I need to get 
> done before I can put this in a live environment:

> 1. I have 2 NICs in the server.  One connects to the main network 
> (eth1), and the other is for the Edubuntu lab that the clients connect 
> through (eth0).  However, I need to figure out a way to prevent my 
> client computers from being able to hit eth1, because I do not want them 
> to be able to access my network.  How can I do this?

So I think you want the thin client computers to be unable to see the main
network?  Given that as thin clients they are actually running programs on
your server this is not trivial.  

a. You can use iptables (or something higher level like shorewall) to
   restrict what connections are allowed to the main network zone (beyond
   eth1) from the local machine and from the thin client network zone
   (behind eth0).  This will also restrict _you_ if you are a user on the
   server so you might need something more sophisticated.

b. It is possible with iptables to apply restrictions on locally generated
   packets based on the "packet creator".  So, you can say 
	"--uid-owner userid"
   in order to say that only certain users can connect to the main network
   in certain ways.  I've never done this myself and it is not trivial if
   you haven't used iptables before.

> 2. I am trying to figure out a way to remove applications from the menu 
> that the clients will not (and should not) have access to.  I guess I'm 
> looking for a KIOSK that will work with Gnome.  Any suggestions?

You could always just use apt to remove the applications from the LTSP
chroot environment?  That way they are there on the server but not for thin
clients.  

Red Hat documents lockdown of GNOME here but not really available programs:

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/desktop-guide/s1-ddg-lockdown-other-kiosk-configs.html

Sun also has docs here:

http://docs.sun.com/app/docs/doc/817-5310/6mkpbn3up?a=view

Note that if you remove the programs from the menu there is often nothing
stopping the user running them from the command line.  They need to either
be removed completely or have their permissions restricted to be secured
from users (the latter is not trivial to maintain).

Gavin
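
The following is an added example, not part of the original message: a sketch of options (a) and (b) combined, printing (not applying) iptables rules that block routed lab traffic and limit locally generated traffic on eth1 by socket owner. The interface roles come from the thread; the gen_rules helper and the sample UIDs 0 and 1000 are assumptions for illustration.

```shell
#!/bin/sh
# Added example: prints an iptables ruleset for the LTSP server, applies nothing.
# Assumptions: eth0 = thin-client lab, eth1 = main network (as in the thread);
# the UIDs passed in are the accounts allowed to reach the main network.

LAB_IF=eth0
MAIN_IF=eth1

# gen_rules UID [UID...]  -> writes iptables commands to stdout.
gen_rules() {
    [ "$#" -gt 0 ] || { echo "usage: gen_rules UID [UID...]" >&2; return 2; }
    for uid in "$@"; do
        case "$uid" in
            # Numeric UIDs only, so a typo cannot silently become another account.
            ''|*[!0-9]*) echo "not a numeric UID: $uid" >&2; return 2 ;;
        esac
    done

    # Routed traffic: lab machines are never forwarded onto the main network.
    echo "iptables -A FORWARD -i $LAB_IF -o $MAIN_IF -j DROP"

    # Replies on connections that were already permitted (for example an
    # admin session arriving on eth1) keep working.
    echo "iptables -A OUTPUT -o $MAIN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Locally generated traffic: thin-client sessions run on the server, so
    # their packets show up in OUTPUT, where the owner match is available.
    for uid in "$@"; do
        echo "iptables -A OUTPUT -o $MAIN_IF -m owner --uid-owner $uid -j ACCEPT"
    done

    # Anything else leaving via eth1 is refused, including packets that have
    # no owning socket.
    echo "iptables -A OUTPUT -o $MAIN_IF -j REJECT"
}

# Usage (constructed UIDs): gen_rules 0 1000
```

Rule order matters here: the final REJECT must come after the per-UID ACCEPT lines, and services on the server that need the main network (DNS lookups, package updates) only work if the account they run as is in the list.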



