This is a discussion on full networking for console user, limited networking for remotely logged in user within the Linux Administration forums, part of the Linux Forums category.
Hello
I need to set up a lab such that the users logged on to the console have full access to the LAN and internet, but users remotely logging in (via telnet/ssh) to the lab servers would be allowed to access only the LAN (i.e. other servers in the lab only) and would not be granted access to the network outside of the lab, i.e. to the internet. I would use RedHat 9.0. So how do I go about doing this?
[followup-to set]
In article <ec37897e.0308140027.f27cdce@posting.google.com>, RJ41 wrote:
> I need to setup a lab. such that the users logged on to console have
> full access of lan and internet but, users remotely logging(via
> telnet/ssh) into the lab servers would be allowed only to access lan(

See the iptables "owner" match extension ("man iptables").

If you have a fixed list of authorised and unauthorised users, this will be easy: simply assign the remote users to a single group, and use -m owner to block that GID. I'm not sure how pid-owner and sid-owner work, but those might make it even easier, if they can exclude any process started under sshd or telnetd. Perhaps someone else will know?

If users might alternate between console and remote logins, this would be more complicated and possibly weak. You could use the shell to set the effective GID when logging in. That of course opens up a lot of other shell issues.

> I would use RedHat 9.0.

Note that Red Hat by default puts all new user accounts in per-user unique groups. You might have to override this default (and change any accounts which already exist.)

--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net or put "not-spam" or "/dev/rob0" in Subject header to reply
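
The fixed-group approach from the reply above, written out as an added example that is not part of the original thread: a shell function that prints the iptables OUTPUT rules confining one group to the lab subnet. The group name `labremote`, the chain name `LAB_REMOTE` and the subnet `192.168.10.0/24` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the rules instead of applying
# them, so the result can be reviewed before it is run as root.
# Assumption: the remote-only accounts have GROUP as their primary group,
# so processes they start run with that GID.

# build_rules GROUP LAN_CIDR  -> iptables commands on stdout, one per line
build_rules() {
    group=$1
    lan=$2
    chain=LAB_REMOTE    # hypothetical chain name

    # Refuse anything that is not a plain group name, since the output
    # is meant to be fed to a root shell.
    case $group in
        ''|*[!A-Za-z0-9_-]*) echo "bad group name" >&2; return 1 ;;
    esac
    # Require address/prefix notation made of digits, dots and one slash.
    case $lan in
        ''|*[!0-9./]*) echo "bad LAN address" >&2; return 1 ;;
        */*) ;;
        *) echo "LAN must be given as address/prefix" >&2; return 1 ;;
    esac

    # The owner match works on locally generated packets (OUTPUT chain).
    # Traffic owned by the group is sent to its own chain, where loopback
    # and lab destinations return to normal processing and the rest is
    # rejected.
    cat <<EOF
iptables -N $chain
iptables -A OUTPUT -m owner --gid-owner $group -j $chain
iptables -A $chain -o lo -j RETURN
iptables -A $chain -d $lan -j RETURN
iptables -A $chain -j REJECT
EOF
}

# Stand-alone use: ./lab-rules.sh labremote 192.168.10.0/24
if [ $# -eq 2 ]; then
    build_rules "$1" "$2"
fi
```

Review the printed commands, then pipe them to `sh` as root to apply them. Console-only accounts stay outside the group and are untouched by these rules.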