iptables isn't meant to be used in this manner, as you've learned. It is cumbersome. OpenSnitch might be more what you seek. I found opensnitch to be too complicated for my needs. https://itsfoss.com/opensnitch-firewall-linux/
An easier way to accomplish what you seek would be to use a USB wifi dongle for internet access and have that USB wifi removed when you don't want someone to have any internet access. Set up the router to block access by other devices, only allow the USB wifi device. So, when approved people want to use the internet, they'd connect the USB wifi. Unapproved people wouldn't physically have the wifi dongle, so no internet. The built-in wifi or wired ethernet would need to be disabled.
OR
Otherwise, I don't have a good answer that doesn't involve using a proxy server like Squid, and that proxy would need to be located on a different computer and the entire network would need to be forced to use the proxy. Basically, only the proxy server would have internet access. All other systems would be stuck on the LAN and unable to even ping google.com.
OR
I suppose you could set up the networking to be disabled by default. Reboot wouldn't enable it. Then "approved" users would use sudo to bring up networking (or drop a script that does it into their auto-run programs at login time). Similarly, have a little sudo script to disable networking at logout. There's a ~/.bash_logout script that can be used for this. I'd create an old-style start/stop/status script like we used for 40 years with the init system.
Suppose you create a script in /usr/local/bin/network-on-off with these contents:
Code:
#!/bin/sh
# Wrapper so approved users only ever need sudo for two exact nmcli commands.
case "$1" in
    start)
        echo "starting"
        /usr/bin/sudo /usr/bin/nmcli networking on
        ;;
    stop)
        echo "stopping"
        /usr/bin/sudo /usr/bin/nmcli networking off
        ;;
    status)
        echo "status"
        # Querying connectivity does not need root, so no sudo here.
        /usr/bin/nmcli networking connectivity check
        ;;
    *)
        echo "usage: $0 {start|stop|status}" >&2
        exit 1
        ;;
esac
exit 0
The network start/stop/status commands are different depending on which init system and network management tool is used on your box. For most desktops, I'd look at nmcli commands as shown above.
Then set up the sudoers file to allow only those exact commands to the people you want to allow network access. Left as an exercise, but the manpage for the sudoers file has examples.
Your autostart would have /usr/local/bin/network-on-off start
Your ~/.bash_logout would have /usr/local/bin/network-on-off stop
YMMV. I haven't tested any of this. While I think it will work, it may not.
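The sudoers part that the post leaves as an exercise, as an added example (not the poster's code): a drop-in for /etc/sudoers.d that grants one group exactly the two nmcli commands the script wraps, validated with visudo before it is installed. The group name netusers and the drop-in file name are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates and safely installs a
# /etc/sudoers.d drop-in limiting members of one group to exactly the two
# nmcli commands used by /usr/local/bin/network-on-off, and nothing else via sudo.
# Assumptions: group name "netusers" and the drop-in file name are placeholders;
# the nmcli path matches the script (/usr/bin/nmcli).

# Print the sudoers fragment for the given group.
# sudo matches the arguments literally, so "networking on" and "networking off"
# are permitted while e.g. "nmcli connection add ..." under sudo is not.
# NOPASSWD is required because the autostart and ~/.bash_logout hooks run
# without a terminal to type a password into.
sudoers_fragment() {
    group="$1"
    printf '%s\n' \
        "Cmnd_Alias NET_TOGGLE = /usr/bin/nmcli networking on, /usr/bin/nmcli networking off" \
        "%${group} ALL=(root) NOPASSWD: NET_TOGGLE"
}

# Validate with visudo before the file lands in /etc/sudoers.d: a syntax error
# there can break sudo for everyone. Installs with mode 0440 as sudo requires.
# Returns non-zero, and installs nothing, if the fragment fails validation.
install_fragment() {
    group="$1"
    target="/etc/sudoers.d/${2:-network-on-off}"
    tmp=$(mktemp) || return 1
    sudoers_fragment "$group" > "$tmp"
    if visudo -cf "$tmp" >/dev/null 2>&1; then
        install -m 0440 -o root -g root "$tmp" "$target"
        rc=$?
    else
        echo "sudoers fragment failed validation, not installed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage, as root: install_fragment netusers
```

Because the rule names the full commands, a member of netusers still cannot run any other nmcli subcommand through sudo, which is the least-privilege property the post is after.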