Update README.md

README.md

@@ -17,8 +17,52 @@ First we will create the controlled access group through which programs will be
 ```
 groupadd no-internet
 ```
+And add your user to it
+```
+usermod -a -G no-internet youruser
+```
+You should now see no-internet as a group your user is a member of
+```
+groups youruser
+````
+Your user will need to be a member of the group as sg demands it
 
 ### Creating the Systemd Service
+Next we will create a systemd service which uses iptables to drop outbound connections made by the "no-internet" group
+```
+touch /etc/systemd/system/no-internet.service
+nano /etc/systemd/system/no-internet.service
+```
+Enter the following within the service file then write and quit
+```
+[Unit]
+Description=blocks network access for the group "no-internet"
+
+[Service]
+ExecStart=iptables -I OUTPUT -m owner --gid-owner "no-internet" -j DROP
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Breakdown of iptables command:
+*iptables is an administration tool for IPv4/IPv6 packet filtering
+
+*the -I OUTPUT flag specifies the rule is responsible for packets leaving the host
+
+*the -m owner flag allows packet filtering based upon the owner of the process
+
+*the --gid-owner "no-internet" flag specifies for the rule to match processes created by the group 'no-internet'
+
+*the -j DROP flag specifies the action to take, in this case dropping the packetnn
+
+Next we will reload our services, then enable no-internet so it persistently starts at boot
+```
+systemctl daemon-reload
+systemctl enable no-internet.service
+systemctl start no-internet.service
+```
+
 Note: a similar effect could be achived via crontab by making an entry along the lines of
 ```
 @reboot  root  iptables -I OUTPUT 1 -m owner --gid-owner "no-internet" -j DROP