Nicolas Kovacs
2017-Sep-18 17:03 UTC
[CentOS] Block internet access for some users on the LAN ?
Hi,

In our local school we have two servers and roughly 80 clients. The network is 192.168.10.0/255.255.255.0, and DHCP+DNS is managed by Dnsmasq.

School PCs (teachers and management) are registered via MAC address and get an IP address in a specific range:

192.168.10.2 - 192.168.10.50 - management + teachers
192.168.10.201 - 192.168.10.220 - computer room
192.168.10.246 - 192.168.10.247 - printers
192.168.10.251 - 192.168.10.253 - wireless access points

If a client (like a student's laptop, tablet or smartphone) is not registered, it gets an IP address in the range between 192.168.10.100 and 192.168.10.200.

Up until recently I've been using a combination of Squid and Squidguard to filter Internet access.

This year the school's director wants to completely block Internet access for all the students' personal devices.

The Linux server acts as a transparent gateway. Unfortunately with Squid I can only filter/block HTTP connections, but not HTTPS (well, I could, but this is way too complicated to set up).

The firewall is managed by a simple Iptables script. Now I *think* the easiest way to block a certain IP range from Internet access would be through Iptables (correct me if I'm wrong). If this is the case, what would that look like?

Any suggestions?

Niki Kovacs

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Web : http://www.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
John R Pierce
2017-Sep-18 17:23 UTC
[CentOS] Block internet access for some users on the LAN ?
On 9/18/2017 10:03 AM, Nicolas Kovacs wrote:
> This year the school's director wants to completely block Internet
> access for all the student's personal devices.

MAC addresses can easily be forged, IP addresses can easily be changed; none of that is secure if it's on the same network segment.

The students' personal devices should be on a completely different 'guest' subnet, enforced by the wireless infrastructure, via use of a captive portal and/or WPA2-EAP authentication. Presumably most of the school's infrastructure is on ethernet? Those ethernet connections should be kept physically secure so no one unauthorized can plug/unplug anything into the ethernet.

THEN you'd use iptables to enforce access restrictions on this guest subnet.

--
john r pierce, recycling bits in santa cruz
Leroy Tennison
2017-Sep-18 17:24 UTC
[CentOS] Block internet access for some users on the LAN ?
Iptables is a very reasonable way to do it: basically you decide what devices should have Internet access, create accept rules for them and then have a default deny for everything else.
Johnny Hughes
2017-Sep-18 17:42 UTC
[CentOS] Block internet access for some users on the LAN ?
On 09/18/2017 12:23 PM, John R Pierce wrote:
> MAC addresses can easily be forged, IP addresses can easily be changed,
> none of that is secure if its on the same network segment
>
> The student's personal devices should be on a completely different
> 'guest' subnet, enforced by the wireless infrastructure, via use of a
> captive portal and/or WPA2-EAP authentication.
>
> THEN you'd use iptables to enforce access restrictions on this guest
> subnet.

It would be extremely easy to, for example, try to get to the internet and fail .. look at my IP address and get my default gateway from my device (that I own) .. then try other network addresses manually until I find one that works (with the same gateway). That is, I can easily find the other segments (like the printers) and take a free address in that segment. Since the whole network is flat, it will let me out then.

As John says .. if you want to isolate guest accounts, do it with a completely different network segment that is isolated from things you don't want them to access. You can then set up rules unique to that network segment that they can't forge (the gateway is the only way that segment can get out and all the rules are the same for any IP that will route from that segment).
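Leroy's default-deny recipe, written out for the ranges in the original post as an added example (not code from any poster); it assumes the gateway's LAN interface is eth1 and its WAN interface eth0. The script prints the rules instead of applying them, and is_allowed reproduces the iprange test so the range list can be checked before it goes live; as John and Johnny point out, the rules only restrict source addresses, so they hold only for hosts that cannot take an address from a permitted range.

```shell
#!/bin/bash
# Added example (not from the thread): default-deny FORWARD policy for the
# gateway described in the original post. Registered ranges may reach the WAN;
# the unregistered DHCP pool 192.168.10.100-200 and anything else is dropped.
# Interface names are assumptions; adjust to the real gateway.
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=192.168.10.0/24
# Ranges from the post that keep Internet access (printers and APs left out:
# assumed to have no need for the WAN; add them here if that is wrong).
ALLOWED_RANGES="192.168.10.2-192.168.10.50 192.168.10.201-192.168.10.220"

# Dotted quad -> integer, so ranges can be compared without external tools.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Same membership test the iptables iprange match performs: returns 0 when
# the address lies inside one of ALLOWED_RANGES, 1 otherwise.
is_allowed() {
    local ip r lo hi
    ip=$(ip_to_int "$1")
    for r in $ALLOWED_RANGES; do
        lo=$(ip_to_int "${r%-*}")
        hi=$(ip_to_int "${r#*-}")
        [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ] && return 0
    done
    return 1
}

# Emit the iptables commands instead of running them; review the output, then
# apply with: gen_forward_rules | sh. INPUT is untouched, so dnsmasq DHCP/DNS
# on the gateway keep serving every client, registered or not.
gen_forward_rules() {
    local r
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for r in $ALLOWED_RANGES; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m iprange --src-range $r -j ACCEPT"
    done
    # Rate-limited log of refused traffic so a missing registration shows up in syslog.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m limit --limit 5/min -j LOG --log-prefix 'FWD-DENY: '"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP"
}

if [ "${1:-}" = "--print" ]; then gen_forward_rules; fi
```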
Chase, Brian E.
2017-Sep-19 13:33 UTC
[CentOS] Block internet access for some users on the LAN ?
The way to do this is with ACLs (Access Control Lists). IPtables can perform this function, or an internet gateway router can also be used. The ISR 4000 Series Cisco router family is where I would start, especially if you're in need of a blade server in the same chassis.
> School PCs (teachers and management) are registered via MAC address and get
> an IP address in a specific range:
<snip>
> The firewall is managed by a simple Iptables script. Now I *think* the
> easiest way to block a certain IP range from Internet access would be
> through Iptables (correct me if I'm wrong). If this is the case, what would
> that look like?

It seems to me you could accomplish some of this by using 802.1x switch port security. Set up an OpenRADIUS server, configure the network switch ports, then put a key on each workstation - especially those whose physical Ethernet jack could be unplugged by a student. If someone does try to plug their device into the network, it not only won't get an address - it won't even get an open port!

Someone commented that using static IP addresses can be worked around pretty easily. I agree ... It is just a form of security by obscurity, and we all know that really means no security at all.

There would be some effort to get the key onto the authorized workstations, but once there it would not need anything further. It could also be incorporated into the base coreloads. There is also some effort to reprogram the switch ports - also a one-time task.

The WiFi segment should be protected by a WPA2 password.

Bill Gee
m.roth at 5-cent.us
2017-Sep-19 15:39 UTC
[CentOS] Block internet access for some users on the LAN ?
Chase, Brian E. wrote:
> The way to do this is with ACL's. Access Control Lists
> IPtables can perform this function, or an internet gateway router can also
> be used.
> The ISR 4000 Series Cisco router family is where I would start, especially
> if you're in the need for a blade server in the same chassis.
<snip>
> This year the school's director wants to completely block Internet access
> for all the student's personal devices.
<snip>

If nixspam doesn't gag me again - tried to respond yesterday.

Put anyone whose MAC address isn't registered on a different subnet, like 192.168.11.x, and give your router no route to 9.0.9.9, only to the internal.

As a response to someone else's comments, the set of kids who know how they're being blocked is a small subset of all kids, and those who know that a MAC address can be forged is a small subset of the previous. And *then* they'd have to find out a valid MAC address.

On top of that, it would seem to me that the ones for whom you have a registered MAC address are either hardwired, and so on, permanently, or the teachers and staff are in before the students, mostly, and so when a student tries to spoof the MAC, they get refused, since the real system already has the IP address.

mark