m.roth at 5-cent.us
2017-Sep-19 15:39 UTC
[CentOS] Block internet access for some users on the LAN ?
Chase, Brian E. wrote:> The way to do this is with ACL's. Access Control Lists > IPtables can perform this function, or an internet gateway router can also > be used. > The ISR 4000 Series Cisco router family is where I would start, especially > if you're in the need for a blade server in the same chassis. > > -----Original Message----- > From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Nicolas > Kovacs > Sent: Monday, September 18, 2017 1:04 PM > To: Centos Mailing List > Subject: [CentOS] Block internet access for some users on the LAN ? > > Hi, > > In our local school we have two servers and roughly 80 clients. The > network is 192.168.10.0/255.255.255.0, and DHCP+DNS is managed by > Dnsmasq. > > School PCs (teachers and management) are registered via MAC address and > get an IP address in a specific range:<snip>> If a client (like a student's laptop, tablet or smartphone) is not > registered, it gets an IP address in the range between 192.168.10.100 and > 192.168.10.200. > > Up until recently I've been using a combination of Squid and Squidguard to > filter Internet access. > > This year the school's director wants to completely block Internet access > for all the student's personal devices.<snip> If nixspam doesn't gag me again - tried to respond yesterday. Put anyone whose MAC address isn't registered on a different subnet, like 192.168.11.x, and give your router no route to 9.0.9.9, only to the internal. As a response to someone else's cmts, the set of kids who knows how they're being blocked is a small subset of all kids, and those who know that a MAC address can be forged is a small subset of the previous. And *then* they'd have to find out a valid MAC address. On top of that, it would seem to me that the ones for whom you have a registered MAC address is either hardwired, and so on, permanently, or the teachers and staff are in before the students, mostly, and so when a student tries to spoof the MAC, they get refused, since the real system already has the IP address. mark
John R Pierce
2017-Sep-19 15:57 UTC
[CentOS] Block internet access for some users on the LAN ?
On 9/19/2017 8:39 AM, m.roth at 5-cent.us wrote:> As a response to someone else's cmts, the set of kids who knows how > they're being blocked is a small subset of all kids, and those who know > that a MAC address can be forged is a small subset of the previous. And > *then* they'd have to find out a valid MAC address.all it takes is one kid, who then shares his 'trick' with other kids, and blam.> > On top of that, it would seem to me that the ones for whom you have a > registered MAC address is either hardwired, and so on, permanently, or the > teachers and staff are in before the students, mostly, and so when a > student tries to spoof the MAC, they get refused, since the real system > already has the IP address.that presumes all the reserved systems are on 24/7. -- john r pierce, recycling bits in santa cruz
Kenneth Porter
2017-Sep-19 20:05 UTC
[CentOS] Block internet access for some users on the LAN ?
--On Tuesday, September 19, 2017 9:57 AM -0700 John R Pierce <pierce at hogranch.com> wrote:> all it takes is one kid, who then shares his 'trick' with other kids, and > blam.Hire that kid to be head of security. :D