CentOS - Sep 2017 - Block internet access for some users on the LAN ?

Chase, Brian E. wrote:
> The way to do this is with ACL's.  Access Control Lists
> IPtables can perform this function, or an internet gateway router can also
> be used.
> The ISR 4000 Series Cisco router family is where I would start, especially
> if you're in the need for a blade server in the same chassis.
>
> -----Original Message-----
> From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Nicolas
> Kovacs
> Sent: Monday, September 18, 2017 1:04 PM
> To: Centos Mailing List
> Subject: [CentOS] Block internet access for some users on the LAN ?
>
> Hi,
>
> In our local school we have two servers and roughly 80 clients. The
> network is 192.168.10.0/255.255.255.0, and DHCP+DNS is managed by
> Dnsmasq.
>
> School PCs (teachers and management) are registered via MAC address and
> get an IP address in a specific range:
<snip>
> If a client (like a student's laptop, tablet or smartphone) is not
> registered, it gets an IP address in the range between 192.168.10.100 and
> 192.168.10.200.
>
> Up until recently I've been using a combination of Squid and Squidguard
to
> filter Internet access.
>
> This year the school's director wants to completely block Internet
access
> for all the student's personal devices.
<snip>
If nixspam doesn't gag me again - tried to respond yesterday.

Put anyone whose MAC address isn't registered on a different subnet, like
192.168.11.x, and give your router no route to 9.0.9.9, only to the
internal.

As a response to someone else's cmts, the set of kids who knows how
they're being blocked is a small subset of all kids, and those who know
that a MAC address can be forged is a small subset of the previous. And
*then* they'd have to find out a valid MAC address.

On top of that, it would seem to me that the ones for whom you have a
registered MAC address is either hardwired, and so on, permanently, or the
teachers and staff are in before the students, mostly, and so when a
student tries to spoof the MAC, they get refused, since the real system
already has the IP address.

       mark

On 9/19/2017 8:39 AM, m.roth at 5-cent.us wrote:
> As a response to someone else's cmts, the set of kids who knows how
> they're being blocked is a small subset of all kids, and those who know
> that a MAC address can be forged is a small subset of the previous. And
> *then*  they'd have to find out a valid MAC address.
all it takes is one kid, who then shares his 'trick' with other kids, 
and blam.
>
> On top of that, it would seem to me that the ones for whom you have a
> registered MAC address is either hardwired, and so on, permanently, or the
> teachers and staff are in before the students, mostly, and so when a
> student tries to spoof the MAC, they get refused, since the real system
> already has the IP address.
that presumes all the reserved systems are on 24/7.


-- 
john r pierce, recycling bits in santa cruz

--On Tuesday, September 19, 2017 9:57 AM -0700 John R Pierce 
<pierce at hogranch.com> wrote:
> all it takes is one kid, who then shares his 'trick' with other
kids, and
> blam.
Hire that kid to be head of security. :D