Re: Block internet access for some users on the LAN ?




Chase, Brian E. wrote:
> The way to do this is with ACLs (Access Control Lists).
> iptables can perform this function, or an internet gateway router can also
> be used.
> The ISR 4000 Series Cisco router family is where I would start, especially
> if you're in need of a blade server in the same chassis.
>
> -----Original Message-----
> From: CentOS [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Nicolas
> Kovacs
> Sent: Monday, September 18, 2017 1:04 PM
> To: Centos Mailing List
> Subject:  Block internet access for some users on the LAN ?
>
> Hi,
>
> In our local school we have two servers and roughly 80 clients. The
> network is 192.168.10.0/255.255.255.0, and DHCP+DNS is managed by
> Dnsmasq.
>
> School PCs (teachers and management) are registered via MAC address and
> get an IP address in a specific range:
<snip>
> If a client (like a student's laptop, tablet or smartphone) is not
> registered, it gets an IP address in the range between 192.168.10.100 and
> 192.168.10.200.
>
> Up until recently I've been using a combination of Squid and Squidguard to
> filter Internet access.
>
> This year the school's director wants to completely block Internet access
> for all the students' personal devices.
<snip>
If nixspam doesn't gag me again - tried to respond yesterday.

Put anyone whose MAC address isn't registered on a different subnet, like
192.168.11.x, and give your router no route to 9.0.9.9, only to the
internal.

As a response to someone else's comments, the set of kids who know how
they're being blocked is a small subset of all kids, and those who know
that a MAC address can be forged are a small subset of the previous. And
*then* they'd have to find out a valid MAC address.

On top of that, it would seem to me that the ones for whom you have a
registered MAC address are either hardwired, and so on, permanently, or the
teachers and staff are in before the students, mostly, and so when a
student tries to spoof the MAC, they get refused, since the real system
already has the IP address.

       mark

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
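
The subnet split suggested in the reply above can be checked from the DHCP side. The following is an added example, not part of the original thread: a Python audit of a dnsmasq lease file that flags any client sitting on the wrong side of the split. The MAC addresses, the lease lines and the use of 192.168.11.0/24 as the whole guest network are constructed for illustration.

```python
import ipaddress

# Assumptions (not from the thread): registered devices stay on
# 192.168.10.0/24, unregistered ones are moved to 192.168.11.0/24.
STAFF_NET = ipaddress.ip_network("192.168.10.0/24")
GUEST_NET = ipaddress.ip_network("192.168.11.0/24")

# Constructed sample: MAC addresses registered for school PCs.
REGISTERED = {"02:00:00:00:00:01", "02:00:00:00:00:02"}

# Constructed sample in dnsmasq lease-file format:
# <expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1505757600 02:00:00:00:00:01 192.168.10.11 pc-office 01:02:00:00:00:00:01
1505757600 02:00:00:00:00:02 192.168.11.120 pc-staffroom *
1505757600 02:00:00:00:0B:09 192.168.11.140 phone-a *
1505757600 02:00:00:00:0b:0a 192.168.10.150 laptop-b *
garbage line
"""


def audit_leases(text, registered=REGISTERED):
    """Return (mac, ip, reason) for every lease that violates the split."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        mac, ip_text = fields[1].lower(), fields[2]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # not an address we can classify
        if mac in registered and ip not in STAFF_NET:
            # A registered PC fell through to the guest pool: check its entry.
            findings.append((mac, ip_text, "registered MAC outside staff subnet"))
        elif mac not in registered and ip not in GUEST_NET:
            # An unknown device holds a staff-side address: the block is bypassed.
            findings.append((mac, ip_text, "unregistered MAC outside guest subnet"))
    return findings


if __name__ == "__main__":
    for mac, ip, reason in audit_leases(SAMPLE_LEASES):
        print(mac, ip, reason)
```

The audit only sees DHCP leases, so a device with a hand-configured static address will not appear in it.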


