[CentOS] Block internet access for some users on the LAN ?

Mon Sep 18 17:42:34 UTC 2017
Johnny Hughes <johnny at centos.org>

On 09/18/2017 12:23 PM, John R Pierce wrote:
> On 9/18/2017 10:03 AM, Nicolas Kovacs wrote:
>> This year the school's director wants to completely block Internet
>> access for all the student's personal devices.
> 
> MAC addresses can easily be forged, IP addresses can easily be changed,
> none of that is secure if its on the same network segment
> 
> The student's personal devices should be on a completely different
> 'guest' subnet, enforced by the wireless infrastructure, via use of a
> captive portal and/or WPA2-EAP authentication.     Presumably most of
> the schools infrastructure is on ethernet?  those ethernet connections
> should be kept physically secure so noone unauthorized can plug/unplug
> anything into the ethernet.
> 
> THEN you'd use iptables to enforce access restrictions on this guest
> subnet.
> 
> 

It would be extremely easy to, for example, try to get to the internet
and fail .. look at my IP address and get my default gateway from my
device (that I own) .. then try manually other network addresses until I
find one that works (with the same gateway).  That is, I can easily find
the others segments (like the printers) and take a free address in that
segment.  Since the whole network is flat, It will let me out then.

As John says .. if you want to isolate guest accounts, do it with a
completely different network segment that is isolated from things you
don't want them to access.  You can then setup rules unique to that
network segment that they can't forge (the gateway is the only way that
segment can get out and all the rules are the same for any IP that will
route from that segment).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20170918/e287defd/attachment-0005.sig>