> School PCs (teachers and management) are registered via MAC address and get
> an IP address in a specific range:
> 192.168.10.2 - 192.168.10.50 - management + teachers
>
> 192.168.10.201 - 192.168.10.220 - computer room
>
> 192.168.10.246 - 192.168.10.247 - printers
>
> 192.168.10.251 - 192.168.10.253 - wireless access points
>
> If a client (like a student's laptop, tablet or smartphone) is not
> registered, it gets an IP address in the range between 192.168.10.100 and
> 192.168.10.200.
> Up until recently I've been using a combination of Squid and Squidguard to
> filter Internet access.
> This year the school's director wants to completely block Internet access
> for all the students' personal devices.
> The Linux server acts as a transparent gateway. Unfortunately with Squid I
> can only filter/block HTTP connections, but not HTTPS (well, I could, but
> this is way too complicated to set up).
> The firewall is managed by a simple Iptables script. Now I *think* the
> easiest way to block a certain IP range from Internet access would be
> through Iptables (correct me if I'm wrong). If this is the case, what would
> that look like?

It seems to me you could accomplish some of this by using 802.1X switch port
security. Set up an OpenRADIUS server, configure the network switch ports, then
put a key on each workstation - especially those whose physical Ethernet jack
could be unplugged by a student. If someone does try to plug their device into
the network, it not only won't get an address - it won't even get an open port!

Someone commented that using static IP addresses can be worked around pretty
easily. I agree ... It is just a form of security by obscurity, and we all know
that really means no security at all.

There would be some effort to get the key onto the authorized workstations, but
once there it would not need anything further. It could also be incorporated
into the base coreloads. There is also some effort to reprogram the switch
ports - also a one-time task.

The WiFi segment should be protected by a WPA2 password.

Bill Gee
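The quoted question asks what an iptables-only block of the unregistered range would look like, and the reply above recommends 802.1X instead. The script below is an added example for this thread, not code from either poster. It uses the 192.168.10.100-192.168.10.200 range from the question; everything else is an assumption: that client traffic passes through the FORWARD chain of the Linux gateway, that `eth0` is the upstream interface, that the existing transparent Squid setup is a REDIRECT rule in the nat PREROUTING chain, and the chain name `STUDENT_BLOCK`. The rules are emitted as text so they can be reviewed before being run as root on the gateway, and a small range check lets you confirm which addresses will and will not be caught.

```shell
#!/bin/sh
# Added example for the thread above; not code from either poster.
# Assumptions (adjust to the real gateway): clients are routed through the
# FORWARD chain, WAN_IF is the upstream interface, and the existing transparent
# Squid redirect is a REDIRECT rule in the nat PREROUTING chain.
WAN_IF="${WAN_IF:-eth0}"
BLOCK_START="192.168.10.100"   # unregistered (student) range, from the question
BLOCK_END="192.168.10.200"

# Convert a dotted quad to an integer so ranges can be compared in plain sh.
ip_to_int() {
    ip=$1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# True when the address falls in the blocked (unregistered) range. Useful to
# double-check that a registered host will NOT be caught before applying.
in_block_range() {
    ip=$(ip_to_int "$1"); lo=$(ip_to_int "$BLOCK_START"); hi=$(ip_to_int "$BLOCK_END")
    if [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]; then return 0; fi
    return 1
}

# Emit the iptables commands instead of running them, so the rule set can be
# reviewed (or piped to sh) rather than hand-edited into the live firewall script.
student_block_rules() {
    range="${BLOCK_START}-${BLOCK_END}"
    cat <<EOF
# 1. Keep the range out of the transparent-proxy REDIRECT. Without this, HTTP
#    from students is redirected to the local Squid (INPUT path) and never
#    reaches FORWARD, so the block below would only catch HTTPS and other traffic.
iptables -t nat -D PREROUTING -m iprange --src-range $range -j RETURN 2>/dev/null
iptables -t nat -I PREROUTING 1 -m iprange --src-range $range -j RETURN
# 2. Dedicated chain, flushed if it already exists, so the script is re-runnable.
iptables -N STUDENT_BLOCK 2>/dev/null || iptables -F STUDENT_BLOCK
# 3. Log (rate-limited) and reject anything from the range heading upstream.
#    REJECT gives devices an immediate error instead of a hanging connection.
iptables -A STUDENT_BLOCK -m iprange --src-range $range -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "student-blocked: "
iptables -A STUDENT_BLOCK -m iprange --src-range $range -o $WAN_IF -j REJECT --reject-with icmp-admin-prohibited
# 4. Hook the chain in first in FORWARD, ahead of any existing ACCEPT rules.
iptables -D FORWARD -j STUDENT_BLOCK 2>/dev/null
iptables -I FORWARD 1 -j STUDENT_BLOCK
EOF
}

# Usage: sh block_students.sh           -> print the rules for review
#        sh block_students.sh --apply   -> run them (as root, on the gateway)
if [ "${1:-}" = "--apply" ]; then
    student_block_rules | sh
else
    student_block_rules
fi
```

The nat PREROUTING step is the part most likely to be missed: a transparent proxy's REDIRECT runs before routing, so a FORWARD rule alone leaves plain HTTP flowing through Squid. The limitation the reply points out still applies in full: this matches on source address only, so a student who sets a static address in the 192.168.10.2-50 range is not caught, which is why port-based 802.1X is the stronger control.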