Chase, Brian E. wrote: > The way to do this is with ACL's. Access Control Lists > IPtables can perform this function, or an internet gateway router can also > be used. > The ISR 4000 Series Cisco router family is where I would start, especially > if you're in the need for a blade server in the same chassis. > > -----Original Message----- > From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Nicolas > Kovacs > Sent: Monday, September 18, 2017 1:04 PM > To: Centos Mailing List > Subject: [CentOS] Block internet access for some users on the LAN ? > > Hi, > > In our local school we have two servers and roughly 80 clients. The > network is 192.168.10.0/255.255.255.0, and DHCP+DNS is managed by > Dnsmasq. > > School PCs (teachers and management) are registered via MAC address and > get an IP address in a specific range: <snip> > If a client (like a student's laptop, tablet or smartphone) is not > registered, it gets an IP address in the range between 192.168.10.100 and > 192.168.10.200. > > Up until recently I've been using a combination of Squid and Squidguard to > filter Internet access. > > This year the school's director wants to completely block Internet access > for all the student's personal devices. <snip> If nixspam doesn't gag me again - tried to respond yesterday. Put anyone whose MAC address isn't registered on a different subnet, like 192.168.11.x, and give your router no route to 9.0.9.9, only to the internal. As a response to someone else's cmts, the set of kids who knows how they're being blocked is a small subset of all kids, and those who know that a MAC address can be forged is a small subset of the previous. And *then* they'd have to find out a valid MAC address. On top of that, it would seem to me that the ones for whom you have a registered MAC address is either hardwired, and so on, permanently, or the teachers and staff are in before the students, mostly, and so when a student tries to spoof the MAC, they get refused, since the real system already has the IP address. mark