[CentOS] Block internet access for some users on the LAN ?

Bill Gee bgee at campercaver.net
Tue Sep 19 15:17:35 UTC 2017


> School PCs (teachers and management) are registered via MAC address and get
> an IP address in a specific range:
 
> 192.168.10.2 - 192.168.10.50 - management + teachers
> 
> 192.168.10.201 - 192.168.10.220 - computer room
> 
> 192.168.10.246 - 192.168.10.247 - printers
> 
> 192.168.10.251 - 192.168.10.253 - wireless access points
> 
> If a client (like a student's laptop, tablet or smartphone) is not
> registered, it gets an IP address in the range between 192.168.10.100 and
> 192.168.10.200.
 
> Up until recently I've been using a combination of Squid and Squidguard to
> filter Internet access.
 
> This year the school's director wants to completely block Internet access
> for all the student's personal devices.
 
> The Linux server acts as a transparent gateway. Unfortunately with Squid I
> can only filter/block HTTP connections, but not HTTPS (well, I could, but
> this is way too complicated to setup).
 
> The firewall is managed by a simple Iptables script. Now I *think* the
> easiest way to block a certain IP range from Internet access would be
> through Iptables (correct me if I'm wrong). If this is the case, what would
> that look like?

It seems to me you could accomplish some of this by using 802.1x switch port 
security.  Set up an OpenRADIUS server, configure the network switch ports, 
then put a key on each workstation - especially those whose physical Ethernet 
jack could be unplugged by a student.  If someone does try to plug their 
device into the network, it not only won't get an address - it won't even get 
an open port!

Someone commented that using static IP addresses can be worked around pretty 
easily.  I agree ...  It is just a form of security by obscurity, and we all 
know that really means no security at all.  

There would be some effort to get the key onto the authorized workstations, 
but once there it would not need anything further.  It could also be 
incorporated into the base coreloads.  There is also some effort to reprogram 
the switch ports - also a one-time task.

The WiFi segment should be protected by a WPA2 password.

Bill Gee
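As an added example (not from Bill's reply or the original poster's own firewall script), the iptables approach the question asks about: forwarding from the unregistered range toward the uplink is rejected, and because a transparent Squid intercepts HTTP on the gateway itself (that traffic never reaches the FORWARD chain), those clients' connections to the Squid listener are rejected as well. Interface names eth0/eth1 and Squid port 3128 are assumptions.

```shell
#!/bin/sh
# Added example: block Internet access for the unregistered-client range
# on the school's CentOS gateway. Assumed names (not from the thread):
#   LAN_IF=eth1 (school LAN), WAN_IF=eth0 (uplink), SQUID_PORT=3128.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"
# Range from the thread: DHCP pool handed to unregistered devices.
STUDENT_RANGE="192.168.10.100-192.168.10.200"
# Set IPT="echo iptables" to print the rules instead of applying them.
IPT="${IPT:-iptables}"

student_block_rules() {
    # Dedicated chain so the policy can be flushed and reloaded on its own.
    $IPT -N STUDENT_BLOCK 2>/dev/null || $IPT -F STUDENT_BLOCK
    # Rate-limited log line so blocked devices are visible in syslog.
    $IPT -A STUDENT_BLOCK -m limit --limit 5/min -j LOG \
        --log-prefix "STUDENT_BLOCK: "
    # REJECT rather than DROP: clients fail fast instead of hanging.
    $IPT -A STUDENT_BLOCK -j REJECT --reject-with icmp-admin-prohibited

    # .100-.200 is not a single CIDR block, so match it with -m iprange.
    # Matching -o WAN_IF leaves LAN-only traffic (printers, local servers)
    # untouched; only packets heading for the uplink hit the chain.
    $IPT -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" \
        -m iprange --src-range "$STUDENT_RANGE" -j STUDENT_BLOCK
    # Intercepted HTTP is redirected to Squid on this host and never
    # traverses FORWARD, so refuse it at INPUT as well.
    $IPT -I INPUT 1 -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" \
        -m iprange --src-range "$STUDENT_RANGE" -j STUDENT_BLOCK
}

# Usage: sh block_students.sh preview   (print the rules)
#        sh block_students.sh apply     (apply them; needs root)
case "${1:-}" in
    preview) IPT="echo iptables"; student_block_rules ;;
    apply)   student_block_rules ;;
esac
```

Rules inserted this way live only until the next reboot or `iptables` reload, so the function should be called from the existing firewall script (or the rules saved with `service iptables save`) to make them persistent.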
