[CentOS] Block internet access for some users on the LAN ?

m.roth at 5-cent.us m.roth at 5-cent.us
Tue Sep 19 15:39:10 UTC 2017


Chase, Brian E. wrote:
> The way to do this is with ACLs (Access Control Lists).
> IPtables can perform this function, or an internet gateway router can also
> be used.
> The ISR 4000 Series Cisco router family is where I would start, especially
> if you're in need of a blade server in the same chassis.
>
> -----Original Message-----
> From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Nicolas
> Kovacs
> Sent: Monday, September 18, 2017 1:04 PM
> To: Centos Mailing List
> Subject: [CentOS] Block internet access for some users on the LAN ?
>
> Hi,
>
> In our local school we have two servers and roughly 80 clients. The
> network is 192.168.10.0/255.255.255.0, and DHCP+DNS is managed by
> Dnsmasq.
>
> School PCs (teachers and management) are registered via MAC address and
> get an IP address in a specific range:
<snip>
> If a client (like a student's laptop, tablet or smartphone) is not
> registered, it gets an IP address in the range between 192.168.10.100 and
> 192.168.10.200.
>
> Up until recently I've been using a combination of Squid and Squidguard to
> filter Internet access.
>
> This year the school's director wants to completely block Internet access
> for all the students' personal devices.
<snip>
If nixspam doesn't gag me again - tried to respond yesterday.

Put anyone whose MAC address isn't registered on a different subnet, like
192.168.11.x, and give your router no route to 9.0.9.9, only to the
internal.

As a response to someone else's comments, the set of kids who know how
they're being blocked is a small subset of all kids, and those who know
that a MAC address can be forged are a small subset of the previous. And
*then* they'd have to find out a valid MAC address.

On top of that, it would seem to me that the ones for whom you have a
registered MAC address are either hardwired, and so on, permanently, or the
teachers and staff are in before the students, mostly, and so when a
student tries to spoof the MAC, they get refused, since the real system
already has the IP address.

       mark
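
One way to enforce the registered/unregistered split with iptables on the gateway, as an added example that is not part of the original post: it reads dnsmasq `dhcp-host` entries and emits an `iptables-restore` fragment that forwards only registered MAC/IP pairs. The sample entries, the `eth1` interface name and the `LAN_OUT` chain name are assumptions.

```python
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.10.0/24")        # network from the post
POOL_START = ipaddress.ip_address("192.168.10.100")  # unregistered pool from the post
POOL_END = ipaddress.ip_address("192.168.10.200")
LAN_IF = "eth1"  # assumption: the gateway's LAN-facing interface
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

# Constructed sample; the real dhcp-host entries were snipped from the post.
SAMPLE_CONF = """\
dhcp-host=52:54:00:aa:00:01,teacher-01,192.168.10.21   # constructed
dhcp-host=52:54:00:aa:00:02,192.168.10.22,office-01
dhcp-host=52:54:00:aa:00:03,misfiled,192.168.10.150
dhcp-range=192.168.10.100,192.168.10.200,24h
"""

def registered_hosts(conf):
    """Return sorted (ip, mac) pairs pinned by dhcp-host outside the open pool."""
    hosts = set()
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("dhcp-host="):
            continue
        fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
        macs = [f.lower() for f in fields if MAC_RE.match(f)]
        ips = []
        for f in fields:
            try:
                ips.append(ipaddress.IPv4Address(f))
            except ValueError:
                pass  # hostname, MAC or lease time, not an address
        if len(macs) != 1 or len(ips) != 1:
            continue  # need exactly one MAC and one fixed IPv4 address
        ip = ips[0]
        if ip in LAN and not (POOL_START <= ip <= POOL_END):
            hosts.add((ip, macs[0]))
    return sorted(hosts)

def forward_rules(conf):
    # Forwarded traffic only; a proxy on the gateway itself needs the same match on INPUT.
    rules = ["*filter", ":LAN_OUT - [0:0]", f"-A FORWARD -i {LAN_IF} -j LAN_OUT"]
    rules += [f"-A LAN_OUT -s {ip} -m mac --mac-source {mac} -j ACCEPT"
              for ip, mac in registered_hosts(conf)]
    rules += ["-A LAN_OUT -j REJECT --reject-with icmp-admin-prohibited", "COMMIT"]
    return "\n".join(rules) + "\n"

if __name__ == "__main__":
    print(forward_rules(SAMPLE_CONF), end="")
```

The output is meant to be loaded on the gateway with `iptables-restore --noflush`; any source that is in the open pool, or whose MAC and IP do not match a registered pair, hits the final REJECT.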



