Block Internet Access For Some Users On The LAN?

Home » CentOS » Block Internet Access For Some Users On The LAN?
CentOS 4 Comments

In our local school we have two servers and roughly 80 clients. The network is 192.168.10.0/255.255.255.0, and DHCP+DNS is managed by Dnsmasq.

School PCs (teachers and management) are registered via MAC address and get an IP address in a specific range:

192.168.10.2 – 192.168.10.50 – management + teachers

192.168.10.201 – 192.168.10.220 – computer room

192.168.10.246 – 192.168.10.247 – printers

192.168.10.251 – 192.168.10.253 – wireless access points

If a client (like a student’s laptop, tablet or smartphone) is not registered, it gets an IP address in the range between 192.168.10.100
and 192.168.10.200.

Up until recently I’ve been using a combination of Squid and Squidguard to filter Internet access.

This year the school’s director wants to completely block Internet access for all the student’s personal devices.

The Linux server acts as a transparent gateway. Unfortunately with Squid I can only filter/block HTTP connections, but not HTTPS (well, I could, but this is way too complicated to setup).

The firewall is managed by a simple Iptables script. Now I *think* the easiest way to block a certain IP range from Internet access would be through Iptables (correct me if I’m wrong). If this is the case, what would that look like?

4 thoughts on - Block Internet Access For Some Users On The LAN?

  • MAC addresses can easily be forged, IP addresses can easily be changed, none of that is secure if its on the same network segment

    The student’s personal devices should be on a completely different
    ‘guest’ subnet, enforced by the wireless infrastructure, via use of a captive portal and/or WPA2-EAP authentication.     Presumably most of the schools infrastructure is on ethernet?  those ethernet connections should be kept physically secure so noone unauthorized can plug/unplug anything into the ethernet.

    THEN you’d use iptables to enforce access restrictions on this guest subnet.


    john r pierce, recycling bits in santa cruz

  • Iptables is a very reasonable way to do it, basically you decide what devices should have Internet access, create accept rules for them and then have a default deny for everything else.

    —– Original Message —–
    From: “Nicolas Kovacs”
    To: “CentOS”
    Sent: Monday, September 18, 2017 12:03:56 PM
    Subject: [CentOS] Block internet access for some users on the LAN ?

    Hi,

    In our local school we have two servers and roughly 80 clients. The network is 192.168.10.0/255.255.255.0, and DHCP+DNS is managed by Dnsmasq.

    School PCs (teachers and management) are registered via MAC address and get an IP address in a specific range:

    192.168.10.2 – 192.168.10.50 – management + teachers

    192.168.10.201 – 192.168.10.220 – computer room

    192.168.10.246 – 192.168.10.247 – printers

    192.168.10.251 – 192.168.10.253 – wireless access points

    If a client (like a student’s laptop, tablet or smartphone) is not registered, it gets an IP address in the range between 192.168.10.100
    and 192.168.10.200.

    Up until recently I’ve been using a combination of Squid and Squidguard to filter Internet access.

    This year the school’s director wants to completely block Internet access for all the student’s personal devices.

    The Linux server acts as a transparent gateway. Unfortunately with Squid I can only filter/block HTTP connections, but not HTTPS (well, I could, but this is way too complicated to setup).

    The firewall is managed by a simple Iptables script. Now I *think* the easiest way to block a certain IP range from Internet access would be through Iptables (correct me if I’m wrong). If this is the case, what would that look like?

    Any suggestions?

    Niki Kovacs


    Microlinux – Solutions informatiques durables
    7, place de l’église – 30730 Montpezat Web : http://www.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32

  • It would be extremely easy to, for example, try to get to the internet and fail .. look at my IP address and get my default gateway from my device (that I own) .. then try manually other network addresses until I
    find one that works (with the same gateway). That is, I can easily find the others segments (like the printers) and take a free address in that segment. Since the whole network is flat, It will let me out then.

    As John says .. if you want to isolate guest accounts, do it with a completely different network segment that is isolated from things you don’t want them to access. You can then setup rules unique to that network segment that they can’t forge (the gateway is the only way that segment can get out and all the rules are the same for any IP that will route from that segment).

  • While I agree with all this, keep in mind this is a school and the proposed solution may not be feasible financially or realistically (Can a student in the computer lab unplug an Ethernet connection and plug their device in? Are the teachers systems in the same room as students?) If it’s not then some lesser desirable but “better than nothing” solutions would be to get rid of DHCP and assign all static IPs (with just 80 systems this is possible though not desirable), change those IP ranges to just enough to meet the need for the specified systems and allow only IP addresses with a need for Internet access through the firewall. Is monitoring for defined system’s IP addresses going offline possible? A good analysis of needs may surface options. Do the teachers need Internet access during school hours (it is possible via cron to have time-based firewall rules). What about the computer lab? Without knowing the specifics these questions are unanswerable. And we have to keep in mind “relative security” – if they have an “evil genius” student on their hands there will be a way around the best security which can be put in place.

    —– Original Message —–
    From: “Johnny Hughes”
    To: “CentOS”
    Sent: Monday, September 18, 2017 12:42:34 PM
    Subject: Re: [CentOS] Block internet access for some users on the LAN ?

    It would be extremely easy to, for example, try to get to the internet and fail .. look at my IP address and get my default gateway from my device (that I own) .. then try manually other network addresses until I
    find one that works (with the same gateway). That is, I can easily find the others segments (like the printers) and take a free address in that segment. Since the whole network is flat, It will let me out then.

    As John says .. if you want to isolate guest accounts, do it with a completely different network segment that is isolated from things you don’t want them to access. You can then setup rules unique to that network segment that they can’t forge (the gateway is the only way that segment can get out and all the rules are the same for any IP that will route from that segment).

LEAVE A COMMENT