Topic: Help! My users are using e-smith TOO MUCH!

[cryblood]

An unfortunate incident here in my computer castle!

The Users are enjoying unfettered access to the internet to the point that (according to the boss) "Work has come to a screeching hault!.. And you gotta fix it!" (meaning me, that is)

so,  with tears in my eyes, I was about to shut down my beloved e-smith communicatioins server thus severing Internet access for all of the little people out there in cubicle land who were too busy looking at "gosh knows what" to finish the simple tasks for which they earn their stipend.  Just as I was about to hit the button, the boss handed me a list of people and web addresses and said "This is the sights that I want these people to be able to see.  Everyone else needs their Internet access!"  

He seems to be serious.

can anyone help me? Is there a way to limit certian users to just a hand full of sights and still have the few lucky people be able to have full access to the Internet?  I sure hope so, the boss wants it done today!  (I think I can avoid him for a couple of days, but after that, I'll need to come up with SOME sort of solution)

p.s. Answers in Haiku form would be enjoyed, but probably not understood.  

[cryblood]

Sorry about the double post, I'm not sure why that happened.

[Walter Padgett]

The answer lies in squid. How? I don't know but that's what I've been told. I've read documentation that supports that statement but as to how to implement it, I'm still struggling with that.

I hope that provides some direction for you.

Wally

wallyrp or wallywrk in #linuxhelp on the Undernet

[Peter Enoch]

An unfortunate incident here in my computer castle!

The Users are enjoying unfettered access to the internet to the point that (according to the boss) "Work has come to a screeching hault!.. And you gotta fix it!" (meaning me, that is)
lucky you

so, with tears in my eyes, I was about to shut down my beloved e-smith communicatioins server thus severing Internet access for all of the little people out there in cubicle land who were too busy looking at "gosh knows what" to finish the simple tasks for which they earn their stipend. Just as I was about to hit the button, the boss handed me a list of people and web addresses and said "This is the sights that I want these people to be able to see. Everyone else needs their Internet access!"

There is a way.....

I believe that your users is using DHCP to get there IP-information and so ?. If this is true then you can setup DHCP to give the same infomation to some people (the ones that can go anywhere). Like this:

User joe > get info from DHCP, DHCP sees joe MAC addresse and give him the ip adresse and other info. that your have put in the DHCP.conf. Lets say that joe every time he starts his OS gets ip: 192.168.0.2.

Then you can limit the people that can have access to the Internet via ipchains, a firewall program:

ipchains -A forward -s 192.168.0.2/32 -d 0/0 -eth? -j MASQ
Now joe is connected to the Internet.

The users that you wants to have limit access to the Internet give them a 10.0.0.? address via the DHCP and append this to ipchains:

ipchains -A forward -s 10.0.0.0/MASK -d www.site.com 80 - eth? -j MASQ
ipchains -A forward -s 10.0.0.0/MASK -d www.othersite.com 80 - eth? -j MASQ

Then they will only have access to those sites. Remember to give your e-smith box one more ip adress: 10.0.0.1 and make it the gateway for your 10.0.0.0 net.

you can also your squid proxy cache.....

[cryblood]

Here's an update to the saga.

I appriciate the tips given by you all!  you guys are great!

According to Microsoft boy (boss) that last suggestion by Peter Enoch would segment the lan and cause problems with the snooping that the Head cheese (The guy above Microsoft boy) likes to do to make sure the users aren't spending too much time doing stuff like playing games etc. SO... that exactly isn't gonna get approved; however, it gives me a place to start looking.  I'm gonna read up on ipchains and see if I can figure out a way to set it up to give static IPs (easily enough done) to the people who need access and specifically allow those IPs access then disallow all the rest.  I really haven't had time to start looking yet to know if I am babbling or if that's possible.  In case it matters, DHCP is handled by two NT boxes here (a PDC and a BDC).  

Sometimes I wonder if somehow personell forgot to issue me a stick when I started working here, everyone else seems to have one shoved up there... well... you know.

PS... Does anyone know where to get in depth information on how ipchains works and how to configure it?  The only thing I've found so far is the HOWTO on LDP.  I will start with that and hopefully it will be enough.

[Charlie Brady]

cryblood wrote:

> can anyone help me? Is there a way to limit certian users to
> just a hand full of sights and still have the few lucky people
> be able to have full access to the Internet?  I sure hope so,
> the boss wants it done today!

What you want it is just about possible, but not at all easy.

The first thing that you need to do is block "direct" (i.e. masqueraded) access to the port 80. This will force the users to use squid. You'll need to change the ipchains rules to do that.

There are a few things that you can do with squid. Firstly, you
can require users to authenticate themselves. To do that you need to obtain or write a small program to read a username/password pair and then say yes or no, and you need to
change the squid config to enable the authentication. This
might be enough for your boss - "We know who you are and what you are up to!".

You can also use a redirector program to remap all URLs except the "good" ones to a local "Sorry, Dave!" page.

As far as I can tell, there isn't a way to co-ordinate the
authenticator and the redirector, to make it a transparent for some, but not others. Perhaps you'll find a way.....

Charlie

[Charlie Brady]

Charlie Brady wrote:


> As far as I can tell, there isn't a way to co-ordinate the
> authenticator and the redirector, to make it a transparent for
> some, but not others...

Well, I'm not sure that is a completely accurate statement now.
If you look in /usr/doc/squid*/Release-Notes-1.1.txt you'll see
that the input format for the redirector program includes the client IP address. So you can redirect to the "Sorry" page for some IPs, but redirect back to the actual requested URL for other IPs.

What I'm not sure about is whether there is any way of matching an authenticated user against a specific IP, so that you can discriminate by user, and not by IP.

Anyway, over to you, and I hope you get it done before your boss sacks you (*).

Charlie

(*) You will of course use perl.

[cryblood]

I'd really LOVE to use perl for all this except for the simple fact that I am still a student of the force and haven't yet learned the jedi perl trick!  Not to mention my "Yoda" (read: "The community college I attend") doesn't offer a course in perl!  (whaaa!!!!)

so... If you have any suggestions as to a good "learn it yourself" type book, it would be greatly appriciated.  I typically learn best by example esp. when the example includes the whole of the code instead of just snippits.  The crummy book used in my basic java class was full of snippits with nary a page with a fully working program. (I looked) and I had a heck of a time figuring out how it all fit togeather! (I did manage an A though)

Anyway... I ramble...

Thanx for the Help, I'll definately look at the squid release notes and let you know how I get along.  I am also looking into using ipchains and just not allowing trafic for any but the most approved of sights!

[Charlie Brady]

cryblood wrote:

> I'd really LOVE to use perl for all this

I mentioned perl because "get the job done before the boss sacks you" is exactly what it is for. I can't remember exactly where the quote comes from, though.

> so... If you have any suggestions as to a good "learn it
> yourself" type book, it would be greatly appriciated.

I don't think you can go past the O'Reilly camel book "Programming perl". The llama book "Learning perl" might be a little easier to get started with. Go have a poke around perl.oreilly.com anyway. The thing about the orielly books is that they are fun to read as well as having good content.

Charlie

[cryblood]

Thanx!  I'll be sure to pick one of the O'Reilly books up soon!  I am currently tackling "C" (in a college class that is) so I'm not sure how much brain I'll have left over for perl right now, but you never know, and I'm told it's not really a very hard language to pick up.

[Charlie Brady]

cryblood wrote:

> Thanx!  I'll be sure to pick one of the O'Reilly books up
> soon! I am currently tackling "C" (in a college class that
> is) so I'm not sure how much brain I'll have left over for
> perl right now, but you never know, and I'm told it's not
> really a very hard language to pick up.

That's a bit like saying English isn't really a hard language to pick up - depends whether you want to be able to read a racing guide or be the next Shakespeare!

I suspect that if you learnt perl you'd rarely feel the need to program in C any more.

Have fun anyway.

Charlie