Koozali.org: home of the SME Server

Block internet access

glowthian

Block internet access
« on: October 08, 2004, 08:55:58 PM »
Is there any way to block internet access for selected IPs?
I tried ipblock but it blocks everything, DHCP and DNS included. All I want to do is keep some IPs off the net without having to buy a device to do it with.

cjensen
Block internet access
« Reply #1 on: October 09, 2004, 04:41:16 AM »
glowthian,

This may or may not be applicable to your network configuration, but Damien Curtain has a contrib called
e-smith-proxy-auth (http://www.pagefault.org/download/rpms/RPMS/noarch/e-smith-proxy-auth-0.0.1-01dc.noarch.rpm). From this package's changelog:

---------------------------------------
Name        : e-smith-proxy-auth           Relocations: (not relocatable)
Version     : 0.0.1                             Vendor: (none)
Release     : 01dc                          Build Date: Sun Aug 18 03:05:33 2002
Install Date: (not installed)               Build Host: pusscat.pagefault.org
Group       : Networking/Daemons            Source RPM: (none)
Size        : 10849                            License: GPL
Signature   : (none)
Packager    : Damien Curtain
Summary     : sme server and gateway - proxy auth module
Description :
sme server and gateway software - proxy auth module

Enables proxy authentication with sme. Combined with transparent
proxying this module with ensure users browsing external web sites
are first authenticated via the sme server.

------------------------------------------
A server-manager panel is added allowing restriction of each user and authentication of each user before access is allowed.


Craig Jensen

bobk

Block internet access
« Reply #2 on: October 10, 2004, 04:55:22 AM »

tas

Block internet access
« Reply #3 on: October 11, 2004, 12:50:27 PM »
glowthian

I have found Squidguard to be good for this purpose, and there is an SME customised contrib at:
http://www.tech-geeks.org/servers/sme/squidGuard/squidguard3.2.tar.gz

This contrib has a Server-Manager panel for "Content Filtering" that enables adding Trusted or Untrusted (blocked) domains, Restricting or Granting Full Access for internal IP addresses, and automatic updating from Squidguard (or other) Blacklist listings.

I have operated this contrib in SME 5.6 and currently on SME 6.0.1-01 for 2 months.

Regards
tas

glowthian

Block internet access
« Reply #4 on: October 12, 2004, 03:05:59 PM »
I was hoping for a solution that would let me selectively block IPs from internet access but allow internal access. On this network the SME box is the only DHCP and DNS server on the network, but it is also an IPSEC server to two other remote networks, so if I have to put in a dedicated firewall to block IPs I'll have to change all three.
IP Block blocks all access, including DNS and DHCP from itself. SquidGuard only does content filtering, or at least that's all I can get it to do.


Thanks

KelvinLee

Block internet access
« Reply #5 on: October 14, 2004, 03:39:50 AM »
Hi Glowthian,

If all you want to do is stop web browsing, in the past I've done this by creating a custom template for squid.conf and putting in entries for the IP addresses that have access (as I have fewer machines that are allowed access than machines that are not allowed). You could also reverse it and allow all but the listed IPs.

If you also want to stop all other access like FTP, etc., then this is not for you.

Kelvin

loveless

New thoughts
« Reply #6 on: October 19, 2004, 04:44:11 PM »
This thread prompted me to do a little more research.  I found this in the squid config docs: ( http://squid.visolve.com/squid/squid24s1/access_controls.htm#ex2 )

Quote

2) To restrict access to work hours (9am - 5pm, Monday to Friday) from IP 192.168.2/24

acl ip_acl src 192.168.2.0/24
acl time_acl time M T W H F 9:00-17:00
http_access allow ip_acl time_acl
http_access deny all


So, from this example we should be able to just create an ACL, then deny http_access for that group.  If I get a chance, I'll try to wrap this up in a contrib... probably end up as a new version of my squidProperties contrib.

loveless

Re: New thoughts
« Reply #7 on: October 19, 2004, 10:46:07 PM »
Quote from: "loveless"
If I get a chance, I'll try to wrap this up in a contrib... probably end up as a new version of my squidProperties contrib.

Here it is:
http://www.tech-geeks.org/contrib/loveless/SMEServer/contribs/squidProperties/

I also started another thread on this forum. Please send me any feedback on the new thread.

Thanks.

nb69

Block internet access
« Reply #8 on: February 06, 2005, 09:14:17 PM »
Just curious to know if anyone has proxyauth working on SME 6/6.01?

thx

shanen

Block internet access
« Reply #9 on: February 07, 2005, 12:07:27 AM »
Yes it works as expected on 6/6.01

g00s3m4n

Block internet access
« Reply #10 on: February 19, 2005, 08:13:20 PM »

ryan

Block internet access
« Reply #11 on: February 20, 2005, 06:20:45 PM »
glowthian,

If you're dealing with a small LAN and you have administrative control over these systems, XP has gpedit.msc that allows you to set the proxy server... make it bogus and also set gpedit.msc to not allow the proxy server to be changed. This will prevent IE/Outlook from surfing the web, but you have to do it on all systems if you don't use Active Directory.

Also, Firefox uses its own proxy settings, which will allow an easy bypass of the gpedit.msc settings... but users can't install Firefox if they are normal users.

You can also configure a gnome environment to lock in a bogus/bad proxy, for applications that use the gnome settings... Firefox does not.

Keep in mind if these are Windows systems, they need direct internet access for windows update... which does not use system proxy settings either.

good luck

ryan

aussie

Re: PREVENT BROWSING FROM IP.A & IP.B
« Reply #12 on: February 27, 2005, 04:15:13 AM »
Quote from: "loveless"
This thread prompted me to do a little more research.  I found this in the squid config docs: ( http://squid.visolve.com/squid/squid24s1/access_controls.htm#ex2 )

Quote

2) To restrict access to work hours (9am - 5pm, Monday to Friday) from IP 192.168.2/24

acl ip_acl src 192.168.2.0/24
acl time_acl time M T W H F 9:00-17:00
http_access allow ip_acl time_acl
http_access deny all


So, from this example we should be able to just create an ACL, then deny http_access for that group.  If I get a chance, I'll try to wrap this up in a contrib... probably end up as a new version of my squidProperties contrib.


Hi Abe,
Seeing this post I looked at your squid reference and THINK I understand acl definition and http_access.
With the following, the last is never checked as 1 is TRUE or 2 is TRUE -
http_access allow xyz morning
http_access deny xyz
http_access allow xyz lunch


When I look at squid.conf (6.01) and see the first 2 http_access as
http_access allow manager localsrc
http_access deny manager


So if I add a line
acl baraccess src IP.A IP.B
and a new 1st http_access
http_access deny baraccess
I have what I need (& alter config file to make it permanent):
is it that simple or have I missed something?
TIA Robert

icemannz

Lock Internet Access
« Reply #13 on: March 24, 2005, 11:58:41 PM »
Hi, just a quick thought.
Have you considered giving the PCs you don't want to access the internet the wrong Gateway address?
Very simplistic, but it would stop access, and if the address is supplied by a DHCP reservation it is easy to turn back on again.

aussie

Re: Lock Internet Access
« Reply #14 on: March 27, 2005, 12:22:22 AM »
Quote from: "icemannz"
Hi, just a quick thought.
Have you considered giving the PCs you don't want to access the internet the wrong Gateway address?
Very simplistic, but it would stop access, and if the address is supplied by a DHCP reservation it is easy to turn back on again.

GREAT IDEA!   Sadly we fix IPs so no DHCP.

By the way I ended up simply editing /etc/squid/conf and amending the acl localsrc src and acl localdst dst
to be my access list instead of the full LAN

THIS WORKED, so to make it permanent
I edited the /etc/e-smith/templates/etc/squid/squid.conf files...

1. 20ACL10localhost adding two lines to the end
    acl localsrcx src {list of IPs to allow}
    acl localdstx dst {list of IPs to allow}

2. edit the following to refer to localsrcx and localdstx rather than the original localsrc and localdst without the 'x'...
    40http_access00manager
    40http_access75AllowLocal
    80always_direct80default

(this leaves the original localsrc and localdst to re-generate with any changes in the remote networks,
and preserves my 'x' version regardless of configuration changes)

Thanks to all - good forum eh folks
Rob
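Two points in this thread hinge on how Squid walks its http_access lines: Robert's question in Reply #12 about why a third line is never reached, and his allow-list template edit in Reply #14. The following is an added Python model of that first-match evaluation, written for this thread; it is not code from any of the posts and not Squid's own code. The squid.conf fragments it parses are constructed here (the ACL names baraccess, localsrc and localsrcx follow the posts, the addresses are made up), and the model is deliberately narrow: only src and time ACLs are handled, time ranges are treated as inclusive, and when no line matches it applies the opposite of the last line, as Squid documents. As Kelvin pointed out, whichever variant is used, it only governs traffic that actually goes through the proxy.

```python
"""Model of Squid's first-match http_access evaluation (added example, not Squid code)."""
import ipaddress
from datetime import datetime

# Squid's day-of-week letters indexed by Python's weekday() (Monday = 0):
# M T W H(Thu) F A(Sat) S(Sun)
DAY_LETTERS = "MTWHFAS"

# Constructed fragment in the style of Reply #12: a deny line for the
# barred hosts placed before the usual allow line. Addresses are made up.
DENYLIST_CONF = """
acl all src 0.0.0.0/0
acl localsrc src 192.168.1.0/24
acl baraccess src 192.168.1.50 192.168.1.51
acl work_hours time M T W H F 9:00-17:00
http_access deny baraccess
http_access allow localsrc work_hours
http_access deny all
"""

# Constructed fragment in the style of Reply #14: an allow-list ACL
# (localsrcx) replaces the whole-LAN ACL on the allow line.
ALLOWLIST_CONF = """
acl all src 0.0.0.0/0
acl localsrcx src 192.168.1.10 192.168.1.11
http_access allow localsrcx
http_access deny all
"""

# The ordering puzzle from Reply #12: line 3 can never be reached, because
# any xyz request not allowed by line 1 is denied by line 2.
ORDER_PUZZLE_CONF = """
acl all src 0.0.0.0/0
acl xyz src 10.0.0.0/24
acl morning time 8:00-12:00
acl lunch time 12:00-13:00
http_access allow xyz morning
http_access deny xyz
http_access allow xyz lunch
http_access deny all
"""


def parse_conf(text):
    """Return ({acl_name: [(type, args), ...]}, [(action, [acl names]), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            # Repeated 'acl NAME TYPE ...' lines extend the same ACL, as in Squid.
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _match_src(args, ip):
    # A bare address is a /32 network; 'a.b.c.d/n' is a prefix.
    return any(ip in ipaddress.ip_network(a, strict=False) for a in args)


def _match_time(args, when):
    days = "".join(a for a in args if a.isalpha())   # e.g. "MTWHF"
    spans = [a for a in args if "-" in a]            # e.g. "9:00-17:00"
    if days and DAY_LETTERS[when.weekday()] not in days:
        return False
    if not spans:
        return True
    minute = when.hour * 60 + when.minute
    for span in spans:
        start, stop = span.split("-")
        h1, m1 = map(int, start.split(":"))
        h2, m2 = map(int, stop.split(":"))
        if h1 * 60 + m1 <= minute <= h2 * 60 + m2:  # range treated as inclusive
            return True
    return False


def acl_matches(acls, name, ip, when):
    negated = name.startswith("!")
    hit = False
    for kind, args in acls[name.lstrip("!")]:
        if kind == "src":
            hit = hit or _match_src(args, ip)
        elif kind == "time":
            hit = hit or _match_time(args, when)
        else:
            raise ValueError(f"ACL type not modelled: {kind}")
    return hit != negated


def evaluate(conf, src_ip, when):
    """Return (action, 1-based number of the matching http_access line, or None).

    A line matches only when every ACL on it matches; the first matching line
    wins. If no line matches, Squid applies the opposite of the last line.
    `when` is a datetime or an ISO-8601 string such as "2005-02-28T10:00".
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    acls, rules = parse_conf(conf)
    ip = ipaddress.ip_address(src_ip)
    for number, (action, names) in enumerate(rules, start=1):
        if all(acl_matches(acls, n, ip, when) for n in names):
            return action, number
    default = "deny" if rules and rules[-1][0] == "allow" else "allow"
    return default, None


if __name__ == "__main__":
    for ip in ("192.168.1.50", "192.168.1.20"):
        print(ip, "Monday 10:00 ->", evaluate(DENYLIST_CONF, ip, "2005-02-28T10:00"))
    print("puzzle at 12:30 ->", evaluate(ORDER_PUZZLE_CONF, "10.0.0.7", "2005-02-28T12:30"))
```

The returned line number is the useful part when checking a rule set: a barred host should report line 1 of DENYLIST_CONF regardless of time of day, and an xyz request at 12:30 under ORDER_PUZZLE_CONF reports line 2, never line 3, which is exactly the "1 is TRUE or 2 is TRUE" reasoning in Reply #12.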