Koozali.org: home of the SME Server

Simple question

DBLF

Simple question
« on: February 14, 2004, 03:30:24 AM »
Is it possible to allow/deny internet access to computers on the local area network via MAC address?
And how ?

Thx
DBLF

RobertS

Good question
« Reply #1 on: February 14, 2004, 02:16:05 PM »
I am searching for the answer to this question too, and I DO NOT find it.
Then it's very important to be able to control network routine, and SME Server hasn't any tools to do it!!
Of course I can use proxy IP manager, but a user can type "on hand" some other IP and try to connect without proxy!!

Anyone have propositions how to control it ?

Robert

matsk

Simple question
« Reply #2 on: February 14, 2004, 07:33:58 PM »
Not "by MAC" but "by IP".

Check:
http://vanhees.homeip.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=136&ttitle=e-smith-squid-restrict-ip-0.1-1.noarch.rpm


If the squid in the SME Server is compiled with --enable-arp-acl then you can use MACs to allow/block access to the internet. But I don't know how to check this!


/Mats

Rigger

Simple question
« Reply #3 on: February 14, 2004, 08:25:31 PM »
First you need to solve (for the most part) the problem of users spoofing their MAC address. For the most part you can do this by adding the "deny unknown-clients;" option to your dhcpd.conf. If they know another known client MAC address they could in theory spoof that address and get access.

Quote

mkdir -p /etc/e-smith/templates-custom/etc/dhcpd.conf

echo "    deny unknown-clients;" > /etc/e-smith/templates-custom/etc/dhcpd.conf/25DenyUnknownHost



Next, in your server manager go to the "Hostnames and addresses" panel and "Add Hostnames". Add all the hosts you want to allow. The plus part of this is that you assign the IP address. With the IP address assigned you can use the mod suggested by matsk, since you now have each host assigned to a specific IP address.


Quote
matsk Posted: 14 Feb 2004 09:33    Post subject:  

--------------------------------------------------------------------------------
 
Not "by MAC" but "by IP".

http://vanhees.homeip.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=136&ttitle=e-smith-squid-restrict-ip-0.1-1.noarch.rpm


/Mats


Optionally, instead of e-smith-squid-restrict-ip-0.1-1.noarch.rpm you could just go the iptables route and drop any traffic for a specific MAC address.

Quote

iptables -t nat -A PREROUTING -m mac --mac-source 00:00:00:00:00:DF -p ALL -j DROP

Note: This rule will drop all outbound traffic from this mac address; www, ftp, p-2-p, etc. No requests out and e-smith rules will already drop anything inbound that has not been "requested".


Personally I use this to restrict my kids' web time. Each kid has their own computer with their own password. A cron event turns on/off (iptables version) access for each system.

--
Doug M.
"Rigger"
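
The cron-driven on/off switch described in the post above, with the matching -D call that removes the rule again, as an added example (not code from the thread or from SME Server). The script name, the APPLY dry-run switch and the TABLE/CHAIN overrides are assumptions; the rule itself is the one posted above.

```shell
#!/bin/sh
# Added example, not from the thread: switch the per-MAC DROP rule on and off.
# TABLE/CHAIN default to the rule posted above. Newer iptables releases refuse
# DROP in the nat table; override TABLE and CHAIN (assumed knobs) on those.
TABLE="${TABLE:-nat}"
CHAIN="${CHAIN:-PREROUTING}"

# Accept exactly six colon-separated hex octets and print them upper-cased,
# so a typo in a crontab line never reaches iptables.
normalize_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$1" | tr 'a-f' 'A-F'
}

# rule_args <-A|-D> <mac>: print the iptables arguments for the rule.
rule_args() {
    mac=$(normalize_mac "$2") || { echo "invalid MAC: $2" >&2; return 1; }
    printf '%s\n' "-t $TABLE $1 $CHAIN -m mac --mac-source $mac -p ALL -j DROP"
}

# Dry run unless APPLY=1 (assumed switch): print the command instead of running it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

block_mac() {
    del=$(rule_args -D "$1") || return 1
    add=$(rule_args -A "$1") || return 1
    run $del 2>/dev/null || true   # remove a stale copy so repeated cron runs never stack duplicates
    run $add
}

# -D with the same match arguments deletes the rule that -A appended.
allow_mac() {
    del=$(rule_args -D "$1") || return 1
    run $del
}

case "${1:-}" in
    block) block_mac "${2:-}" ;;
    allow) allow_mac "${2:-}" ;;
    "")    : ;;   # no arguments: only define the functions
    *)     echo "usage: $0 block|allow <mac>" >&2; exit 2 ;;
esac

# Crontab lines (constructed; script path and times are hypothetical):
# 0 16 * * * APPLY=1 /usr/local/sbin/mac-access.sh allow 00:00:00:00:00:DF
# 0 20 * * * APPLY=1 /usr/local/sbin/mac-access.sh block 00:00:00:00:00:DF
```

Without APPLY=1 the script only prints the iptables commands it would run, which makes it easy to check a new crontab line before it changes the firewall.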

Franco

Simple question
« Reply #4 on: March 03, 2005, 03:51:03 AM »
Doug, Thanks for the tip. Two questions:
1- Can I use the squid-restrict rpm on SME 6?
2- After applying the rule above, how can I enable that machine access again?

Thanks,