Topic: How do I block Users by IP address

[Tib]

Hello all,

I've done some searching on this and I can't seem to find what I'm looking for.

ON SME6 I used to use ... Proxy User ... to block IP address from accessing the internet.

This contrib doesn't work on SME7 so my question is what can I do to block IP address from internet access.

Our setup is ... WIN2000 server PDC ... sme server setup in server/gateway.

Now not all users have an account on the mail server (SME7) and I really don't want to set them up either.

There a lot of machines that are basically just terminals and do not have virus or firwall controll so we require these PC's to be blocked.

Looking at the old squid.conf there are entries like ...

acl block_ip src 192.168.0.50/32 ... for example and further down
http_access deny block_ip

Will this work in SME7 if I setup a custom template to enter these into squid.conf.

I don't have a test server in server/gateway mode to test this.

Any thoughts would be great.

Regards,

Tib

[Tib]

OK looks like no one knew the answer ... so I was forced to test on my production server.

All works as I thought.

For those ppl that want something like this I did the following

Created custom-templates ... entered the relevant information into the templates expanded the template and re-started squid.

Steps

mkdir -p /etc/e-smith/templates-custom/etc/squid/squid.conf

Then create 2 files ...

I called my first template  ... 20ACL40blockip ... and entered the following as an example

Code: [Select]


#---------------------------------------
# ACL Statments for Blocked IPs
#---------------------------------------
acl block_ip src 192.168.0.102/32
acl block_ip src 192.168.0.50/32

You can enter as many IP's as you require

Then the second template ... 40http_access30denyblockip ... and entered the following

Code: [Select]


#-----------------------------
# Block Specified IP Addresses
#-----------------------------
http_access deny block_ip


Expand the tamplate ...

Code: [Select]

/sbin/e-smith/expand-template /etc/squid/squid.conf

Re-start squid ...

Code: [Select]

/etc/rc7.d/S90squid restart

give it a few cesonds and all should be good.

I am going to do this a different way later ... going to block everyone ... then allow only those IP address that are required ... that way no matter who connects into the network they will have no access to the internet unless allowed.

Regards,

Tib

[mchrobak]

I've used this method and it works fine to block IP addresses from the LAN to access web pages (ie protocols squid acts as a proxy for) but does not block other traffic, like messengers, pop3 and so on.
Are there any suggestions/contribs for doing this without having to blobk port by port TCP traffic?
There is a contrib that blocks all traffic by IP, but it also blocks local computers from accesing the very SME server. I want LAN users to have access tu webpages and webmail on my server, but no acces to external web pages and services like ICQ, MSNMSG and so...

ANY HELP??

Thanks  

[Calimenio]

Thanks, this really helps me as a start point, but i did it to allow some IP to get access.

[stephen noble]

work in progress
http://wiki.contribs.org/Firewall#Block_outgoing_ports
and related bug

[idp_qbn]

Consider using IPCOP as a Firewall/gateway, with its add-ins to manage user access. I use Advanced Proxy (http://www.advproxy.net/) and Update Accelerator (http://update-accelerator.advproxy.net/add-ins. The Update one caches MS updates l(and others) ocally so that, as the multitude of Windows PCS on your internal network ask for Windows updates, they come from a local source...save bandwidth and time.

IPCOP (or Smoothwall, closely related) run very well on lower spec systems. A 1GHz PIII / 512 Mb Ram / 40Gb HDD has been running for me for so long I can't remember when I put it in place.

Use your SME box as the mail server - reliable and proven - and RAID1 works beautifully!

Cheers
Ian