Koozali.org: home of the SME Server

Restricting Internet access

Offline mheymann

  • *
  • 24
  • +0/-0
Restricting Internet access
« on: November 06, 2008, 09:02:32 PM »
I have an SME 7.3 server which is running great
(and thanks to some very helpful users here I have recently
installed SARG and the early results are great. Thanks for the help.)

My need today is that we also have several systems at our location
that are on a token ring network which will be converted from the
TR network to the ethernet network (cable is currently being strung).

The issue is that, on the TR network, these systems did not have access
to the Internet, and we would like to continue this setup.
I was thinking of a configuration something along the lines of:

Server is in "server/gateway mode"
Public IP address 1.1.1.1
LAN IP address  192.168.240.x 
Subnet mask 255.255.255.0
Network A DHCP range  192.168.240.65/250
Network B DHCP range  192.168.250.65/250

Using something along the lines of hosts allow or deny,
or some iptables configuration, to allow external network access to
Network A and only internal access to Network B.

A couple of questions I have thought of that pertain:

1. Can this be done with just 2 NICs (being in server/gateway mode) or are 3 needed?

2. If 3 cards are needed (1 external and 2 internal) can the 2 internal cards
    coexist on the same cable backbone or do they need to be separate, with
    NIC A connected to Network A and NIC B connected to Network B with no
    interaction or communication between the two with the exception of the
    SME server being a bridge?

3.  If I can use only 2 cards, or have the 2nd and 3rd card both plug into the same hub,
    how does a system know which IP address to use?

An ideal solution would allow all systems to be on the same cable network, and when
Person A logs onto System A they have a 192.168.240.X address and have Internet access;
Person B logs onto System B they have a 192.168.250.X address and do not have Internet access.

Thanks again for any help you can provide.

Mike

Offline mmccarn

  • *
  • 2,627
  • +10/-0
Re: Restricting Internet access
« Reply #1 on: November 06, 2008, 09:23:22 PM »
It's pretty hard to set up a DHCP server that will feed two different IP address ranges on the same network, but you don't really need to.

If the old Token Ring hosts can be on the same subnet as your regular network, you could:

1) Create a 'Host' entry for each converted token-ring system by MAC address on your SME server, assigning IPs in a continuous range
2) Use http://wiki.contribs.org/Firewall#Block_outgoing_ports to block all out-bound traffic from the range of hosts you want blocked
3) Use config setprop squid DenyHosts to block access to Squid from the blocked hosts (I'm unsure whether this does what we want or not - this step needs testing!)

You could also put all of your old Token Ring systems on a network behind a cheap Linksys router - then just block the "WAN" IP of the Linksys from your SME, or just deny all out-bound traffic from the Linksys LAN to the SME server.  This configuration allows the token ring systems to "see" anything on the LAN except the SME server; since they can't see the SME server, they can't get to the Internet.
Code:
Internet
    |
SME_Server
    |
    |-----existing LAN
    |
CheapLinksys
    |
    +-----Old_Token_Ring_Systems
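To make steps 1) and 2) of the reply above concrete, here is an added example that is not from this thread, from SME Server, or from the contribs wiki. It takes a contiguous range of blocked host addresses (the kind of range you would get from the MAC-based Host entries), summarizes it into the CIDR blocks that iptables `-s` accepts, emits the FORWARD rules that would drop that range's traffic on its way out of the gateway, and simulates the resulting policy on a few constructed packets. The LAN network, the blocked range and the external interface name `eth1` are assumptions chosen for the example; on a real SME box the rules belong in the firewall templates rather than typed by hand, and this covers only forwarded traffic, not clients reaching the server's own Squid proxy (the reply's step 3).

```python
"""Added example: generate and simulate iptables FORWARD rules that cut a
range of LAN hosts off from the Internet on a Linux gateway."""
import ipaddress

# Constructed values for this example; not SME Server's real layout.
LAN_NET = ipaddress.ip_network("192.168.240.0/24")
BLOCKED_FIRST = "192.168.240.200"   # first converted token-ring host
BLOCKED_LAST = "192.168.240.250"    # last converted token-ring host
WAN_IF = "eth1"                     # hypothetical external interface name


def range_to_cidrs(first, last):
    """Summarize an inclusive IPv4 range into the fewest CIDR blocks.
    iptables takes -s <cidr>, so a range like .200-.250 has to be split
    into aligned blocks rather than passed as a start/end pair."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def build_rules(first=BLOCKED_FIRST, last=BLOCKED_LAST, wan_if=WAN_IF):
    """Return the iptables commands (as strings) that drop any packet from
    the blocked hosts which the gateway would forward out the WAN
    interface. LAN-to-LAN traffic never leaves via wan_if, so it is
    unaffected; that matches the reply's 'block all out-bound traffic'."""
    return [
        f"iptables -I FORWARD -s {cidr} -o {wan_if} -j DROP"
        for cidr in range_to_cidrs(first, last)
    ]


def classify(src, dst, first=BLOCKED_FIRST, last=BLOCKED_LAST):
    """Simulate the gateway's decision for one packet.
    Returns 'local' (stays on the LAN, not forwarded), 'drop' (blocked
    host trying to reach the Internet) or 'allow' (forwarded normally)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in LAN_NET:
        return "local"
    blocked = [ipaddress.ip_network(c) for c in range_to_cidrs(first, last)]
    if any(src_ip in net for net in blocked):
        return "drop"
    return "allow"


if __name__ == "__main__":
    for rule in build_rules():
        print(rule)
    # Constructed sample packets: blocked host, ordinary host, LAN-only traffic
    for src, dst in [("192.168.240.210", "198.51.100.7"),
                     ("192.168.240.10", "198.51.100.7"),
                     ("192.168.240.210", "192.168.240.1")]:
        print(f"{src} -> {dst}: {classify(src, dst)}")
```

Because the range is summarized rather than expanded host by host, .200 to .250 becomes six rules instead of fifty-one; choosing the blocked hosts' addresses on an aligned boundary (for example .192 to .255) would get it down to one. The simulation is only a model of the FORWARD chain; on the real server, verify with `iptables -L FORWARD -v -n` and a test connection from one of the blocked hosts.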

Offline Tib

  • *
  • 571
  • +0/-0
    • http://www.tibors.net
Re: Restricting Internet access
« Reply #2 on: November 07, 2008, 01:10:01 PM »
mheymann

Question: Is there any reason that you need two different DHCP ranges?

Do you have that many machines that you require this, or is this the way you want to do it to block those PCs?

There are two contribs here somewhere that can probably help you if you don't have too many machines:

1st: blocks all traffic from the internet ... not the server though ... and you can choose the PCs that you want to allow internet access.

2nd: Blocks only PCs from the net that you specify and allows all other PCs ... also allows internal mail .. I used this at my old work ... very handy ... I think this one is called smeserver-squidproperties-1.0.0-01.noarch.rpm ... if you can't find it I can e-mail you the contrib and you can try it.

The one I can't remember who has it, but it is around somewhere ... I have seen it recently .. I'll keep my eyes open.

Regards,

Tib