Koozali.org: home of the SME Server

Mac Adres / Ip Chains

Arno

Mac Adres / Ip Chains
« on: October 16, 2003, 12:20:03 PM »
Hey guys,

I'm working on a project for school!
We need to make a whole network for our school!
I'll spare you the details,
anyway we're going to use a Linux SME server as router/gateway.

In our project, teachers need to close the internet for each classroom!
So when a class doesn't have permission to use the internet, he needs to close it down!

What I want to do,
only I don't know how...

I want to make a little intranet site
where the teacher sees all the Ethernet cards,
and he can close the connection down for each card.
I want to close it down via the MAC address.

I hope you guys understand my point.
Anyway, I want to know how I can do this.
Thanks for the help,
and sorry for my bad English.

RayG

Re: Mac Adres / Ip Chains
« Reply #1 on: October 16, 2003, 09:04:40 PM »
Read the man page for ipchains (for SME 5.5) or iptables (for SME 5.6 or 6) to get an idea of the command structure. There is a way to block traffic based on MAC address. I see a LOT of potential problems with this method.

Another way might be to use the host names and addresses panel to assign quasi-static IP addresses through DHCP based on MAC address. Then use squidguard or dansguardian to block IPs. You could use these packages to set up "groups" that include all the IPs for a particular classroom and disable or enable internet access for the whole class with a single click.

Arno

Re: Mac Adres / Ip Chains
« Reply #2 on: October 16, 2003, 09:42:14 PM »
But when you give them a static IP, they can change it to another one, right?

RayG

Re: Mac Adres / Ip Chains
« Reply #3 on: October 17, 2003, 05:00:59 AM »
I suppose that depends on your operating system. Regular users cannot change their IP in Win2K and WinXP. I don't remember if that's an option or not in Win98.

If they can change the IP, then they can change the MAC address too.

Doug M.

Re: Mac Adres / Ip Chains
« Reply #4 on: October 17, 2003, 05:12:43 AM »
Using the dhcp option "deny unknown-clients", you can allow only authorized clients to connect. Furthermore, you base the connection on the MAC address.

Add this to your /etc/dhcpd.conf. Each host will have to be entered, and you can make a custom template to make sure it's active every time. If you do not care to assign each IP address, just drop the "fixed-address" option and dhcpd will assign the address.
--------

deny unknown-clients;

        host Computer1 {                                        
                hardware ethernet xx:xx:xx:xx:xx:xx ;
                fixed-address 192.168.1.9 ;
        }
--------

Note: Once the client has connected it will not be able to be dropped unless the client is reset. To deny access to the internet


Blocking outbound traffic by MAC address you can use the following iptables rule.
-----
      Block internet access:
/sbin/iptables -A PREROUTING -t nat -j DROP -m mac --mac-source xx:xx:xx:xx:xx:xx

      Un-Block internet access:
/sbin/iptables -A PREROUTING -t nat -j DROP -m mac --mac-source xx:xx:xx:xx:xx:xx

My disclaimer: I use these methods on my own home network as a simple way to control my children's internet access time. I cannot guarantee they will work for you. If you would like more specific examples of my config files, please drop me a note via email.

Doug M.

Re: Mac Adres / Ip Chains
« Reply #5 on: October 17, 2003, 07:09:01 AM »
Ooops, correction.

Un-Block internet access:
/sbin/iptables -D PREROUTING -t nat -j DROP -m mac --mac-source xx:xx:xx:xx:xx:xx
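
The block/unblock rules from replies #4 and #5, wrapped so that a whole classroom can be switched from a script behind an intranet page. This is an added example, not code posted in the thread; it checks each MAC before use and deletes every copy of the rule, because running `-A` twice leaves two DROP rules and one `-D` removes only one of them. The function names, the `IPTABLES` override and the one-MAC-per-line classroom file are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The classroom file format and the
# function names are assumptions made for this sketch.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # point at a stub for a dry run

# Accept exactly six colon-separated hex octets. The value may arrive from
# a web form, so nothing else is ever passed on to iptables.
valid_mac() {
    [ "${#1}" -eq 17 ] &&
        printf '%s' "$1" | grep -Eqx '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}'
}

# Delete every copy of the DROP rule: repeated -A calls stack duplicates,
# and a single -D removes only one of them.
unblock_mac() {
    valid_mac "$1" || { echo "invalid MAC: $1" >&2; return 2; }
    while "$IPTABLES" -t nat -D PREROUTING -m mac --mac-source "$1" -j DROP \
            2>/dev/null; do :; done
}

# Clear old copies first so exactly one DROP rule exists afterwards.
block_mac() {
    unblock_mac "$1" || return $?
    "$IPTABLES" -t nat -A PREROUTING -m mac --mac-source "$1" -j DROP
}

# set_classroom block|unblock FILE
# FILE lists one MAC per line; blank lines and '#' comments are skipped.
# Returns 1 if any line was rejected, after processing the rest.
set_classroom() {
    action=$1 file=$2 rc=0
    case $action in
        block|unblock) ;;
        *) echo "usage: set_classroom block|unblock FILE" >&2; return 2 ;;
    esac
    while read -r mac _ || [ -n "$mac" ]; do
        case $mac in ''|'#'*) continue ;; esac
        "${action}_mac" "$mac" || rc=1
    done < "$file"
    return $rc
}

# Direct use: sh thisfile block room12.txt
[ $# -eq 0 ] || set_classroom "$@"
```

Current iptables releases refuse a DROP target in the nat table; on such systems the same `-m mac --mac-source` match has to go in a filter-table chain such as FORWARD, which is an adaptation and not what the thread used.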