Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Nicholaus on October 01, 2003, 02:44:40 AM

Title: Block one IP
Post by: Nicholaus on October 01, 2003, 02:44:40 AM
I'm using SME 5.0 and I need to block IP 192.168.0.10 to deny access to ALL of the internet, but not to block internal use of the network.

Please, can anybody help me?

Regards
Niki
Title: Re: Block one IP
Post by: ryan on October 01, 2003, 05:00:04 AM
If your client is 2k or XP Pro, you can configure group policy to force that machine to use an unchangeable proxy server... then put in a bogus computer name or bogus IP address for the proxy server setting. This assumes the user of the computer is not an administrator. You can also deny the use of the application iexplore.exe, which will give an error when they try to launch IE.

I am a net admin for a state agency and use this on 2k and XP machines that have been banned from internet usage.  

I am sure you can also edit a file on SME to accomplish this as well, since you can basically make Linux do anything you want if you're willing to research and learn it.

good luck,

ryan
Title: Re: Block one IP
Post by: Byte on October 01, 2003, 05:54:14 PM
Or you could use IPCHAINS, or if you use squid you could use ACLs.
Title: Re: Block one IP
Post by: Nicholaus on October 01, 2003, 05:58:39 PM
Byte wrote:
>
> Or you could use IPCHAINS or If you use squid you could use
> ACL's

Please, do you have a command example to block IP 192.168.0.10 with ipchains?

Regards
Niki
Title: Re: Block one IP
Post by: Byte on October 01, 2003, 07:27:58 PM
Ok, here is an example...

Step 1:
At the command prompt type

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

Step 2:

cp /etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowLocal /etc/e-smith/templates-custom/etc/rc.d/init.d/masq (all one line)

Step 3:

Now edit the 40AllowLocal in the templates-custom folder to look like so...

{
    foreach my $local (@locals)
    {
        $OUT .= "    /sbin/ipchains --append forward -s $primaryLocalNet ";
        $OUT .= "-d $local -j ACCEPT\n";
        $OUT .= "    /sbin/ipchains --append forward -s $local ";
        $OUT .= "-d $primaryLocalNet -j ACCEPT\n";
        $OUT .= "    /sbin/ipchains --append input -s $local ";
        $OUT .= "-d 0/0 -j ACCEPT\n";
        # added: deny packets from the blocked host leaving on eth1 (the external interface);
        # note the trailing space so the two string pieces join as "-d 0/0 -s ..."
        $OUT .= "    /sbin/ipchains --append output -i eth1 -d 0/0 ";
        $OUT .= "-s 192.168.1.70 -j DENY\n";
        $OUT .= "    /sbin/ipchains --append output -d $local ";
        $OUT .= "-s 0/0 -j ACCEPT\n";
    }
}


so the added lines above are...

        $OUT .= "    /sbin/ipchains --append output -i eth1 -d 0/0 ";
        $OUT .= "-s 192.168.1.70 -j DENY\n";


What that is saying is: anything going to eth1 (which is our HTTP access) is allowed for all of the network, but the 192.168.1.70 address is denied access to the internet.


Step 4:

Now just expand the template and restart

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

/etc/init.d/masq restart


Step 5:

All should be good.


Hope this guides you; we have used this in the past to great effect.

Byte
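As an added example (not from the thread, and not SME Server code), a small Python first-match simulation of the ipchains rules the edited 40AllowLocal template above expands to: it checks that the DENY for 192.168.1.70 is reached before any broader ACCEPT, because ipchains stops at the first matching rule, and shows the same DENY being shadowed when a catch-all ACCEPT precedes it. The local network, the single @locals entry and the destination internet address are constructed values.

```python
import ipaddress
import shlex

def parse_rule(cmd):
    """Turn one '/sbin/ipchains --append CHAIN ...' line into a dict."""
    argv = shlex.split(cmd)
    rule = {"chain": None, "src": "0/0", "dst": "0/0", "iface": None, "target": None}
    for opt, val in zip(argv[1::2], argv[2::2]):
        key = {"--append": "chain", "-A": "chain", "-s": "src", "-d": "dst",
               "-i": "iface", "-j": "target"}[opt]
        rule[key] = val
    return rule

def to_net(spec):
    # ipchains writes "any address" as 0/0, which ipaddress does not accept
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)

def first_match(rules, chain, src, dst, iface, policy="POLICY"):
    """ipchains takes the first rule that matches; later rules are never consulted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["chain"] != chain or (r["iface"] and r["iface"] != iface):
            continue
        if s in to_net(r["src"]) and d in to_net(r["dst"]):
            return r["target"]
    return policy

# Constructed expansion of the edited 40AllowLocal fragment, with both
# $primaryLocalNet and the single @locals entry set to 192.168.1.0/24.
LOCAL = "192.168.1.0/24"
RULES = [parse_rule(c) for c in (
    f"/sbin/ipchains --append forward -s {LOCAL} -d {LOCAL} -j ACCEPT",
    f"/sbin/ipchains --append input -s {LOCAL} -d 0/0 -j ACCEPT",
    "/sbin/ipchains --append output -i eth1 -d 0/0 -s 192.168.1.70 -j DENY",
    f"/sbin/ipchains --append output -d {LOCAL} -s 0/0 -j ACCEPT",
)]

def verdict(src, rules=RULES):
    # a packet from `src` leaving on eth1 towards a constructed internet address
    return first_match(rules, "output", src, "198.51.100.5", "eth1")

def shadowed_verdict(src):
    # the same DENY placed after a catch-all ACCEPT can never match
    catch_all = parse_rule("/sbin/ipchains --append output -s 0/0 -d 0/0 -j ACCEPT")
    return verdict(src, [catch_all] + RULES)

if __name__ == "__main__":
    print(verdict("192.168.1.70"), verdict("192.168.1.20"), shadowed_verdict("192.168.1.70"))
```

The simulation only models source, destination and interface matching, which is all the template's rules use; protocol and port matches are not represented.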