Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: DBLF on February 14, 2004, 03:30:24 AM

Title: Simple question
Post by: DBLF on February 14, 2004, 03:30:24 AM
Is it possible to allow/deny Internet access for computers in the local area network via MAC address?
And how ?

Thx
DBLF
Title: Good question
Post by: RobertS on February 14, 2004, 02:16:05 PM
I am searching for the answer to this question too, and I DO NOT find it.
It's very important to be able to control network routine, and SME Server hasn't any tools to do it!!
Of course I can use the proxy IP manager, but a user can type "on hand" some other IP and try to connect without the proxy!!

Anyone have propositions how to control it ?

Robert
Title: Simple question
Post by: matsk on February 14, 2004, 07:33:58 PM
Not "by MAC" but "by IP".

Check:
http://vanhees.homeip.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=136&ttitle=e-smith-squid-restrict-ip-0.1-1.noarch.rpm


If the squid in the SME Server is compiled with --enable-arp-acl then you can use MACs to allow/block access to the Internet. But I don't know how to check this!


/Mats
Title: Simple question
Post by: Rigger on February 14, 2004, 08:25:31 PM
First you need to solve (for the most part) the problem of users spoofing their MAC address. For the most part you can do this by adding the "deny unknown-clients;" option to your dhcpd.conf. If they know another known client MAC address they could in theory spoof that address and get access.

Quote

mkdir -p /etc/e-smith/templates-custom/etc/dhcpd.conf

echo "    deny unknown-clients;" > /etc/e-smith/templates-custom/etc/dhcpd.conf/25DenyUnknownHost



Next, in your server manager go to the "Hostnames and addresses" panel and "Add Hostnames". Add all the hosts you want to allow. The plus part of this is that you assign the IP address. With the IP address assigned you can use the mod suggested by matsk, since you now have each host assigned to a specific IP address.


Quote
matsk Posted: 14 Feb 2004 09:33    Post subject:  

--------------------------------------------------------------------------------
 
Not "by MAC" but "by IP".

http://vanhees.homeip.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=136&ttitle=e-smith-squid-restrict-ip-0.1-1.noarch.rpm


/Mats


Optionally, instead of e-smith-squid-restrict-ip-0.1-1.noarch.rpm, you could just go the iptables route and drop any traffic for a specific MAC address.

Quote

iptables -t nat -A PREROUTING -m mac --mac-source 00:00:00:00:00:DF -p ALL -j DROP

Note: This rule will drop all outbound traffic from this mac address; www, ftp, p-2-p, etc. No requests out and e-smith rules will already drop anything inbound that has not been "requested".


Personally I use this to restrict my kids' web time. Each kid has their own computer with their own password. A cron event turns on/off (iptables version) access for each system.

--
Doug M.
"Rigger"
Title: Simple question
Post by: Franco on March 03, 2005, 03:51:03 AM
Doug, Thanks for the tip. Two questions:
1- Can I use the squid-restrict rpm on SME 6?
2- After applying the rule above, how can I enable that machine access again?

Thanks,
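
Added example, not part of the thread and not code from any poster: a cron-callable on/off switch built around the iptables rule in Rigger's post, where "on" removes the DROP rule again with `-D`. The script name, the `IPT`/`TABLE`/`CHAIN` variables and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: idempotent on/off switch for the MAC-based DROP rule,
# meant to be called from cron.
# Hypothetical usage:  mac-access.sh off 00:00:00:00:00:DF
#                      mac-access.sh on  00:00:00:00:00:DF

IPT="${IPT:-iptables}"          # overridable so the logic can be dry-run
TABLE="${TABLE:-nat}"           # table and chain as used in the post
CHAIN="${CHAIN:-PREROUTING}"    # recent iptables releases refuse DROP in
                                # nat; TABLE=mangle is one alternative there

# Accept only six colon-separated hex octets, so a typo in a crontab
# cannot turn into an unintended rule.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Run one rule operation ($1 is -A or -D) for the MAC in $2.
mac_rule() {
    $IPT -t "$TABLE" "$1" "$CHAIN" -m mac --mac-source "$2" -p ALL -j DROP
}

# Re-enable access: -D removes one matching rule per call, so repeat
# until it fails. This also clears duplicates left by repeated -A runs.
allow_mac() {
    valid_mac "$1" || return 2
    while mac_rule -D "$1" 2>/dev/null; do :; done
    return 0
}

# Block access: clear any existing copies first, then append exactly one,
# so a cron job that fires twice does not stack rules.
block_mac() {
    allow_mac "$1" || return $?
    mac_rule -A "$1"
}

case "${1:-}" in
    on)  allow_mac "${2:-}" ;;
    off) block_mac "${2:-}" ;;
esac
```

The rule matches only the source MAC, so the spoofing caveat from Rigger's post applies unchanged.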