Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: kevincallan on March 02, 2018, 06:25:27 PM
-
I have some machines that I want connected to my local network but do not want to have internet access. I suppose I can manually assign the network parameters and leave the gateway empty but I thought maybe there may be a way to do this with the server settings to make setup easier. Any recommendations?
-
What about squid?
-
Presume the server is in server-gateway and you want to control it from there?
One possibility:
https://wiki.contribs.org/Dansguardian
Thinking out loud... another way is a custom iptables rule to block outbound from certain IPs. You'd need to handle fixing the IPs I guess. See Dansguardian above for how you fix IPs using MAC addresses. You could say add the requisite IPs to a small IP block and then with iptables drop outbound packets from that block.
You'd need a rule that kind of looks like this (you need to figure out the subnetting/masks):
iptables -I INPUT -s 192.168.1.0/255.255.255.192 -j DROP
A lot will depend on your network setup.
There is some stuff in the wiki on custom iptables fragments - see here:
https://wiki.contribs.org/Firewall
-
I'm going to tip my cards here even though I don't want to because it may attract the sort of posts advising me on how I should think. But my mind is made up.
I generally really like Windows 10 but the forced update policy that MS has built into the product is unacceptable. If it were just up to me, I would eliminate Windows and install Linux but there are others and they need MS Office, but they don't need Internet access. These are appliance machines that have to be ready to use on demand.
I want to revoke Internet access to those machines but still allow them to authenticate to the SME domain controller, use the network printers, access the file server, etc.
I am running v9.2. My structure is like this: Cable Modem<>SME<>unmanaged switch<>PCs, printers, WiFi APs.
If you have other ideas on how to solve the forced update issue that actually work, I would LOVE to hear them but I am focusing on using SME to form a work-around. I wish there was something in the server manager web UI that could control this.
-
kevincallan
See this Howto
https://wiki.contribs.org/Firewall#Block_outgoing_IPs_or_mac_addresses
-
I would suggest using the previous link to create the template-custom, but I would rather use (personal choice)
/sbin/iptables -t nat -A PREROUTING -m mac --mac-source YOURMAC -j DROP
This should leave you access to LAN resources, let you ping the machine from the SME server, and should block incoming and outgoing frames for this machine across the NAT. Frames already passing will keep going until they close, all in a 20denyLAN or 36denyLANtoINTERNET.
Also pay attention that if your filename is 20deny you will close access to the Internet and your server with the INPUT chain in the filter table (default table); 40deny should be more appropriate if you want to keep the local access (needs testing).
So, in summary, everything depends on the right syntax and on placing the rules in the right place. See http://developer.gauner.org/doc/iptables/images/nfk-traversal.png
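The two suggestions above (drop by source IP block, drop by MAC address) and the warning about which chain the rule lands in can be put together in one small script. This is an added example, not code from the thread or from the SME Server project. It places every rule in the filter table's FORWARD chain matched on the WAN interface, which is a choice made here rather than the nat PREROUTING rule the previous poster prefers: the INPUT chain stays untouched, so the PCs can still reach the server itself (domain logon, shares, printing), and LAN-to-LAN traffic never crosses the gateway anyway. The interface names eth0/eth1 and the host list are assumptions and constructed sample data; on a real box they would come from the server's own configuration.

```shell
#!/bin/sh
# Added example: generate iptables rules that cut a set of LAN hosts off from
# the Internet on a gateway while leaving LAN access and access to the server
# itself alone. Hypothetical assumptions: eth0 is the LAN side, eth1 the WAN
# side; override with LAN_IF/WAN_IF in the environment.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
IPT="${IPT:-/sbin/iptables}"

# Constructed sample inventory: one entry per line, either an IPv4 host/CIDR
# (the "small IP block" idea) or a MAC address (the per-machine idea).
# Lines starting with '#' are comments.
NOINET_HOSTS='
# appliance PCs that must stay off the Internet
192.168.1.64/26
192.168.1.200
00:11:22:33:44:55
'

# is_mac STR: succeeds when STR looks like a MAC address (aa:bb:cc:dd:ee:ff)
is_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# build_rules: print one iptables command per inventory entry.
#  - FORWARD chain only: the INPUT chain (traffic to the server) is never
#    touched, which is the trap the 20deny filename discussion points at.
#  - -i LAN -o WAN: only LAN->Internet forwarding is affected.
#  - -I (insert) puts the DROP ahead of any existing ACCEPT/MASQ rules.
build_rules() {
    printf '%s\n' "$NOINET_HOSTS" | while IFS= read -r entry; do
        case "$entry" in ''|'#'*) continue ;; esac
        if is_mac "$entry"; then
            printf '%s -I FORWARD -i %s -o %s -m mac --mac-source %s -j DROP\n' \
                "$IPT" "$LAN_IF" "$WAN_IF" "$entry"
        else
            printf '%s -I FORWARD -i %s -o %s -s %s -j DROP\n' \
                "$IPT" "$LAN_IF" "$WAN_IF" "$entry"
        fi
    done
}

# count_rules: how many rules build_rules emits (one per real inventory line)
count_rules() {
    build_rules | wc -l | tr -d ' '
}

# apply_rules: dry-run by default; only executes the rules when APPLY=1,
# so the script can be reviewed before it touches the firewall.
apply_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        build_rules | sh -e
    else
        build_rules
    fi
}

apply_rules
```

Run as-is it only prints the rules for review; `APPLY=1 sh script.sh` executes them. Rules added this way are lost at the next firewall restart, so on SME Server the generated lines belong in a masq template fragment under /etc/e-smith/templates-custom, with the filename chosen so it is expanded after the chains exist (the 20deny vs 40deny point made above); the exact fragment syntax is on the linked Firewall wiki page. Matching by IP only holds while the PCs keep their addresses, so pair it with fixed leases or use the MAC form.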