
After some confirmation that I have the thinking right in this scenario.

We have a number of wired and wireless machines which presently have direct internet access. I also have a Linux (Ubuntu) server which is used as a file server for the network.

Essentially I would like to be able to turn internet access on and off for machines.

My plan is to block these machines by MAC address at the router. I would then set up a proxy server on the Linux box (i.e. Squid) so that the machines I wish to restrict can access the internet via the proxy. As I can adjust access via ACLs in Squid, I would be able to switch a machine's access to the internet on or off without having to further adjust the router's MAC rules. And of course I could go further and create a few scripts to assist with this admin task.

Does this seem sound, and have I overlooked anything? Any help greatly appreciated.

Simon.

MDMarra
Simon Rigby
  • I think you have covered all bases. Don't forget to also have a MAC allow list in your squid config, to prevent people bypassing your MAC-based filtering. – Anirudh Ramanathan Jun 23 '12 at 08:33
  • 1
    Thanks for the reply .. hard for me to accept the answer as its .. well not an "answer" :) .. greatly appreciated :) –  Jun 23 '12 at 08:53
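As an added example (not code from the question or from any answer), this is the kind of admin script the plan calls for: it keeps the MAC addresses Squid may serve in one include file and tells Squid to re-read it, so granting or revoking a machine's access never touches the router's MAC rules. The paths, the ACL names and the `squid.conf` lines in the header comment are assumptions (Squid 3.2+ `arp` ACL syntax). One caveat a practitioner would want: Squid can only learn the MAC of a client on its own layer-2 segment, so this allow list only works while the proxy sits on the same subnet as the restricted machines; a client reached through another router would show that router's MAC.

```shell
#!/usr/bin/env bash
# Added example, not code from the original question: a small admin script for
# the "switch a machine's Internet access on or off" task, keeping the MACs
# Squid may serve in one include file. Paths and ACL names are assumptions.
#
# Assumed lines in /etc/squid/squid.conf (Squid 3.2+ 'arp' ACL syntax):
#   acl localnet    src 192.168.1.0/24
#   acl internet_ok arp "/etc/squid/internet_ok.macs"
#   http_access allow localnet internet_ok
#   http_access deny all
# Caveat: the arp ACL only sees MACs of clients on the proxy's own layer-2
# segment; a client reached through another router shows that router's MAC.
set -eu

ACL_FILE="${ACL_FILE:-/etc/squid/internet_ok.macs}"

# Normalise a MAC to lowercase, colon-separated form; fail on anything else.
normalize_mac() {
  local mac
  mac=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' ' | tr '-' ':')
  case "$mac" in
    [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
      printf '%s\n' "$mac" ;;
    *) return 1 ;;
  esac
}

# Grant access: append the MAC unless it is already listed.
allow_mac() {
  local mac
  mac=$(normalize_mac "$1") || { echo "bad MAC: $1" >&2; return 1; }
  touch "$ACL_FILE"
  grep -Fqx "$mac" "$ACL_FILE" || printf '%s\n' "$mac" >> "$ACL_FILE"
}

# Revoke access: rewrite the file without that MAC.
deny_mac() {
  local mac
  mac=$(normalize_mac "$1") || { echo "bad MAC: $1" >&2; return 1; }
  [ -f "$ACL_FILE" ] || return 0
  grep -Fvx "$mac" "$ACL_FILE" > "$ACL_FILE.tmp" || true   # grep exits 1 when nothing is left
  mv "$ACL_FILE.tmp" "$ACL_FILE"
}

# Query: succeed if the MAC is currently allowed.
is_allowed() {
  local mac
  mac=$(normalize_mac "$1") || return 1
  [ -f "$ACL_FILE" ] && grep -Fqx "$mac" "$ACL_FILE"
}

# Squid re-reads squid.conf and the files it references on reconfigure,
# so no restart (and no dropped client connections) is needed.
reload_squid() { squid -k reconfigure; }

main() {
  case "${1:-}" in
    allow)  allow_mac "${2:-}" && reload_squid ;;
    deny)   deny_mac "${2:-}" && reload_squid ;;
    status) if is_allowed "${2:-}"; then echo "allowed"; else echo "blocked"; fi ;;
    *)      echo "usage: $0 allow|deny|status <mac>" >&2; return 2 ;;
  esac
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `internet-access.sh allow 00:11:22:aa:bb:cc` or `internet-access.sh deny 00:11:22:aa:bb:cc`; the file it writes is the one `squid.conf` names in the `arp` ACL, and `squid -k reconfigure` applies the change without restarting the proxy. Because the router still blocks the restricted MACs outright, a machine that is not in this file has no path to the Internet at all, which is the point of combining the two layers.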

5 Answers


The best choice for this system is MikroTik RouterOS: it supports everything you want, and it is easy to use as well. It has an accounting server, a proxy server, and more.

KF2
    The OP already has a linux machine he wants to run squid on. – Anirudh Ramanathan Jun 23 '12 at 08:42
  • MikroTik RouterOS is a Linux OS. You can install it on a computer; with this OS you do not need to install Squid. It can block users by MAC/IP address, it has a lot of features and is easy to use; you can install it in 2 minutes –  Jun 23 '12 at 08:46
  • follow http://www.linuxquestions.org/questions/linux-newbie-8/squid-acl-block-internet-by-ip-address-644884/ –  Jun 23 '12 at 08:49
  • He wants to block users by their MAC addresses. – Anirudh Ramanathan Jun 23 '12 at 08:50
  • Thanks for the reply. But I'm really just interested in knowing if this scenario works, as opposed to any other way of doing it. There are other considerations that have led me to go this way that I've not mentioned for brevity. So, as I say, I'm more after a confirmation that I've not missed anything. –  Jun 23 '12 at 08:52
  • try this: http://www.cyberciti.biz/faq/howto-linux-unix-squid-mac-address-filtering/ –  Jun 23 '12 at 08:52
  • Thanks again... I'm not after info on how to do any of the things I've mentioned... I'm looking for confirmation that the concept is sound and that I've not missed anything. I've researched the 'nuts and bolts' –  Jun 23 '12 at 08:55

I can think of exactly one point: a machine could change the MAC address of its network interface. In this case, your filtering could be circumvented...

But I can see nothing you could do against that, so you are as close to being safe as possible.

glglgl

If you want to have control over HTTP traffic, then a proxy server like Squid makes sense, as it provides mechanisms to block specific IPs/domains/URLs, etc.

If you want to block Internet access for specific machines, this can be done several ways:

  1. You can block specific MAC addresses on your router, but you should know that any machine can change its MAC address. For example, if a user has admin privileges on a machine, he will be able to change the MAC address.
  2. You can block specific IP addresses on your router. Again, any admin user can change the IP address of a machine and thus your access list becomes useless.

The solution to such problems is to either prevent admin access for these machines' users (no MAC/IP can be changed), or have something like port security on your managed switch if available.

Khaled
  • Hi. Yes the users concerned do not have admin access, so will be unable to change MAC address or IP. Thanks for the reply – Simon Rigby Jun 25 '12 at 00:41
  • Thanks to all that replied .. marking this as the answer for the thoroughness as such. Once again I appreciate all the efforts of those who replied. – Simon Rigby Jun 25 '12 at 00:42
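Both this answer and glglgl's point out that a user with enough privilege can change a machine's MAC or IP and walk around a filter keyed on either. Port security on a managed switch is the preventive control; what follows is an added detective one, not part of any answer in the thread: a script that compares the proxy's neighbour table with a baseline of expected IP/MAC pairs and reports an IP that now answers from a different MAC (a changed or borrowed address) or a MAC nobody recorded. The baseline and the `ip neigh show` lines it parses are constructed samples; the output format of `ip neigh show` is assumed to be the usual `addr dev ifname lladdr mac STATE` form.

```shell
#!/usr/bin/env bash
# Added example, not part of any answer in the thread: a check for the bypass
# the answers describe, a host changing its MAC (or a new host borrowing a
# known IP). It compares the proxy's neighbour table with a baseline the admin
# recorded. The baseline and the `ip neigh show` lines below are constructed.
set -eu

# Baseline "ip mac" pairs (constructed sample of what the admin recorded).
BASELINE='192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:66
192.168.1.12 00:11:22:33:44:77'

# Constructed sample of `ip neigh show` output: .11 now answers from a
# different MAC, .20 is not in the baseline, .12 is absent, .13 never resolved.
SAMPLE_NEIGH='192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.11 dev eth0 lladdr 00:11:22:33:44:AA STALE
192.168.1.20 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.13 dev eth0 FAILED'

# Reduce `ip neigh show` lines to "ip mac", lowercased, skipping entries
# that have no link-layer address (FAILED/INCOMPLETE) and IPv6 entries.
parse_neigh() {
  awk '$1 ~ /^[0-9.]+$/ {
         for (i = 1; i <= NF; i++) if ($i == "lladdr") print $1, tolower($(i + 1))
       }'
}

# Compare "ip mac" pairs on stdin with the baseline in $1. Prints one line per
# finding (CHANGED ip old new | UNKNOWN ip mac | MISSING ip mac) and exits 1
# when a CHANGED or UNKNOWN entry was seen; MISSING alone (host off) is exit 0.
check_neigh() {
  { printf '%s\n' "$1" | sed 's/^/B /'; sed 's/^/C /'; } | awk '
    $1 == "B" { want[$2] = tolower($3); next }
    $1 == "C" {
      ip = $2; mac = $3; seen[ip] = 1
      if (ip in want) {
        if (want[ip] != mac) { print "CHANGED", ip, want[ip], mac; bad++ }
      } else { print "UNKNOWN", ip, mac; bad++ }
    }
    END {
      for (ip in want) if (!(ip in seen)) print "MISSING", ip, want[ip]
      exit (bad ? 1 : 0)
    }'
}

# Run against the live neighbour table (suitable for cron; non-zero = alert).
check_live() { ip neigh show | parse_neigh | check_neigh "$BASELINE"; }

# Run against the constructed sample and return the report as text.
check_sample() {
  printf '%s\n' "$SAMPLE_NEIGH" | parse_neigh | check_neigh "$BASELINE" || true
}
```

On the constructed sample, `check_sample` reports `CHANGED` for 192.168.1.11, `UNKNOWN` for 192.168.1.20 and `MISSING` for 192.168.1.12. The neighbour table only covers hosts the proxy has talked to recently, and a spoofer who also copies the victim's MAC while the victim is offline looks identical to the victim, so treat this as a cheap alarm that complements port security rather than a substitute for it.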

Can you tell us why you picked MAC addresses as the basis for filtering? As stated by glglgl, a MAC can be changed by a user.

Is it a necessity to your planning that you're able to define rules for arbitrary individual hosts on a given network? Where I'm going is, if you're planning to roll out a new config to a group at a time, IP subnets would be the way to go.

Potentially, a user could change their IP, or even spoof it, but only within their own broadcast domain. If they tried to set/spoof to a different subnet IP, the network simply wouldn't route packets back to the host machine in that case, which would not help them circumvent your blocking scheme.

sjw

You could use wired and wireless EAP to separate your machines into two VLANs, with and without internet access.

qdiesel