Re: [K12OSN] Internet access question

jeffr@odeon.net)
Fri, 15 Mar 2002 09:20:11 -0600 (CST)



Assuming that your students are all using K12LTSP terminals, and you've
got networking configured in the default way (i.e., all of your terminals
off of one ethernet card in the server and the rest of your network on
another network card off of your LTSP server), you should be able to
adjust the packet filtering rules on the server to restrict traffic on
ports 80 and 443 (and any others that you need to restrict) for a certain
range of IP addresses.

Here's a howto:

http://www.telematik.informatik.uni-karlsruhe.de/lehre/seminare/LinuxSem/downloads/netfilter/iptables-HOWTO.html

You would need to know what IPs are assigned to the clients in each
classroom to make this work.  I believe that you can make DHCPD give the
same IP to a client every time based on the MAC address of the client.

http://www.linuxdoc.org/HOWTO/mini/DHCP/

http://www.linuxdoc.org/HOWTO/Net-HOWTO/

Once you've got your various packet filtering rules defined, it should be
fairly easy to make a script that the teachers can execute that would
restrict access from a given classroom, and then open it up again.

It would be much easier to restrict all of the terminals at once this way,
rather than trying to do it by classroom, but it should still be possible.

I don't know enough about Squid to know if you can do it there, but the
Squid box would need to be able to differentiate between the users that
would need to be blocked and all of the other users that should still have
access.  If it can't do that then you'd be stuck at the Squid box.

A quick look at the Transparent Proxy with Linux and Squid mini-HOWTO
might be helpful:

http://www.linuxdoc.org/HOWTO/mini/TransparentProxy.html

and specifically:

http://www.linuxdoc.org/HOWTO/mini/TransparentProxy-4.html

Squid does appear to support ACLs that you could use to block users by IP
address.  The bad news here is that your K12LTSP server will be doing NAT
for all of the clients.  This means that traffic coming from the terminals
will all appear to be coming from the same IP address by your Squid box.
After a quick glance at the Squid FAQ:

http://www.squid-cache.org/Doc/FAQ/FAQ.html

it looks like you could block your entire K12LTSP server from reaching the
internet with the Squid proxy, but not just specific terminals.  Unless of
course you've got a separate K12LTSP server with a different IP address on
your network for each classroom.  Then you'd be able to block access to
the internet (well, http and https traffic presumably) from your clients
at either the K12LTSP server for that classroom, or at your Squid proxy.

Regardless of where you end up restricting access, once you've got the
rules defined it should be fairly easy to script it so that the teachers
can restrict access and then later open up access easily.

Jeff


On Fri, 15 Mar 2002, Mark Orenstein wrote:

> We use squid/squidGuard on Linux at our high school for Internet access.  We
> have had requests from a couple of teachers that, at their discretion, they
> would like to disable Internet access for all PC's in the computer lab
> during their class time.  Suggestions for how to do this would be really
> appreciated.
>
> Right now the teachers do not have userid's on the squid PC.  They do have
> Samba access to another Linux server on the same LAN.
>
> Mark Orenstein
> East Granby, CT School System
>
>
>
> _______________________________________________
> K12OSN mailing list
> K12OSN@redhat.com
> https://listman.redhat.com/mailman/listinfo/k12osn
> For more info see 
>
>
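
The per-classroom toggle script described in the reply above, sketched as an added example (not code from the original post or from the K12LTSP project). The chain name, interface and classroom address ranges are constructed assumptions, and the rules only affect connections the server forwards from those source addresses.

```shell
#!/bin/sh
# Added example: per-classroom web on/off switch for the filtering server.
# Assumed values (not from the post): interface, chain name, address ranges.
IPT=${IPT:-iptables}        # binary to call; a test can point this at a stub
LAN_IF=${LAN_IF:-eth0}      # NIC facing the terminals (assumption)
CHAIN=CLASSROOM_WEB         # hypothetical dedicated chain

# Constructed map of classroom -> range; match it to the fixed leases in dhcpd.conf.
room_range() {
    case "$1" in
        room101) echo 192.168.0.32/28 ;;
        room102) echo 192.168.0.48/28 ;;
        *) return 1 ;;
    esac
}

# Build the match for one room: HTTP and HTTPS from that room's addresses.
rule_spec() {
    range=$(room_range "$1") || return 1
    echo "-s $range -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset"
}

# Create the chain once and hook it into FORWARD for terminal-side traffic.
setup() {
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -C FORWARD -i "$LAN_IF" -j "$CHAIN" 2>/dev/null ||
        $IPT -I FORWARD -i "$LAN_IF" -j "$CHAIN"
}

# block is idempotent: -C finds an existing rule so repeats do not stack.
block_room() {
    spec=$(rule_spec "$1") || { echo "unknown room: $1" >&2; return 2; }
    setup
    $IPT -C "$CHAIN" $spec 2>/dev/null || $IPT -A "$CHAIN" $spec
}

# allow deletes every copy of the rule, then reports success.
allow_room() {
    spec=$(rule_spec "$1") || { echo "unknown room: $1" >&2; return 2; }
    while $IPT -D "$CHAIN" $spec 2>/dev/null; do :; done
    return 0
}

if [ $# -eq 2 ]; then
    case "$1" in
        block) block_room "$2" ;;
        allow) allow_room "$2" ;;
        *) echo "usage: $0 block|allow ROOM" >&2; exit 64 ;;
    esac
fi
```

Because iptables needs root, teachers would run this through a sudo rule limited to this one script rather than being given a root shell.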


