Koozali.org: home of the SME Server

Block access to Internet

calvin

Block access to Internet
« on: September 05, 2002, 05:58:41 PM »
I need to block Internet access for some machines. I have a proxy here to serve Internet to my clients, but I think that making changes to the proxy configuration and restarting the proxy service is too slow. I need something in real time. Does somebody have an idea how to resolve this?

I am thinking of using an ipchains rule ...




Thanks a lot...

Geoff Bennion

Re: Block access to Internet
« Reply #1 on: September 05, 2002, 08:45:42 PM »
This is a nasty hack, but it works.

route add privateipofmachine gw 127.0.0.1

eg

if you want to block private ip 10.0.0.1 you would use


route add 10.0.0.1 gw 127.0.0.1


to re-enable internet access

route delete 10.0.0.1


Geoff.

Max

Re: Block access to Internet
« Reply #2 on: September 05, 2002, 10:00:38 PM »
A much better nasty hack (imho) is indeed an ipchains rule.
I do:

ipchains -I forward 1 -j DENY -p all -s SOMEONES_IP -d 0.0.0.0/0

which says insert a new rule in the forwarding list at position 1, deny any protocol from SOMEONES_IP to anywhere.
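
The ipchains rule from the reply above, paired with its removal and with validation of the address before it reaches the command line. This is an added example, not code from the thread; the function names and the DRY_RUN variable are assumptions of the example, and the delete form `ipchains -D forward <rule>` takes the same rule specification as the insert.

```shell
#!/bin/sh
# Added example: block/unblock helper around the forward-chain DENY rule.
# Function names and DRY_RUN are hypothetical, chosen for this example.

# Return 0 only for a dotted-quad IPv4 address with octets 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac  # no leading zeros (octal ambiguity)
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule specification shared by insert and delete so they always match.
rule_spec() {
    printf '%s' "-j DENY -p all -s $1 -d 0.0.0.0/0"
}

# Print the ipchains command for "block" or "unblock"; return 2 on bad input.
# Note: -D removes one matching rule per call, so blocking twice needs two unblocks.
build_cmd() {
    action=$1 ip=$2
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    case "$action" in
        block)   echo "ipchains -I forward 1 $(rule_spec "$ip")" ;;
        unblock) echo "ipchains -D forward $(rule_spec "$ip")" ;;
        *)       echo "usage: block|unblock <ip>" >&2; return 2 ;;
    esac
}

# Print the command when DRY_RUN=1 (default); execute it when DRY_RUN=0.
apply_rule() {
    cmd=$(build_cmd "$1" "$2") || return $?
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else $cmd; fi
}

if [ "$#" -eq 2 ]; then apply_rule "$1" "$2"; fi
```

Run with `DRY_RUN=0` as root on the gateway to apply the rule; the default only prints the command that would be executed.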

Geoff Bennion

Re: Block access to Internet
« Reply #3 on: September 06, 2002, 12:05:38 AM »
I agree, but the route add is the easiest and quickest to type (and remember).

Or, how about the low-tech solution - unplug the workstation from the network.

David Hardy

Re: Block access to Internet
« Reply #4 on: September 22, 2002, 02:35:21 PM »
Or if you're using the logon script panel use:

1) route delete 0.0.0.0
2) route add 0.0.0.0 mask 0.0.0.0 SME_IP

Use 1) in the script for those users you want to block and 1)+2) for those you don't - this follows them around the network quite nicely.

I use this to push some users through a very tight webfilter and others through a more relaxed one!