Koozali.org: home of the SME Server

Disable internet access for machines

Offline kevincallan

Disable internet access for machines
« on: March 02, 2018, 06:25:27 PM »
I have some machines that I want connected to my local network but do not want to have internet access. I suppose I can manually assign the network parameters and leave the gateway empty, but I thought maybe there may be a way to do this with the server settings to make setup easier. Any recommendations?

Offline Stefano

Re: Disable internet access for machines
« Reply #1 on: March 02, 2018, 07:42:55 PM »
What about squid?

Offline ReetP

Re: Disable internet access for machines
« Reply #2 on: March 03, 2018, 07:38:30 PM »
Presume the server is in server-gateway mode and you want to control it from there?

One possibility:
https://wiki.contribs.org/Dansguardian

Thinking out loud... another way is a custom iptables rule to block outbound from certain IPs. You'd need to handle fixing the IPs I guess. See Dansguardian above for how you fix IPs using MAC addresses. You could say add the requisite IPs to a small IP block and then with iptables drop outbound packets from that block.

You'd need a rule that looks something like this (you need to figure out the subnetting/masks):

iptables -I INPUT -s 192.168.1.0/255.255.255.192 -j DROP

A lot will depend on your network setup.

There is some stuff in the wiki on custom iptables fragments - see here:

https://wiki.contribs.org/Firewall
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline kevincallan

Re: Disable internet access for machines
« Reply #3 on: April 14, 2018, 05:55:14 PM »
I'm going to tip my cards here even though I don't want to, because it may attract the sort of posts advising me on how I should think. But my mind is made up.

I generally really like Windows 10, but the forced update policy that MS has built into the product is unacceptable. If it were just up to me, I would eliminate Windows and install Linux, but there are others and they need MS Office, though they don't need Internet access. These are appliance machines that have to be ready to use on demand.

I want to revoke Internet access to those machines but still allow them to authenticate to the SME domain controller, use the network printers, access the file server, etc.

I am running v9.2. My structure is like this: Cable Modem <> SME <> unmanaged switch <> PCs, printers, WiFi APs.

If you have other ideas on how to solve the forced update issue that actually work, I would LOVE to hear them, but I am focusing on using SME to form a work-around. I wish there was something in the server-manager web UI that could control this.

Offline janet

Re: Disable internet access for machines
« Reply #4 on: April 14, 2018, 06:49:56 PM »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Disable internet access for machines
« Reply #5 on: April 14, 2018, 11:59:00 PM »
I would suggest using the previous link to create the template-custom, but I would rather use (personal choice):

Code:
/sbin/iptables -t nat -A PREROUTING -m mac --mac-source YOURMAC -j DROP

This should leave you access to LAN resources and the ability to ping the machine from the SME server, and should block incoming and outgoing frames for this machine across the NAT. Frames already passing will continue until they close. All of this goes in a 20denyLAN or 36denyLANtoINTERNET fragment.

Also pay attention: if your filename is 20deny you will close access to the Internet and to your server, because of the INPUT chain in the filter table (the default table). 40deny should be more appropriate if you want to keep local access (need to test).

So, in summary, all is dependent on the right syntax and on placing the rules at the right place in the chain of rule creation. See http://developer.gauner.org/doc/iptables/images/nfk-traversal.png
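Putting ReetP's custom-fragment suggestion and Jean-Philippe's MAC-based rule together, here is an added example of what such a masq fragment could contain. It is not code from this thread or from the SME Server project. The fragment path (36denyLANtoINTERNET under templates-custom), the external-interface variable name OUTERIF, and the MAC addresses are assumptions or constructed sample values. It matches on MAC in the FORWARD chain rather than nat PREROUTING, so the host keeps talking to the server itself (domain controller, file shares) and to the rest of the LAN, and only packets routed out the external interface are dropped; because the rule is inserted at the top of the chain, already-established flows stop as well rather than lingering until they close. It also validates each MAC before emitting a rule, since a typo would otherwise become a rule that silently matches nothing.

```shell
#!/bin/sh
# Added example, not code from the thread or from SME Server: a custom masq
# fragment that cuts selected LAN hosts off from the Internet while leaving
# LAN and server access alone. Intended location (assumption):
#   /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/36denyLANtoINTERNET
# then: expand-template /etc/rc.d/init.d/masq && /etc/rc.d/init.d/masq restart

# Hosts to cut off, one MAC per line. Constructed sample values; the third
# entry is deliberately malformed to show the validation step.
BLOCKED_MACS="
00:11:22:33:44:55
66:77:88:99:aa:bb
not-a-mac
"

# External interface. The real masq script's variable name is an assumption;
# the fallback lets the fragment run stand-alone for review.
OUTERIF="${OUTERIF:-eth1}"

# Pattern for one hex byte, used unquoted in the case pattern below so the
# shell treats it as a glob rather than a literal string.
H='[0-9a-fA-F]'

# Accept only a well-formed colon-separated MAC address.
is_mac() {
    case "$1" in
        $H$H:$H$H:$H$H:$H$H:$H$H:$H$H) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one iptables command per valid MAC. FORWARD (filter table) rather than
# nat PREROUTING means traffic to the server (INPUT) and to other LAN hosts is
# untouched; only packets leaving via the external interface are dropped.
# -I puts the rule at the head of the chain, ahead of any ESTABLISHED accept,
# so existing Internet connections from the host die immediately.
deny_internet_rules() {
    for mac in $BLOCKED_MACS; do
        if is_mac "$mac"; then
            printf '%s\n' "/sbin/iptables -I FORWARD -o $OUTERIF -m mac --mac-source $mac -j DROP"
        else
            printf 'skipping malformed entry: %s\n' "$mac" >&2
        fi
    done
}

# APPLY=1 executes the rules; the default only prints them for review.
if [ "${APPLY:-0}" = "1" ]; then
    deny_internet_rules | while read -r cmd; do eval "$cmd"; done
else
    deny_internet_rules
fi
```

Run it without APPLY to see the rules it would add, then as APPLY=1 (as root, on the gateway) to install them; once the fragment is in place, expanding the masq template and restarting masq regenerates the rules on every boot. To confirm a blocked host is really cut off, check the counters with iptables -L FORWARD -v -n and watch the DROP rule for that MAC increment while the host can still reach the server's shares.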