[thelist] Restricting Internet Access by LAN IP
Phil Turmel
philip at turmel.org
Tue Jun 28 21:37:54 CDT 2005
Matthew,
Although the hosts file method should work well, it can be defeated if a
user types an IP address directly into the browser. An alternative is
to cripple routing instead of hostname lookup. Assuming the following
typical addresses:
Linksys: IP = 192.168.0.1, subnet mask = 255.255.255.0
Computer: IP = 192.168.0.5, subnet mask = 255.255.255.0,
Default gateway = 192.168.0.1, Preferred DNS = 192.168.0.1,
Alternate DNS = 0.0.0.0
First, change the default gateway to 0.0.0.0
Next, in an administrator command prompt, add persistent routes for each
approved host:
route -p add {IP of approved host} mask 255.255.255.255 192.168.0.1
Note, you must use the IP address of the approved host, not its name (no
worse than putting it in a hosts file, but not terribly convenient).
If in your case the preferred DNS is not equal to the original default
gateway (the router's IP), add a persistent route for it, too.
If you need help with your specific addresses, I'd be happy to help offlist.
Phil
Matthew Lewis wrote:
> Okay, I'm not very experienced with using the hosts file beyond very
> basic purposes. What would I have to do to disallow DNS lookups for
> sites that aren't in the hosts file? The first option you listed below
> sounds a little more complex than I want to get into, seeing as how I'm
> doing the whole job for free anyway. The second option, setting the
> computer's DNS to not get service and give DNS resolution by the hosts
> file, sounds doable but I'm not sure how to get started. If anyone could
> provide a quick example, I'd appreciate it.
>
>> ...Unfortunately, I can't get a Linux machine for this network...
>
>
> > just wondering WHY you can't get a linux
> > box on the network? As this is the simplest
> > solution wondering what the restriction is so
> > we don't come up with a solution that has
> > the same problem.
>
> The problems are that the organization in question doesn't have money
> for another box to install Linux on, and if it did, I must confess that
> I have absolutely no experience using anything on Linux beyond web
> applications. I'd hate to have them buy something only to find out that
> I still can't get the system running anytime soon. I think the hosts
> file will be the easiest alternative at this point, if someone can head
> me in the right direction with it. I wish I could get Squid to work on
> one of the Windows boxes - but I gave it a try and got absolutely
> nowhere with it.
>
> Thanks for all the ideas guys,
>
> Matthew
>
> Joshua Olson wrote:
>
>>> -----Original Message-----
>>> From: Ken Schaefer
>>> Sent: Monday, June 27, 2005 9:23 PM
>>>
>>> A HOSTS file will work.
>>
>> The hosts file may help, but is not a total solution. You would need to
>> disallow DNS lookups for sites NOT in the hosts file. You could, in theory,
>> set the DNS of the machines in question to either an in-house DNS server
>> that only has records for a few sites (those that are allowed) or set the
>> computer's DNS to something that provides no service and provide DNS
>> resolution via the hosts file.
>>
>> <><><><><><><><><><>
>> Joshua L. Olson
>> WAE Tech Inc.
>> http://www.waetech.com/
>> Phone: 706.210.0168 Fax: 413.812.4864
>>
>> Monitor bandwidth usage on IIS6 in real-time:
>> http://www.waetech.com/services/iisbm/
>
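A worked model of the routing scheme Phil describes, added here as an example and not taken from the thread or from any Windows tool. It uses the thread's sample LAN (192.168.0.0/24, router and DNS at 192.168.0.1); the two "approved" addresses are constructed placeholders from the RFC 5737 documentation ranges, and the `next_hop` lookup is a plain longest-prefix-match simulation of what the host's IP stack does once the default gateway is gone. `route_commands` emits the exact `route -p add` lines from the mail, including the extra one for a DNS server that is not on the LAN; it does not run them.

```python
"""Model of 'cripple routing instead of hostname lookup': no default gateway,
one persistent /32 host route per approved destination pointing at the router.
Added example, not code from the original mail. Addresses are the thread's
sample LAN; the approved IPs are constructed placeholders (RFC 5737 ranges)."""
import ipaddress

ROUTER = ipaddress.ip_address("192.168.0.1")
LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample input: two "approved" public hosts and the DNS server.
APPROVED = ["203.0.113.10", "198.51.100.25"]
DNS_SERVER = "192.168.0.1"   # same as the router here, so no extra route needed


def _targets(approved, dns_server, lan=LAN):
    """Approved IPs, plus the DNS server if it is not already reachable on the LAN.
    Each entry must be an IP literal (ip_address raises ValueError on a hostname),
    matching the mail's note that names cannot be used here."""
    targets = [str(ipaddress.ip_address(ip)) for ip in approved]
    if ipaddress.ip_address(dns_server) not in lan:
        targets.append(dns_server)
    return targets


def route_commands(approved, dns_server, router=ROUTER, lan=LAN):
    """The Windows 'route -p add' lines to type in an administrator prompt."""
    return [f"route -p add {ip} mask 255.255.255.255 {router}"
            for ip in _targets(approved, dns_server, lan)]


def routing_table(approved, dns_server, router=ROUTER, lan=LAN):
    """Resulting table as (prefix, next_hop). The LAN is on-link (next hop None);
    there is deliberately no 0.0.0.0/0 entry because the default gateway was
    cleared."""
    table = [(lan, None)]
    for ip in _targets(approved, dns_server, lan):
        table.append((ipaddress.ip_network(f"{ip}/32"), router))
    return table


def next_hop(dest, table):
    """Longest-prefix match over the table. Returns 'on-link', the router
    address as a string, or None when no route matches (packet is dropped)."""
    dest = ipaddress.ip_address(dest)
    best = None
    for prefix, hop in table:
        if dest in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    if best is None:
        return None
    return "on-link" if best[1] is None else str(best[1])


if __name__ == "__main__":
    for cmd in route_commands(APPROVED, DNS_SERVER):
        print(cmd)
    table = routing_table(APPROVED, DNS_SERVER)
    # A typed-in IP of an unapproved host gets no route, unlike the hosts-file
    # approach, where the browser would still reach it by address.
    for probe in ("203.0.113.10", "203.0.113.11", "192.168.0.7"):
        print(probe, "->", next_hop(probe, table))
```

After applying the real commands on the Windows box, `route print` should show the /32 entries under the persistent routes and no `0.0.0.0` network destination. The scheme only holds while the user cannot change the machine's network settings: anyone with local administrator rights can put the default gateway back.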