[thelist] Restricting Internet Access by LAN IP

Phil Turmel philip at turmel.org
Tue Jun 28 21:37:54 CDT 2005


Matthew,

Although the hosts file method should work well, it can be defeated if a 
user types an IP address directly into the browser.  An alternative is 
to cripple routing instead of hostname lookup.  Assuming the following 
typical addresses:

Linksys: IP = 192.168.0.1, subnet mask = 255.255.255.0
Computer: IP = 192.168.0.5, subnet mask = 255.255.255.0,
	Default gateway = 192.168.0.1, Preferred DNS = 192.168.0.1,
	Alternate DNS = 0.0.0.0

First, change the default gateway to 0.0.0.0.
Next, in an administrator command prompt, add persistent routes for each 
approved host:

route -p add {IP of approved host} mask 255.255.255.255 192.168.0.1

Note: you must use the IP address of the approved host, not its name (no 
worse than putting it in a hosts file, but not terribly convenient).

If in your case the preferred DNS is not equal to the original default 
gateway (the router's IP), add a persistent route for it, too.

If you need help with your specific addresses, I'd be happy to help offlist.

Phil
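The route-based restriction Phil outlines, as an added example that is not part of the original thread. It assumes an elevated PowerShell session on the Windows machine, that the default gateway has already been cleared to 0.0.0.0 in the adapter settings, that the router and DNS addresses are the ones from the post, and that the approved-host addresses are constructed placeholders from the RFC 5737 documentation range. The verification step assumes the Get-NetRoute cmdlet is available (Windows 8 / Server 2012 or later); on older systems the "Persistent Routes" section of `route print` gives the same information.

```powershell
# Added example, not from the original thread: automate the per-host routes Phil
# describes. Assumes an elevated PowerShell session on a Windows host whose default
# gateway has already been cleared (0.0.0.0). Router and DNS follow the post; the
# approved-host addresses are constructed placeholders (RFC 5737 documentation range).

$Router   = '192.168.0.1'
$Dns      = '192.168.0.1'
$Approved = @('203.0.113.10', '203.0.113.11')

# The DNS server only needs its own route when it is not the router itself.
$Targets = @($Approved)
if ($Dns -ne $Router) { $Targets += $Dns }

foreach ($ip in $Targets) {
    # /32 host route via the router; -p persists it across reboots.
    # With no default gateway, any destination without such a route is unreachable.
    route -p add $ip mask 255.255.255.255 $Router | Out-Null
}

# Verification (assumption: Get-NetRoute is available, Windows 8 / Server 2012 or later).
$missing = @($Targets | Where-Object {
    -not (Get-NetRoute -DestinationPrefix "$_/32" -ErrorAction SilentlyContinue)
})
if ($missing.Count -gt 0) {
    Write-Warning ("Host routes missing for: " + ($missing -join ', '))
} else {
    Write-Host ("All {0} host routes are present via {1}" -f $Targets.Count, $Router)
}

# Confirm no default route is present; if one exists, the restriction is not in effect.
if (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue) {
    Write-Warning 'A default route (0.0.0.0/0) exists; the per-host restriction is void.'
}
```

Run it once from an elevated prompt; to remove a host again, `route delete <ip>` drops the persistent entry. Because the routes are keyed by IP, an approved site that changes address stops working until its route is updated, which is the inconvenience Phil notes.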



Matthew Lewis wrote:
> Okay, I'm not very experienced with using the hosts file beyond very 
> basic purposes.  What would I have to do to disallow DNS lookups for 
> sites that aren't in the hosts file?  The first option you listed below 
> sounds a little more complex than I want to get into, seeing as how I'm 
> doing the whole job for free anyway.  The second option, setting the 
> computer's DNS to not get service and give DNS resolution by the hosts 
> file, sounds doable but I'm not sure how to get started. If anyone could 
> provide a quick example, I'd appreciate it.
> 
>> ...Unfortunately, I can't get a Linux machine for this network...
> 
> 
>> just wondering WHY you can't get a linux
>> box on the network? As this is the simplest
>> solution wondering what the restriction is so
>> we don't come up with a solution that has
>> the same problem.
> 
> The problems are that the organization in question doesn't have money 
> for another box to install Linux on, and if it did, I must confess that 
> I have absolutely no experience using anything on Linux beyond web 
> applications. I'd hate to have them buy something only to find out that 
> I still can't get the system running anytime soon.  I think the hosts 
> file will be the easiest alternative at this point, if someone can head 
> me in the right direction with it.  I wish I could get Squid to work on 
> one of the Windows boxes - but I gave it a try and got absolutely 
> nowhere with it.
> 
> Thanks for all the ideas guys,
> 
> Matthew
> 
> Joshua Olson wrote:
> 
>>> -----Original Message-----
>>> From: Ken Schaefer
>>> Sent: Monday, June 27, 2005 9:23 PM
>>
>>> A HOSTS file will work.
>>
>> The hosts file may help, but is not a total solution.  You would need to
>> disallow DNS lookups for sites NOT in the hosts file.  You could, in theory,
>> set the DNS of the machines in question to either an in-house DNS server
>> that only has records for a few sites (those that are allowed) or set the
>> computer's DNS to something that provides no service and provide DNS
>> resolution via the hosts file.
>>
>> <><><><><><><><><><>
>> Joshua L. Olson
>> WAE Tech Inc.
>> http://www.waetech.com/
>> Phone: 706.210.0168 Fax: 413.812.4864
>>
>> Monitor bandwidth usage on IIS6 in real-time:
>> http://www.waetech.com/services/iisbm/
>>
> 
