Answer the question
In order to leave comments, you need to log in
Deny Internet access to static addresses?
Given: ubuntu 16.04 - iptables software gateway, isc-dhcp-server, squid, 50 computers, air and wired, behind the LAN gateway, all receive Ip through the ubuntu gateway. We urgently need to prohibit a certain user from accessing a single resource, namely youtube.com. (squid is baked). The ban through the forward iptables chain does not roll, as the user simply changes the ip. to another static one. I know that in Tsysk in the dhtsp settings, you can cut such cunning users and disable the stat. addresses. How to implement this in ubuntu? binding on the poppy does not roll, as the user and the poppy. quietly changes. stat. arp table? but then you have to prescribe the stat. arp on each host is a hassle. Through ex. switch? how to implement? In general, I will be glad to hear your ideas!
Answer the question
In order to leave comments, you need to log in
If the switch is smart, then move this honorable user to a separate Wealan and for this Wealan, or cut the speed to the Internet. Or set a traffic limit. Or set limits. I think that it will definitely not start running on sockets with a wire). In general, I adhere to the idea that one port - one IP address. Drop the rest. ) but it already needs an appropriate piece of iron. Or raise a pppoe server. Transfer everyone to it ... and cheaply and full control over accounts)))
Or implement AD in the network. Then simply block the ability to change network settings with security policies. You'll have to sweat a lot to get around this.
I see such an option - when issuing an ip-address via dhcp, execute a script that adds allow or deny rules to iptables.
jpmens.net/2011/07/06/execute-a-script-when-isc-dh...
Another question is how do you block youtube without squid? Yes, and if your user guesses my poppy, then he will gladly use vpn / anonymizer
Usually, such users are severely reprimanded for using the Internet for other purposes, with a record in the labor force and deprivation of the bonus.
First of all, the white list helps from changing poppy and un. And secondly, you can act administratively by prohibiting the user from changing anything, using personal laptops in the corporate network, etc.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question