How do I block internet access by computer or user?

v7

(Charles) #1

NethServer Version: NethServer release 7.3.1611
Module:

Hello nethserver forum,

I’m reading through the docs and I’m wondering if web filter is the tool that may help me. I’ve set up a domain on my NethServer and I’ve successfully connected a Windows 7 VM to my domain. I’m exploring how I can block all Internet access by either:

  • Domain logged in user
  • Computer IP address

There are some workstations that will never need Internet access. I’m looking to see if NethServer can assist in this respect.
In order for this to work, does NethServer need to become my primary DHCP server as well?

Thank you.


(Alessio Fattorini) #2

Do you need to block the whole internet or just filter the navigation?
In the first case you need to create some firewall rules; in the latter, you need to configure the HTTP proxy as well as the content filter.


(Charles) #3

Hello @alefattorini and thank you for this reply!

I was hoping for a slick solution to easily add by IP Address each workstation that needs to be completely locked out from the Internet. Looking at ClearOS they have something called Access Control whereby they can set a schedule of when Internet Access is allowed almost like a parent/guardian feature to lock down the Internet for certain devices if needed. I suppose I could add a firewall rule for each Workstation but I was hoping there was a way within a module perhaps that would keep all these rules separate from all my other Firewall rules. I may at times need to open Internet Access to these workstations and having all these in one place or module would be cleaner than finding the right firewall rule.


(Alessio Fattorini) #4

Not following here. Generally we make rules filtering by IP ranges or CIDR and adding some special rules for specific IPs. What am I missing?


(Mark Edworthy) #5

Just thinking, rather than blocking based upon IP address, what about having a function to block using the client device MAC address?


(Joel Clendineng) #6

I don’t know if I understand. You can block by MAC already. You add the host as a static IP in DHCP, by MAC, and use that host when you are blocking stuff. What exactly are you trying to do? If it is to lock out from the Internet, all you do is create a static IP from the MACs you want to block, add a rule that blocks all incoming connections to that specific host, and profit. All outgoing are already blocked by default, I believe? Maybe I got it mixed up :) Anyway, that’s what I do. I use my Linux machine for Internet and Windows for gaming, so I do that to restrict Internet. I also use Windows firewall to control the 2 or so apps I need through. If you want to block everything, it is super easy: just set the firewall to block all to the host. You don’t need to worry about the proxy unless you wish to block specific content.


(Joey) #7

Hey guys, sorry to resurrect this old thread, but, I’ve read through tons of documentation, and scoured the forums, but I can’t find a resolution.

The simple matter is trying to drop packets from the net (red) to specific hosts, or host groups on green. Below is my setup. I can create ANY rule I want, yet traffic is still flowing.


I’ve attempted with every configuration, blocking specific hosts, host groups. Not sure what I’m missing.