Dr.Black.85 n00b
Joined: 19 Dec 2005 Posts: 55 Location: Czech Republic
Posted: Sat Feb 11, 2006 7:39 pm Post subject: [SOLVED] - How to setup a basic blocking of specific IP's?
Hello,
I've been searching these forums for a basic way to prevent access to specific webservers, but I couldn't find how to prevent access to some web pages. It can be a really basic way, since I don't expect that 10-year-old children will find a way to bypass it.
What kind of application would you recommend, and how do I add banned IP's there?
And some important things:
- It should be an application for workstations, since there's no real server in the LAN except the router.
- It should be capable of sending me an e-mail on any attempt to access that server.
Thanks for your help.
_________________
How will you notice that you spend too much time programming?
When you're surprised that your document writer isn't marking lines unfinished by semicolon with "cannot find symbol"
Last edited by Dr.Black.85 on Sun Feb 12, 2006 3:42 pm; edited 1 time in total
Teetante Guru
Joined: 02 Mar 2004 Posts: 515 Location: Oldenburg/Germany
Posted: Sat Feb 11, 2006 8:01 pm Post subject: Re: How to setup a basic blocking of specific IP's?
> Dr.Black.85 wrote:
> Hello,
> I've been searching these forums for a basic way to prevent access to specific webservers, but I couldn't find how to prevent access to some web pages. It can be a really basic way, since I don't expect that 10-year-old children will find a way to bypass it.
> What kind of application would you recommend, and how do I add banned IP's there?
> And some important things:
> - It should be an application for workstations, since there's no real server in the LAN except the router.
> - It should be capable of sending me an e-mail on any attempt to access that server.
> Thanks for your help.

Well, you should set up a proxy server like Squid to handle all web traffic. All browsers must then be pointed to that proxy server to handle their requests. If someone disabled the use of proxy servers in his browser it would of course fail.
A real solution could only be built on the router (either filter _all_ access to the IPs/hosts, or only allow the proxy process direct HTTP/HTTPS connects).
_________________
ICQ #81510866 - http://the-gay-bar.com - MSN tante@emptiness.de
Occam's Razor:
-"Entia non sunt multiplicanda praeter necessitatem."-
Dr.Black.85 n00b
Joined: 19 Dec 2005 Posts: 55 Location: Czech Republic
Posted: Sat Feb 11, 2006 8:21 pm Post subject: Re: How to setup a basic blocking of specific IP's?
> Teetante wrote:
> A real solution could only be built on the router (either filter _all_ access to the IPs/hosts, or only allow the proxy process direct HTTP/HTTPS connects).

Thanks for the advice; however, the problem with the router is that it doesn't have many functions. In something called "Access control" I could only select game protocols to disable, or disable access to ALL webservers.
Isn't there some other way, like how to ensure that the proxy won't be bypassed? I'm leaving the LAN unmanned from Monday to Wednesday and I wouldn't like to find that while I was gone some child was browsing webpages he/she shouldn't be able to...
I know I asked about a basic solution, but the problem is that I wouldn't like to underestimate a situation where someone older comes and turns the proxy off by himself.
_________________
How will you notice that you spend too much time programming?
When you're surprised that your document writer isn't marking lines unfinished by semicolon with "cannot find symbol"
Teetante Guru
Joined: 02 Mar 2004 Posts: 515 Location: Oldenburg/Germany
Posted: Sat Feb 11, 2006 8:29 pm Post subject: Re: How to setup a basic blocking of specific IP's?
> Dr.Black.85 wrote:
> > Teetante wrote:
> > A real solution could only be built on the router (either filter _all_ access to the IPs/hosts, or only allow the proxy process direct HTTP/HTTPS connects).
>
> Thanks for the advice; however, the problem with the router is that it doesn't have many functions. In something called "Access control" I could only select game protocols to disable, or disable access to ALL webservers.
> Isn't there some other way, like how to ensure that the proxy won't be bypassed? I'm leaving the LAN unmanned from Monday to Wednesday and I wouldn't like to find that while I was gone some child was browsing webpages he/she shouldn't be able to...
> I know I asked about a basic solution, but the problem is that I wouldn't like to underestimate a situation where someone older comes and turns the proxy off by himself.

Well, you could disable net access in the router for the child's PC and build the proxy on one of your other PCs. The child can then either use the proxy or has no net whatsoever. Of course that would cut off everything not handled by the proxy.
_________________
ICQ #81510866 - http://the-gay-bar.com - MSN tante@emptiness.de
Occam's Razor:
-"Entia non sunt multiplicanda praeter necessitatem."-
Dr.Black.85 n00b
Joined: 19 Dec 2005 Posts: 55 Location: Czech Republic
Posted: Sat Feb 11, 2006 8:40 pm
The possibility of building a physical proxy here is practically minimal, since there are only a few computers with local users...
Isn't there something like a daemon that would watch any internet traffic coming in and out of the physical computer? Something that wouldn't have to be specified in the browser settings? Something that would simply block any incoming packets from a given IP and notify me about such attempts?
I managed to read something about banning IP's on the server side. Couldn't something like that be used?
I know that I must be a really annoying n00b, since I hadn't expected that I'd have to leave active access to the internet when I'm gone...
_________________
How will you notice that you spend too much time programming?
When you're surprised that your document writer isn't marking lines unfinished by semicolon with "cannot find symbol"
Teetante Guru
Joined: 02 Mar 2004 Posts: 515 Location: Oldenburg/Germany
Posted: Sat Feb 11, 2006 9:11 pm
> Dr.Black.85 wrote:
> The possibility of building a physical proxy here is practically minimal, since there are only a few computers with local users...
> Isn't there something like a daemon that would watch any internet traffic coming in and out of the physical computer? Something that wouldn't have to be specified in the browser settings? Something that would simply block any incoming packets from a given IP and notify me about such attempts?
> I managed to read something about banning IP's on the server side. Couldn't something like that be used?
> I know that I must be a really annoying n00b, since I hadn't expected that I'd have to leave active access to the internet when I'm gone...

Well, if you can get a proxy running in that network you should be able to use iptables to let the clients make HTTP and HTTPS connections only to the computer that you made the proxy. If the other computers are not Linux boxes, maybe some software firewall might do the same.
If you cannot get a proxy running you could of course set up a software firewall on each client and deny certain sites (but you'll have to do that manually on every client).
But for a real solution you might want to replace your hardware router with a little Linux box to get rid of problems like that one. An old Pentium takes care of our DSL here, for example (using Fli4L, a special Linux distribution for router/proxy use).
_________________
ICQ #81510866 - http://the-gay-bar.com - MSN tante@emptiness.de
Occam's Razor:
-"Entia non sunt multiplicanda praeter necessitatem."-
Dr.Black.85 n00b
Joined: 19 Dec 2005 Posts: 55 Location: Czech Republic
Posted: Sat Feb 11, 2006 9:23 pm
Thanks for the reply.
There aren't many computers in the LAN, so I will just install a firewall. I've already run a search for GUI frontends for iptables, which I found in the net-firewall section.
Which frontend should I use if I want to receive alerts via e-mail about attempts to reach blacklisted sites? It's quite important to know which user tried to do it.
I'll probably leave it working for "pedagogical" reasons. I can only guess how many curious students will have a problem. At least there will be some fun :lol:
_________________
How will you notice that you spend too much time programming?
When you're surprised that your document writer isn't marking lines unfinished by semicolon with "cannot find symbol"
nms n00b
Joined: 16 Jul 2005 Posts: 43 Location: Umeå, Sweden
Posted: Sun Feb 12, 2006 1:24 am
The most sensible solution in this situation is probably using a proxy like Squid, just as suggested. In combination with iptables this can be used completely transparently to the user and his/her web browser, which means there is no way for the user to avoid using the proxy. The proxy can then be set up to block certain web sites based on host/domain name.
As far as e-mail alerts go, you would probably need some sort of tool that scans the proxy log once a day (or at whatever interval you feel is necessary) and sends you a list of any attempts to access blocked web sites.
How much control do you need regarding which individuals are trying to access what? Is each and every individual using his/her own computer (and static IP address) on the local network, or does each individual have a personal user account for logging in to shared computers? There are a number of variables depending on the actual hardware (how many systems, how many individuals etc.) and software (personal or shared user accounts, operating systems etc.) configuration of your network.
I'm quite sure that your specific needs can be met without anyone growing too many grey hairs; you just need to figure out what those needs are.
Dr.Black.85 n00b
Joined: 19 Dec 2005 Posts: 55 Location: Czech Republic
Posted: Sun Feb 12, 2006 9:07 am
Well, the LAN consists of 3 permanently connected computers and some laptops. Each computer has local users, since I didn't bother creating server-side users (if there is no server I couldn't do it at all).
It would be nice to know which user tried to access a blacklisted site, when he tried it and what the target IP/domain was. I looked at some mailing scripts and I guess that with some work I could write a working one in a few hours and then simply put it in cron. If there isn't a simpler solution, of course.
_________________
How will you notice that you spend too much time programming?
When you're surprised that your document writer isn't marking lines unfinished by semicolon with "cannot find symbol"
nms n00b
Joined: 16 Jul 2005 Posts: 43 Location: Umeå, Sweden
Posted: Sun Feb 12, 2006 1:19 pm
> Quote:
> Each computer has local users, since I didn't bother creating server-side users (if there is no server I couldn't do it at all).

This confuses me a bit; are the users local to each client system or network-wide?
I would guess that Squid can perform ident lookups on the client when it tries to access a blacklisted site, but I haven't used Squid in a couple of years so I can't say for sure. If it can't do ident lookups, it wouldn't be much of a hassle to compare times in the Squid log to those in the client system auth log. If the clients are MSWin (which you failed to mention), this would require that you are using Samba or similar as domain controller and that all logins on the client machines are done to the domain, so that Samba logs all logins. If all clients are *nix you could set up remote logging on the clients so that all client auth log events are sent to your firewall instead of being stored on the client disk. Both of these solutions of course require that the client systems are in your control.
The script to scan the logs and send e-mail alerts should be easy enough to put together, but as I don't have any Squid logs handy I'm having trouble giving you an example of this.
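The log-scanning alert script mentioned in nms's two posts above, written out as an added example (it is not code from this thread, from Squid, or from any poster). It assumes Squid's native access.log format (epoch timestamp, elapsed ms, client IP, action/status, bytes, method, URL, ident user, hierarchy, content type) and that blacklisted sites are refused by an `http_access deny` rule, which Squid records as `TCP_DENIED/403`. The log lines, the e-mail addresses and the SMTP host are constructed sample values. The report lists exactly what Dr.Black.85 asked for: which client, when, and which URL, plus the ident user when Squid recorded one.

```python
"""Scan a Squid access.log for denied requests and build an e-mail alert.

Added example, not code from the thread. Assumes Squid's native access.log
format and that blocked sites are denied by an http_access rule, which Squid
logs as TCP_DENIED/403. The log lines below are constructed sample data.
"""
import re
import smtplib
from collections import defaultdict
from datetime import datetime, timezone
from email.message import EmailMessage

# Constructed sample log lines in Squid's native format (not a real log).
# Field order: time elapsed client action/status bytes method url ident hier type
SAMPLE_LOG = """\
1139698800.123    45 192.168.1.10 TCP_MISS/200 4812 GET http://www.gentoo.org/ - DIRECT/1.2.3.4 text/html
1139698861.004     0 192.168.1.11 TCP_DENIED/403 1382 GET http://blocked.example/index.html alice NONE/- text/html
1139698870.500     0 192.168.1.11 TCP_DENIED/403 1382 GET http://blocked.example/pics/ alice NONE/- text/html
1139698900.001     0 192.168.1.12 TCP_DENIED/403 1382 CONNECT other-blocked.example:443 - NONE/- -
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_access_log(text):
    """Parse native-format lines into dicts; malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
        # Squid writes "-" when ident lookups are off or the client did not answer.
        rec["user"] = None if rec["ident"] == "-" else rec["ident"]
        records.append(rec)
    return records


def denied_attempts(records):
    """Keep only requests Squid refused with an http_access deny rule."""
    return [r for r in records if r["action"] == "TCP_DENIED" and r["status"] == "403"]


def build_report(attempts):
    """Group denied requests per client and render a plain-text summary."""
    by_client = defaultdict(list)
    for r in attempts:
        by_client[r["client"]].append(r)
    lines = [f"{len(attempts)} blocked request(s) in this period"]
    for client in sorted(by_client):
        lines.append(f"\nclient {client}:")
        for r in by_client[client]:
            who = r["user"] or "unknown (no ident)"
            stamp = r["when"].strftime("%Y-%m-%d %H:%M:%S UTC")
            lines.append(f"  {stamp}  user={who}  {r['method']} {r['url']}")
    return "\n".join(lines)


def make_alert(attempts, sender, recipient):
    """Wrap the report in an e-mail message; returns None when nothing was blocked."""
    if not attempts:
        return None
    msg = EmailMessage()
    msg["Subject"] = f"[squid] {len(attempts)} blocked request(s)"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content(build_report(attempts))
    return msg


def send_alert(msg, host="localhost"):
    """Hand the message to the local MTA (hypothetical host; only called from main)."""
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # From cron you would read the real file, e.g. open("/var/log/squid/access.log"),
    # and call send_alert(); here the constructed sample is just printed.
    alert = make_alert(denied_attempts(parse_access_log(SAMPLE_LOG)),
                       "squid@lan.example", "admin@lan.example")
    if alert is not None:
        print(alert.get_content())
```

Run it from cron at the interval nms suggests; since Squid appends to the same file, keep a marker (last processed timestamp) between runs or rotate the log after each scan so an attempt is reported only once. If ident lookups are not enabled, the `user` field stays empty and the client IP has to be matched against the client's own auth log, as nms describes.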
Dr.Black.85 n00b
Joined: 19 Dec 2005 Posts: 55 Location: Czech Republic
Posted: Sun Feb 12, 2006 2:14 pm
- All the computers are running Gentoo Linux (for budget, reliability and control reasons).
- All user accounts are local.
I tried to include iptables in the kernel of one computer, but I probably did something wrong because it ruined the eth0 module, so I recovered it and unmerged iptables.
So should I try that Squid proxy? I hope it doesn't require any kernel modifications, since I was quite on edge while recovering the working kernel for about 2 hours (I couldn't find where I had backed up the configuration).
_________________
How will you notice that you spend too much time programming?
When you're surprised that your document writer isn't marking lines unfinished by semicolon with "cannot find symbol"
nms n00b
Joined: 16 Jul 2005 Posts: 43 Location: Umeå, Sweden
Posted: Sun Feb 12, 2006 2:35 pm
For Squid to work transparently, and thereby not require any configuration on the client systems, you need Netfilter (iptables) in the kernel. This should not be a problem, as the only modification you need to make to the kernel configuration is to enable all the iptables modules. Netfilter is required to make any outgoing connections on port 80 (www) redirect to port 3346 (transparent proxy).
This proxy system of course needs to be placed between the network of local computers (the client systems) and the external network (the "internet connection"), which usually means it will need two network interface cards. There are ways to work around this, but this is the easiest way to do things.
Do any of the individual users have root access to any of the client systems?
Dr.Black.85 n00b
Joined: 19 Dec 2005 Posts: 55 Location: Czech Republic
Posted: Sun Feb 12, 2006 2:45 pm
> nms wrote:
> Do any of the individual users have root access to any of the client systems?

The only person who has root access is me. And I wouldn't like to play with the kernel again, since when I turned on iptables in the kernel, eth0 refused to work with "no such device".
Couldn't I use Squid on each computer without any manipulation of the kernel? I have assured myself that all the users have no idea what a proxy is, so I guess that they won't know what to do with the settings to bypass it.
_________________
How will you notice that you spend too much time programming?
When you're surprised that your document writer isn't marking lines unfinished by semicolon with "cannot find symbol"
nms n00b
Joined: 16 Jul 2005 Posts: 43 Location: Umeå, Sweden
Posted: Sun Feb 12, 2006 3:30 pm
The proxy settings are very easy to bypass if they are set in the web browser, but you know your users better than I do.
I would recommend against running a web proxy on each client system, since it would probably slow each system down. Web proxies are normally run on a separate system to speed up web access for all clients using that proxy, since the proxy stores files retrieved by one client and then uses the locally cached copy of the file if it is requested again (by the same or another client). Blacklisting web sites is just a "bonus" functionality that web proxies like Squid offer.
If you are only interested in blocking web sites and not in the web proxy in general, you could always set up a local DNS that points all blacklisted hosts to a local web server that delivers an error message. This will make logging and e-mail alerts a lot more difficult, though.
Dr.Black.85 n00b
Joined: 19 Dec 2005 Posts: 55 Location: Czech Republic
Posted: Sun Feb 12, 2006 3:42 pm
Well, I think I'll go for the proxy on all local systems that can be accessed by students, since there is no computer that I could use as a plain proxy system or a DNS. Well, I'll see how it turns out.
Thanks for the advice, nms.
_________________
How will you notice that you spend too much time programming?
When you're surprised that your document writer isn't marking lines unfinished by semicolon with "cannot find symbol"