possibility to block internet on clients

Asked by Oliver R.

Dear developers,

I gave Epoptes a short try and I am impressed so far!

In my situation at school it would be desirable to block the internet access of selected (or all) clients. Are there any plans to implement such a function?

My idea was to launch the following commands on the client on which the internet shall be blocked:
sudo iptables -A OUTPUT -d 192.168.0.0/255.255.0.0 -j ACCEPT
sudo iptables -A OUTPUT -j DROP
Then, afterwards, only the local network is accessible.

Cheers,
Oliver

Question information

Language: English
Status: Solved
For: Epoptes
Assignee: No assignee
Solved by: Oliver R.

Fotis Tsamis (ftsamis) said :
#1

Hello Oliver,

We've thought of using iptables for blocking internet access. The problem is with LTSP (thin) clients.

Thin clients access the internet (and do everything else) through the server, so we would need to block the internet access from the server. There is an iptables module (owner) that can filter outgoing packets per-user which works well for our case, but the problem is that we, in no way, want to require server sudo access in epoptes. We were thinking of a suid program, and some other hacks to accomplish internet blocking on every type of client or using squid, but we haven't come up with something that we are fully satisfied with yet.

There are plans to implement this, we just need to find a clean and secure way of doing it.

Alkis Georgopoulos (alkisg) said :
#2

We could open a bug report about this though, until it's implemented, as a placeholder to gather all possible solutions.

Instead of using a suid wrapper, we could also use the Linux kernel capabilities subsystem, like `ping` does:
$ getcap /bin/ping
/bin/ping = cap_net_raw+p
$ man capabilities
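
Added example (not part of the original thread and not Epoptes code), illustrating the concern raised in replies #1 and #2: whichever privileged helper ends up calling iptables should build the per-user `owner` rules itself from strictly validated input, so the unprivileged side can only name a user and never supply rule text. `block_rules`, `system_uid`, `MIN_UID`, the RFC 1918 restriction and the loopback rule are assumptions made for this sketch.

```python
import ipaddress
import pwd
import re

MIN_UID = 1000  # assumption: student accounts start here; system users are never filtered
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def system_uid(name):
    """Default resolver: look the account up in the server's passwd database."""
    return pwd.getpwnam(name).pw_uid


def block_rules(username, lan="192.168.0.0/16", resolve_uid=system_uid):
    """Return iptables argv lists limiting one user's outgoing traffic to loopback and the LAN."""
    if not isinstance(username, str) or not NAME_RE.fullmatch(username):
        raise ValueError("invalid user name")
    try:
        uid = int(resolve_uid(username))  # only the numeric UID ever reaches iptables
    except KeyError:
        raise ValueError("unknown user") from None
    if uid < MIN_UID:
        raise ValueError("refusing to filter a system account")
    # Parsing the network rejects option-like strings such as "-j ACCEPT"
    net = ipaddress.ip_network(lan, strict=True)
    if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
        raise ValueError("LAN must be a private IPv4 network")
    base = ["iptables", "-A", "OUTPUT", "-m", "owner", "--uid-owner", str(uid)]
    return [
        base + ["-o", "lo", "-j", "ACCEPT"],      # assumption: local services stay reachable
        base + ["-d", str(net), "-j", "ACCEPT"],  # LAN stays reachable, as in the question
        base + ["-j", "DROP"],                    # everything else from this user is dropped
    ]


if __name__ == "__main__":
    # Constructed sample: a fake passwd table, so nothing on the host is read or changed
    fake = {"pupil01": 1001, "root": 0}.__getitem__
    for rule in block_rules("pupil01", resolve_uid=fake):
        print(" ".join(rule))
```

The lists are meant to be executed without a shell (for example with `subprocess.run(rule, check=True)`) by the privileged side only; this sketch prints them and changes nothing.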

Oliver R. (oliverr) said :
#3

Thanks for your quick and clarifying answer!

Then my feeling was right, that internet blocking is no easy task... What a pity.