Internet access restriction on wired network


How can I restrict users' internet access based on their PC's MAC address? Or is there any open-source software for internet accounts?

I have one DSL connection connected to one switch; from the switch all PCs are connected.
I want to restrict users from accessing the internet other than authorised users or PCs.
I want to have one server which can control all the users and do internet caching also.
Duncan Roe (Software Developer) commented:
There is an iptables match extension for MAC addresses which you could apply to the PREROUTING table and reject depending on the destination address.
That presupposes the switch is running Linux.
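As an added example (not part of Duncan Roe's reply), here is a shell script that turns a MAC allow-list into the iptables rules he refers to, using the `mac` match in the FORWARD chain of a Linux box placed between the switch and the DSL modem. The interface names eth0/eth1, the allow-list path and the entries in it are assumptions made for the illustration. One caveat a practitioner should keep in mind: a MAC address is chosen by the client and trivially changed, so this keeps casual users off the line but does not stop someone who copies an authorised PC's address.

```shell
#!/bin/sh
# Added example, not code from the thread: turn a MAC allow-list into iptables
# FORWARD rules on a Linux box sitting between the switch and the DSL modem.
# Assumptions (hypothetical names): LAN side is eth1, DSL/WAN side is eth0, and
# the allow-list is a plain text file, one MAC per line, '#' starts a comment.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
IPT="${IPT:-iptables}"
ALLOW_FILE="${ALLOW_FILE:-${TMPDIR:-/tmp}/allowed_macs.txt}"

# Constructed sample allow-list, including one malformed line to show it is skipped.
write_sample_allow_list() {
  cat > "$ALLOW_FILE" <<'EOF'
# authorised PCs (constructed sample data)
00:11:22:33:44:55   # reception
AA:BB:CC:DD:EE:01   # accounts
not-a-mac           # typo, must never reach iptables
EOF
}

# Only the canonical colon-separated form is accepted; anything else is rejected
# here rather than handed to iptables, where it would abort the whole rule load.
valid_mac() {
  printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the rule set, one command per line, so it can be reviewed before being applied.
# The mac match only sees the *source* MAC of frames arriving from the LAN, so the
# replies coming back from the Internet are let through by connection tracking instead.
gen_rules() {
  echo "$IPT -P FORWARD DROP"            # default: nobody gets routed
  echo "$IPT -F FORWARD"
  echo "$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  sed 's/#.*//; s/[[:space:]]*$//' "$ALLOW_FILE" | while read -r mac; do
    [ -z "$mac" ] && continue
    if valid_mac "$mac"; then
      echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -m mac --mac-source $mac -j ACCEPT"
    else
      echo "skipping malformed allow-list entry: $mac" >&2
    fi
  done
  # masquerade so the allowed PCs share the single DSL address
  echo "$IPT -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Usage: sh mac_allowlist.sh show  (print the rules)
#        sh mac_allowlist.sh apply (run them; needs root and IP forwarding enabled)
case "${1:-show}" in
  show)  write_sample_allow_list; gen_rules ;;
  apply) write_sample_allow_list; gen_rules | sh -e ;;
esac
```

`show` prints the rules for review; `apply` pipes them into a shell as root. The `mac` match is only available in the PREROUTING, INPUT and FORWARD chains, which is why the allow rule is written for the LAN-to-WAN direction and the return direction relies on conntrack rather than on a second MAC rule.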

gukhan (Author) commented:
Where can I find the documentation to configure it as you mentioned?
jools (Senior Systems Administrator) commented:
You'll probably want to look at Squid as well...
Duncan Roe (Software Developer) commented:
"man iptables" - that's all I used
Gabriel Orozco (Solution Architect) commented:
You can disable access to the internet other than through a proxy.
It is easy; just this line in iptables:
iptables -P FORWARD DROP

Then add a proxy. Squid is the de facto proxy for Linux, with great features like ACLs that you can use to set who is allowed to access the internet and who isn't.

If you install Squid from your Linux distribution's packages, chances are your squid.conf is located at /etc/squid/squid.conf

This is what I would do:
1. Open a shell.
2. cd /etc/squid
3. mv squid.conf squid.conf.ori
4. pico squid.conf
5. Paste the code I am showing you.
6. pico authorized_ip_addresses.txt
7. Key in the authorized IP addresses in this form (I assumed your local area network is 192.168.1.x).
8. Restart Squid.
9. Check there are no errors (usually by checking the file /var/log/messages).
10. Go to an authorized PC, and enter the IP address of your Linux box, with port 3128, in the proxy section.
11. Browse the internet. It should be allowed.
12. Check on the non-authorized PCs. You can enter the proxy or not, but internet access should be disallowed.

Pay close attention to the comments in the posted squid.conf file.

Please let me know if you need any troubleshooting. This is the idea.

Of course there are lots of wonderful how-tos on the web. This is just one you can use.


# trimmed down Squid Configuration File for SOHOs:
# By Gabriel Orozco

# "transparent" is the Squid 2.6/3.0 keyword; Squid 3.1 and later call it "intercept".
# Newer versions treat intercept and explicit-proxy ports separately, so if the clients
# set the proxy by hand (step 10 above) a plain "http_port 3128" is the safe choice.
http_port 3128 transparent


# who is the cache administrator
cache_mgr your@email.address

# ACLs
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

# Squid 3.2 and later predefine "all" and "localhost"; redefining "all" only gives a warning.
acl all        src 0.0.0.0/0
acl lhost      src 127.0.0.1/32

# this is the file you need to edit to add machines to the allowed list:
acl allowed    src "/etc/squid/authorized_ip_addresses.txt"

# http_access lines are evaluated top down and the first match wins, so the port
# restrictions have to come before any "allow" line; otherwise an allowed client
# could CONNECT to any unprivileged port through the proxy.
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny  CONNECT !SSL_ports
http_access allow lhost
http_access allow allowed
http_access deny all

# where the squid cache database directory is located. make sure it is the same as is specified in the default file, since it should already be set up for you:
cache_dir ufs     /var/state/squid 100 16 256

# log files. make sure all these exist and are owned by squid:squid
# (Squid 2.6 and later spell the first directive "access_log")
cache_access_log  /var/log/squid/access.log
cache_log         /var/log/squid/cache.log
cache_store_log   /var/log/squid/store.log

# 16 MB of RAM is enough for most uses:
cache_mem 16 MB

# if you grow this the cache is less effective, but Windows "service packs" can be cached, which improves surfing too:
maximum_object_size 60240 KB

# user and group for squid execution:
cache_effective_user squid
cache_effective_group squid
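As an added example that is not part of Gabriel Orozco's post nor of Squid itself, the script below models how Squid walks an http_access list: top down, first match wins. It reproduces the Safe_ports, SSL_ports, lhost and allowed ACLs from the configuration above in plain shell, so the decision for a handful of sample requests can be checked before the live daemon is restarted. The client addresses, the ACL file path and the request list are constructed for the illustration. The rule order modelled is the one where the two port checks precede `allow allowed` (the layout Squid ships by default); with `allow allowed` placed before `deny CONNECT !SSL_ports`, an authorised PC could CONNECT to any port in the 1025-65535 Safe_ports range and tunnel whatever it likes through the proxy.

```shell
#!/bin/sh
# Added example (not Squid's code): a first-match model of the http_access list in
# the squid.conf above. Assumptions: the allowed-client file lives at $ACL_FILE and
# contains one IP per line; the rule order is hard-coded in decide() below.

ACL_FILE="${ACL_FILE:-${TMPDIR:-/tmp}/authorized_ip_addresses.txt}"

# Constructed sample of /etc/squid/authorized_ip_addresses.txt
write_sample_acl_file() {
  cat > "$ACL_FILE" <<'EOF'
# one authorised client per line (constructed sample data)
192.168.1.10
192.168.1.11
EOF
}

# acl allowed src "<file>": matches when the client IP is listed (exact line match).
is_allowed_src() {
  sed 's/#.*//; s/[[:space:]]*$//' "$ACL_FILE" | grep -qxF -- "$1"
}

# acl <name> port ...: single ports or lo-hi ranges, as in the config.
in_port_list() {
  port=$1; shift
  for entry in "$@"; do
    case $entry in
      *-*) lo=${entry%-*}; hi=${entry#*-}
           [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
      *)   [ "$port" -eq "$entry" ] && return 0 ;;
    esac
  done
  return 1
}
safe_port() { in_port_list "$1" 80 21 443 563 70 210 1025-65535 280 488 591 777; }
ssl_port()  { in_port_list "$1" 443; }

# decide <client_ip> <method> <dst_port>: prints the verdict and the line that matched.
# Lines are tried in the order they appear in squid.conf; the first hit ends the walk.
decide() {
  ip=$1; method=$2; port=$3
  if ! safe_port "$port"; then echo "DENY !Safe_ports"; return 0; fi
  if [ "$method" = CONNECT ] && ! ssl_port "$port"; then echo "DENY CONNECT !SSL_ports"; return 0; fi
  if [ "$ip" = 127.0.0.1 ]; then echo "ALLOW lhost"; return 0; fi
  if is_allowed_src "$ip"; then echo "ALLOW allowed"; return 0; fi
  echo "DENY all"
}

# Walk a few constructed requests: authorised and unauthorised clients, plain GETs,
# CONNECT to 443 (allowed) and CONNECT to 8443 / 22 (blocked by the port rules).
main() {
  write_sample_acl_file
  for req in "192.168.1.10 GET 80"  "192.168.1.10 CONNECT 443" \
             "192.168.1.10 CONNECT 8443" "192.168.1.10 CONNECT 22" \
             "192.168.1.200 GET 80" "127.0.0.1 GET 80" "192.168.1.10 GET 25"; do
    set -- $req
    printf '%-14s %-8s %-5s -> %s\n' "$1" "$2" "$3" "$(decide "$1" "$2" "$3")"
  done
}
main
```

The output line for `192.168.1.10 CONNECT 8443` is the one to look at: 8443 is inside the 1025-65535 Safe_ports range, so only the `deny CONNECT !SSL_ports` line stops it, and that line only helps if it sits above `allow allowed`. Once the real squid.conf is edited, `squid -k parse` (Squid 3.x) checks the syntax without restarting the daemon.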

gukhan (Author) commented: