
I am trying to deploy a Local Network web application, which should not necessitate a client login.

The requirement is to block certain machines (not users; just a few computers, as the application does not have a login page, so users are anonymous) in the LAN from accessing the application. The LAN has over 100 machines, and I am trying to block 20 of the machines. Think of it as blacklisting the machines.

My concerns are:

  • Can I do MAC address based filtering?
  • If not, should I be doing IP based filtering? This might not be possible as the LAN is configured with dynamic IP.

Is there any other way, through code that allows me to make my server configuration dynamic? Does the request hold any client-machine specific information which allows me to do this?

I do not actually have control of the network as it is for a client. I also do not have any say in the switches in use, the client OS, the budget, etc.

LAN topology: Token Ring, the server is running a flavor of RedHat Linux.

The web application is written in Java, deployed on top of Tomcat, but the solution need not necessarily be constrained. I generally want to know if we can drop all requests from specific machines in the network to our application.

Michael Hampton
  • Your question is vague. Tell us something about the LAN topology and the switches in use, the client OS, the server OS, DNS, what the server is etc. What is the budget for this ? – user9517 Oct 29 '14 at 08:05
  • Clarify your question: Is it your goal to prevent access to the website from specific computers, or by specific users who happen to use certain computers? (Frequently people jump to the idea of blocking access by certain computers when what they really want is to block access by particular users.) – Evan Anderson Oct 29 '14 at 10:13
  • Token Ring - really that's very unusual today. Yes, what you want to do is entirely possible in a modern network but how would depend upon the current infrastructure, OS etc. With token ring I really wouldn't know. – user9517 Oct 29 '14 at 10:39
  • Yes, I understand that the topology layout is alarmingly old, but I cannot change that. This is for a client in the banking domain. I need a quick/dirty solution if I can find one. – thoughtbot Oct 29 '14 at 10:53
  • I don't understand why you've taken the LAN topology out of your question now. It may be old but if it really is Token Ring then it's very relevant. Equally I've never known a banking system where quick and dirty would be a fit solution. – user9517 Oct 29 '14 at 11:03
  • Thank you for proving that I am an idiot. Sorry for not understanding how the topology is relevant at the application layer. How can I improve this question? Can you help me get to a solution? Is it possible, now that we have established that I have inadequate knowledge of networks? I moved the question here from SO as they complained that it was off topic. – thoughtbot Oct 30 '14 at 01:54
  • We didn't prove you are an idiot. The clarifications we requested were because your question was vague. It seems a little clearer now but to correctly answer it we still need information you have not provided. To have your application block a remote machine the application needs to know something about that machine. It can't know its MAC address as that isn't passed that far up. Your application server may be passed the IP address of the client. You could use this but to do so would require that the DHCP ... – user9517 Oct 31 '14 at 07:52
  • process/client be configured for dynamic DNS and for it to be working correctly. To be honest this whole question smacks of homework. It's the kind of vague question a professor gives people to make them go out and think. If it's not then you really should be engaging with your client's network team to find out more about how they can help you achieve your client's requirements. – user9517 Oct 31 '14 at 07:56

1 Answer


Linux has the arptables option that allows you to create a firewall that uses the MAC address instead of IP addresses.

For example something like:

# arptables chains are INPUT/OUTPUT/FORWARD; the rule only sees ARP frames,
# so it stops the listed host from resolving the server's address at all.
arptables -A INPUT --source-mac AA:BB:CC:DD:EE:FF -j DROP

HBruijn
  • Does that work on Token Ring? – user9517 Oct 29 '14 at 10:38
  • This might work, will try this. But won't this block access to the server instead of just the web application? Can I drop requests that are to a specific application? – thoughtbot Oct 29 '14 at 11:01
  • @Iain I admit I haven't used token ring in close to 15 years so I can't confirm, but according to the wikipedia pages on token ring the MAC address is present in each data frame, so no immediate reason to expect it wouldn't work. – HBruijn Oct 29 '14 at 11:38
  • @thoughtbot It is an ugly solution fitting your lousy requirements. Yes it will block all traffic to the server since you're operating on the media access control (MAC) layer. – HBruijn Oct 29 '14 at 11:42
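The follow-up in the comments (blocking only the web application rather than the whole server) can be handled with the iptables `mac` match module instead of arptables, by restricting the drop to the application's TCP port. The script below is an added example, not part of HBruijn's answer or the asker's setup; it assumes port 8080 (Tomcat's default HTTP connector) and uses constructed placeholder MAC addresses. Like arptables, it matches the source MAC of frames arriving on the server's own segment, so hosts behind a router, whose frames carry the router's MAC, are not covered.

```shell
#!/bin/sh
# Added example (not from the original answer): build iptables rules that drop
# traffic from a list of MAC addresses to the web application's TCP port only,
# so the rest of the server stays reachable. Uses the standard "mac" match
# (-m mac --mac-source), which compares the source MAC of incoming frames;
# it only works for hosts on the same layer-2 segment. Port 8080 (default
# Tomcat HTTP port) is an assumption; adjust WEB_PORT to the real listener.

WEB_PORT="${WEB_PORT:-8080}"

# Return 0 if the argument looks like a colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the iptables command that drops the given MAC's traffic to the port.
build_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s -m mac --mac-source %s -j DROP\n' "$2" "$1"
}

# Read MACs from stdin (one per line; '#' comments and blank lines ignored),
# validate them, and print one rule per MAC. Invalid entries are reported on
# stderr and make the function return 1, so a typo in the blocklist does not
# silently leave a machine unblocked.
build_rules() {
    port="$1"
    status=0
    while IFS= read -r line; do
        mac="${line%%#*}"
        mac="$(printf '%s' "$mac" | tr -d '[:space:]')"
        [ -z "$mac" ] && continue
        if valid_mac "$mac"; then
            build_rule "$mac" "$port"
        else
            printf 'skipping invalid MAC: %s\n' "$mac" >&2
            status=1
        fi
    done
    return "$status"
}

# Constructed sample blocklist (placeholder MACs, not real hosts), including
# one malformed entry to show the validation path.
SAMPLE_BLOCKLIST='# workstations denied access to the web app
AA:BB:CC:DD:EE:FF
00:11:22:33:44:55   # trailing comment after the entry
not-a-mac'

# Number of rules a blocklist text produces; a sanity check before applying.
count_rules() {
    printf '%s\n' "$1" | build_rules "$WEB_PORT" 2>/dev/null | grep -c .
}

# Default mode prints the commands for review; APPLY=1 executes them (root).
if [ "${APPLY:-0}" = "1" ]; then
    printf '%s\n' "$SAMPLE_BLOCKLIST" | build_rules "$WEB_PORT" | sh
else
    printf '%s\n' "$SAMPLE_BLOCKLIST" | build_rules "$WEB_PORT" \
        || printf 'some blocklist entries were skipped\n' >&2
fi
```

Without `APPLY=1` the script only prints the generated commands, which is the form to review before touching a production ruleset. After applying, `iptables -L INPUT -v` shows per-rule packet counters, so a blocked machine that still reaches the application (for example because it sits behind a router and arrives with a different source MAC) is visible as a rule whose counter never increments.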