How can I control my local network internet surfing?

2

I am looking for an efficient way to control my LAN, where I can control who is allowed to surf the internet and who is not, and which sites are allowed, even through HTTPS and non-standard ports, and most importantly based on open source software/setup. I have an Ubuntu box that can be used as a gateway/firewall/router. I am aware of the Squid transparent solution, but it does not cover all ports and services and it is easy to override. Is there a good software/solution for my case? For example: I want to block Facebook for certain users and/or WhatsApp voice calls, and also a whitelist of IPs/domains for a certain IP/user.

Thank you very much.

Fanar Web

Posted 2017-04-18T16:07:25.413

Reputation: 33

Answers

0

If no one knows how to spoof a MAC, you can use the DHCP server to assign a given IP to a given MAC.

dhcpd.conf

host user1 {
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
  fixed-address 192.168.1.249;
  hardware ethernet DC:9F:DB:8C:DD:00;
}

Then you can set up iptables to block based on source IP address.

You could also set up a captive portal. Many different ones exist.

It would force your users to log in. Then you would have a username you could rely on for traffic screening.

https://mohammadthalif.wordpress.com/2010/12/14/list-of-open-source-captive-portal-software-and-network-access-control-nac/

Open Source/Free

    ChilliSpot
    Wifidog
    PacketFence
    CoovaChilli
    Untangle
    pfSense
    PepperSpot
    Zeroshell
    m0n0wall
    Kattive
    EasyHotSpot
    GRASE Hotspot
    BrazilFW
    Alcasar

Closed Source/Paid

    FirstSpot (for Windows)
    Antamedia (hotspot manager for Windows)
    polkaspots
    MyHotspot
    Whizzwifi
    Facepoint
    IronWIFI
    Alepo WiFi Captive Portal

cybernard

Posted 2017-04-18T16:07:25.413

Reputation: 11 200

That was comprehensive, sir. I found pfSense was what I needed. Thank you very much for your help! – Fanar Web – 2017-05-31T23:03:25.200

0

You dismiss Squid because it doesn't cover all ports, but you're looking at the issue wrongly.

First, set up Squid as you'd expect it to work, then use iptables to block traffic on all ports that should not be allowed.

Using Squid you can implement user authentication; this will allow you to make sure only the correct users can use Squid to access the internet.

As for people using 'hidden' solutions, if you're blocking all traffic other than to and from the Squid server, you should easily be able to observe any suspicious traffic passing via the Squid server.

djsmiley2k TMW

Posted 2017-04-18T16:07:25.413

Reputation: 5 937
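
The filtering both answers describe (blocking by DHCP-assigned source IP, and refusing everything that does not go through Squid), as an added example that is not part of either answer. Assumed: the LAN interface is eth1 and Squid listens on the gateway's TCP port 3128; 192.168.1.249 is the fixed-address from the dhcpd.conf entry above.

```shell
#!/bin/sh
# Added example, not from the answers above. Assumed values: LAN interface
# eth1, Squid on the gateway's TCP port 3128. 192.168.1.249 is the
# fixed-address from the dhcpd.conf host entry in the first answer.
# Dry run by default (prints the commands); run as root with IPT=iptables to apply.
# Rules are appended, so they must not sit behind an earlier ACCEPT for LAN traffic.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"
PROXY_PORT="${PROXY_PORT:-3128}"
BLOCKED_HOSTS="${BLOCKED_HOSTS:-192.168.1.249}"   # space-separated source IPs

gateway_rules() {
    # Hosts with no internet access are refused at the proxy port.
    for ip in $BLOCKED_HOSTS; do
        $IPT -A INPUT -i "$LAN_IF" -s "$ip" -p tcp --dport "$PROXY_PORT" \
            -j REJECT --reject-with tcp-reset
    done
    # Log (rate-limited) and refuse anything the LAN tries to route directly,
    # on any port or protocol, so the authenticated proxy is the only way out.
    $IPT -A FORWARD -i "$LAN_IF" -m limit --limit 6/min \
        -j LOG --log-prefix "LAN-BYPASS:"
    $IPT -A FORWARD -i "$LAN_IF" -j REJECT --reject-with icmp-admin-prohibited
}

gateway_rules
```

The LAN-BYPASS: entries in the kernel log show which source IPs are trying to get around the proxy. iptables only covers IPv4, so a LAN with IPv6 connectivity needs the equivalent FORWARD rules in ip6tables.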