LinuxQuestions.org


iFunction 01-07-2016 04:33 PM

Restrict smart phone internet access
 
Hi There,

I hope this is the right place for this question, please point me in the right direction otherwise.

Is it possible to restrict smart phone internet access while allowing computers through? I am building a network of 36 Raspberry Pis and 15 Windows laptops that will rely on wifi. However, we don't want any smart phone access in this area, as we really need our techs on the ball and also it won't look good in front of clients, so I have been asked to try and lock this down. Smart phone access can be done elsewhere on a different network during breaks.

I will be using a Raspberry Pi as the firewall using iptables and was wondering if smart phones can be identified and thus blocked? If I could be pointed in the right direction, I will go do the research and post my solution if there is one that is appropriate.

Kind regards
iFunc

michaelk 01-07-2016 05:34 PM

You will have to remind us of your final network configuration. Are you using a Pi as an access point for everything?

Using wireless encryption and not telling anyone the key, or only allowing devices with a known MAC, would be the simplest methods. Although neither method is foolproof if they have access to the Pis. I guess these days just telling your techs not to use their cell phones isn't good enough...

iFunction 01-07-2016 05:58 PM

Hi there,

Thanks for your reply. I am just structuring my network; at the moment it is a work in development, but basically, I am providing images and video on screens throughout a series of pit lane garages at race tracks. There are 8 pods of 4 Pis; each pod is connected with a network switch and a nano router set up as a wireless dongle feeding the 4 Pis, with one as a main point of contact for the section. This is to make it so I effectively only have to deal with 6 Pis, if you see what I mean.

I will be building one separate Pi as a firewall, DHCP server, NTP server and backup server (with external hard drive). This will connect to the router on one side, and an access point on the other which will pump out the wifi throughout the pit lane to the six pods but also approximately 15 Windows computers and one printer. The six pods and Pis within them will all be static IPs; this is so I can easily shut down all Raspberry Pis with a double click of an icon on the server via a script that will ssh to each Pi in the network (to prevent corruption if someone unplugs the power on a pod at the end of the day, written this works very well). The Windows computers will be via DHCP. Connection to the internet is not vital but a nice-to-have for management and clients, but we don't want techs having the chance of being distracted with 200mph cars driving around.

Essentially, I think you are right, encryption without telling the key is the easiest, but that relies on them not finding out the password. This will be tricky as they can just jump onto a computer and find it out. MAC addressing would involve finding out all the MAC addresses of clients and guests, which is not practical. That was why I was wondering if there is a way of filtering using operating systems; that way I could allow any Linux or Windows machine, and then encryption for Android and iPhone.

Is this possible? I'm up for the challenge if it is just complex.

Kind regards
iFunc

michaelk 01-07-2016 06:51 PM

I would hope the track safety rules for the pit would not allow cell phones or similar devices so this should be a moot point.

Not sure what gets sent by the MS DHCP client but you would need to set up the DHCP server to only provide an IP address for the Windows machines via a vendor class identifier if possible:

http://forums.contribs.org/index.php?topic=49641.0
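
The vendor-class check suggested in the reply above, as an added example that is not part of the original thread: it parses the options field of a DHCP request, pulls out option 60 (vendor class identifier) and leases only to allow-listed prefixes. The allow-list policy and sample packets are constructed for illustration ("MSFT 5.0" is the string Windows clients commonly send, Android clients send strings beginning "android-dhcp-"); option 60 is client-supplied, so this filters honest clients rather than authenticating them, and a statically configured address bypasses DHCP altogether.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that precedes the options
BOOTP_FIXED_LEN = 236                # fixed BOOTP header before the cookie
OPT_PAD, OPT_VENDOR_CLASS, OPT_END = 0, 60, 255

# Assumed policy for this example: lease only to these vendor-class prefixes.
ALLOWED_PREFIXES = ("MSFT ", "dhcpcd-")

def parse_options(packet: bytes) -> dict:
    """Return {option_code: raw_bytes}; raise ValueError on malformed input."""
    start = BOOTP_FIXED_LEN + len(MAGIC_COOKIE)
    if len(packet) < start or packet[BOOTP_FIXED_LEN:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, start
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:     # declared length runs past the packet
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def decision(packet: bytes) -> str:
    """Return 'lease' only when option 60 is present and allow-listed."""
    try:
        vci = parse_options(packet).get(OPT_VENDOR_CLASS)
    except ValueError:
        return "ignore"              # malformed request: fail closed
    if vci is None:
        return "ignore"              # no identifier sent: fail closed
    text = vci.decode("ascii", errors="replace")
    return "lease" if text.startswith(ALLOWED_PREFIXES) else "ignore"

def build_sample(vendor_class) -> bytes:
    """Constructed DHCPDISCOVER: zeroed header, option 53, optional option 60."""
    opts = b"\x35\x01\x01"
    if vendor_class is not None:
        opts += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    return bytes(BOOTP_FIXED_LEN) + MAGIC_COOKIE + opts + b"\xff"
```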

iFunction 01-07-2016 07:22 PM

These are private track days, so rules like that don't necessarily apply, though it is part of our policy to behave like that, so you are right it is a bit of a moot point, but simply making it not accessible just means that it is not seen around the venue.

I have rethought the Windows part of this and they will also be on static IPs as we will be sending data for backup at the end of the day. Thanks very much for your input on this issue. What I think would be the more standard way would be to have subnets: one for the main network, which will be a closed network for working data transfer and, as you suggested, MAC filtering, then a separate subnet for company managers and execs, and then a completely separate guest network broadcast as a second SSID from our router as a guest network for clients and guests. I think this is within my capabilities (I hope) now to climb the learning curve.

Thanks very much for your input.

Regards
iFunk

sgosnell 01-07-2016 09:40 PM

You should be able to restrict internet access to specific MAC addresses, if you know those for the machines in your network. I'm still not entirely sure exactly what you're doing with this entire project, but good luck with it. Have you checked what other tracks/events do? Maybe they know more about this.

iFunction 01-08-2016 05:07 AM

Oh, basically, I am providing the entire network for private track days. The computers are required for providing information for the customers via numerous computer monitors littered around the garages and for the engineers to do data analysis from data logging for the cars, and I am trying to set it up so that the engineers can send the data to be backed up. At present I walk round the garage at the end of the day with a hard drive and back it up manually, but I'm lazier than that. The events are private track days for high-profile clients who want a high level of driver training.


All times are GMT -5.