Craig - Simply configure your server to allow access for your IP range. This is especially easy if you have 10.x.x.x type IPs within your wide area network. This is not so much a matter of configuring Moodle as it is configuring Apache or whatever your webserver is that is serving the Moodle pages.
Question extension to Anthony and others: Is it possible to allow direct IP Intranet access to the Moodle server during day-time access and also Internet web access for after-hours and non-state network usage?
Technically speaking yes. You could have a cron job that executes at a certain time and overwrites the apache config file and then restarts the server with the new file and then swap it back with another cron job. I guess my question is why worry about the ip address if you are authenticating your users?
The reason we would like to have intranet access is specific to bandwidth. If we are pushing elaborate learning objects, it would be nice to have direct access within our intranet during the school day, but still have access to the content outside of school time.
I can see where it would make sense if you are having bandwidth issues.
You can also achieve the IP filtering by playing with the 'iptables' rules. I would personally go with this solution since it's only one extra parameter you'll need to add/remove: "-s <net_addr/net_mask>".
Viorel - Could you explain in basic terms how iptables works? I am just not that familiar with it but it sounds like a type of mapping whereby the server handles traffic from a particular range in one way and traffic from another IP range in another. If that is the case, then it does sound like a better solution since it would not involve constantly restarting the apache server. Peace - Anthony
On a RedHat system the configuration file is located under "/etc/sysconfig/iptables".
Assuming that your network address is 10.0.0.0 with a netmask of 255.255.255.0 the iptables rule to restrict the HTTP connections to this network only will look like:
//
-A RH-Firewall-1-INPUT -m state --state NEW -s 10.0.0.0/24 -m tcp -p tcp --dport 80 -j ACCEPT
//
In order to open it to the world remove the "-s 10.0.0.0/24" argument.
As a reference here is how the iptables rules will look for a default RH installation where HTTP access has been restricted to the above network:
//
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 10.0.0.0/24 -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
//
HTH,
Viorel
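The time-of-day switch discussed in this thread, combined with the "-s" rule above, as an added example that is not code from any poster: a small script that rewrites only the port-80 rule in the rules file, so cron can tighten or open HTTP access without touching the Apache configuration. The function name, script path and cron times are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. RULES_FILE is the RedHat path named in the
# thread; INTRANET_NET is the thread's example network (an assumption for your site).
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"
INTRANET_NET="${INTRANET_NET:-10.0.0.0/24}"

# set_http_scope MODE [FILE]  (hypothetical helper name)
#   intranet: the port-80 rule carries "-s $INTRANET_NET"
#   open:     the port-80 rule carries no -s argument
set_http_scope() {
    mode="$1"; file="${2:-$RULES_FILE}"
    case "$mode" in
        intranet) src=" -s $INTRANET_NET" ;;
        open)     src="" ;;
        *) echo "usage: set_http_scope intranet|open [file]" >&2; return 2 ;;
    esac
    # Refuse to rewrite a file that has no port-80 ACCEPT rule.
    grep -q -- '--dport 80 -j ACCEPT' "$file" || {
        echo "no HTTP ACCEPT rule in $file" >&2; return 1; }
    tmp="$(mktemp "${file}.XXXXXX")" || return 1
    # Drop any existing -s argument from the port-80 rule, then add the wanted
    # one after "--state NEW". Running the same mode twice yields the same file.
    sed -E -e '/--dport 80 -j ACCEPT/ s| -s [0-9.]+(/[0-9]+)?||' \
           -e "/--dport 80 -j ACCEPT/ s|--state NEW|--state NEW${src}|" \
        "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place so the file keeps its owner and permissions.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Invoked from cron (times and script path are assumptions):
#   0 8  * * 1-5 root /usr/local/sbin/http-scope.sh intranet
#   0 16 * * 1-5 root /usr/local/sbin/http-scope.sh open
case "${1:-}" in
    intranet|open) set_http_scope "$1" && service iptables restart ;;
esac
```

Because the rule matches only "--state NEW", switching to intranet mode stops new outside connections; connections that are already open keep matching the ESTABLISHED,RELATED rule until they close.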
Viorel,
Thank you, this does sound like the best solution. I would also appreciate any simple directions you might be willing to share related to configuring iptables.
Craig
Anthony, I'm busy setting up Moodle for our school but have been met with an error that connects to this discussion. My students cannot access the quizzes I set up for them because the local network isn't in the IP range required for the quiz. I cannot find the place to either disable this feature or to set up the correct IP ranges for my quizzes. Can you give me a bit of direction?
Jacobus - Update the quiz - in other words go to it and edit. There is likely a specific IP address (perhaps under advanced options). In secure mode on quizzes you can limit the IP range. Let me know if that helps. Peace - Anthony