How does VC restrict PC Internet access?

Source: Internet
Author: User

Keywords: Restrict Internet access SPI get ie proxy address

Some programs need to control whether a computer can access the Internet. For example, children may access the Internet from to on Saturday, but not at other times. After some research, there are roughly the following ways to implement this in user mode (on Windows platforms):
1. Use a Windows hook to monitor the address bar of IE or other browsers. If the address bar contains www or HTTP, modify the URL so that the corresponding site cannot be reached. This method may be relatively easy to implement, but it is not accurate and cannot restrict every program that accesses the Internet. It is probably effective only for fooling young children.
2. SPI-based packet filtering. Write your own Winsock service provider (SPI) to filter out non-conforming packets, such as packets destined for the Internet. This method is described below.
3. Use the WSAIoctl feature of WinSock 2 to filter packets. WinSock 2 allows a program to call WSAIoctl() to set the SIO_RCVALL attribute on a socket of type SOCK_RAW, so that the socket receives all data passing through the local machine. For more information about this method, see "sniffer-ipmon without driver".
All three methods are implemented in user mode. The advantage is that they are convenient to implement, and the programmer does not need any driver knowledge. The disadvantage is that some packets may be missed. For example, some virus software may not access the network through the socket interface, in which case a user-mode program cannot capture its packets. However, because our goal is to restrict normal users from accessing the Internet, rather than to build a firewall, method 2 is basically acceptable. As for method 3, according to reference 1, packets sent from the local machine often cannot be seen. I did not test this carefully. If you are interested, you can try it yourself.
Method 2 is mainly based on the article "Principles and implementation of SPI-based datagram filtering" in issue 20 of the VC Knowledge Base online magazine. Windows also has an example, layered.zip. In addition, Chapter 1, "Winsock2 Service Provider Interface", of the book Windows Network Programming Technology (translated by Anthony Jones and published by machine engineers) covers SPI in detail.
The following describes the implementation. Take a computer on a LAN as an example. The goal is to block Internet access while still allowing access to the LAN. A PC can reach the Internet in two ways: (A) through the gateway (router), or (B) through a proxy server.
For A, the destination addresses used to access the Internet are all public addresses, so we filter them out directly in our transport service provider, as follows:

// Requires <ws2spi.h>. NextProcTable holds the next (lower) provider's function table.
int WSPAPI WSPSendTo(SOCKET s, LPWSABUF lpBuffer, DWORD dwBufferCount,
                     LPDWORD lpNumberOfBytesSent, DWORD dwFlags,
                     const struct sockaddr FAR *lpTo, int iTolen,
                     LPWSAOVERLAPPED lpOverlapped,
                     LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine,
                     LPWSATHREADID lpThreadId, LPINT lpErrno)
{
    struct sockaddr_in sin;

    // lpTo may be NULL (connected socket) or not IPv4; only inspect a valid IPv4 address.
    if (lpTo != NULL && iTolen >= (int)sizeof(sin) && lpTo->sa_family == AF_INET)
    {
        sin = *(const struct sockaddr_in *)lpTo;
        // Filter out packets whose destination is not on the LAN. For simplicity,
        // 192.168.*.* is treated as the LAN here; in practice, set this according
        // to the LAN's actual network address.
        if (192 != sin.sin_addr.S_un.S_un_b.s_b1)
        {
            OutputDebugString(_T("wspsendto Tencent filtered"));
            return 0;   // report success to the caller without forwarding the packet
        }
    }
    return NextProcTable.lpWSPSendTo(s, lpBuffer, dwBufferCount, lpNumberOfBytesSent,
                                     dwFlags, lpTo, iTolen, lpOverlapped,
                                     lpCompletionRoutine, lpThreadId, lpErrno);
}

For B, the PC accesses the Internet through a proxy on the LAN: all of its outbound packets are sent to the local proxy first, and the proxy then returns the requested web page to it. The PC therefore accesses the Internet indirectly, and the packets it sends carry LAN destination addresses, so the filter rule above does not apply. What can we do? We can first obtain the proxy server IP address and port number configured in IE, and then compare each packet's destination address and port with them. If both are equal, filter the packet. In this way, the PC's Internet access through the proxy is blocked without affecting its access to the LAN resources of the proxy server.
You can use the following code to obtain the proxy server address and port number of IE:

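#include <windows.h>
#include <wininet.h>   // link with wininet.lib

INTERNET_PROXY_INFO *pIEinfo = NULL;
DWORD dwSize = 0;
// The first call, with a NULL buffer, fails but reports the required size in dwSize.
BOOL bRet = InternetQueryOption(NULL, INTERNET_OPTION_PROXY, pIEinfo, &dwSize);
pIEinfo = (INTERNET_PROXY_INFO *)new char[dwSize];
// The second call fills the buffer; on success pIEinfo->lpszProxy holds the proxy setting.
bRet = InternetQueryOption(NULL, INTERNET_OPTION_PROXY, pIEinfo, &dwSize);
// ... use the result, then release the buffer:
delete[] (char *)pIEinfo;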
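
The filter decision for cases A and B combined, as an added example that is not code from the original article. It goes beyond the single-octet test above by checking the full private address ranges; the names should_block, is_lan, parse_ipv4 and parse_proxy are hypothetical, the proxy setting is assumed to have the plain "ip:port" form, and all sample addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse "a.b.c.d" into a host-order 32-bit value; 0 on success. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* Parse a proxy setting assumed to have the plain "ip:port" form. */
static int parse_proxy(const char *s, uint32_t *ip, uint16_t *port) {
    char host[16]; unsigned p; char tail;
    if (sscanf(s, "%15[0123456789.]:%u%c", host, &p, &tail) != 2) return -1;
    if (p == 0 || p > 65535) return -1;
    *port = (uint16_t)p;
    return parse_ipv4(host, ip);
}

/* Private, link-local and loopback ranges count as "LAN". */
static int is_lan(uint32_t ip) {
    return (ip >> 24) == 10        /* 10.0.0.0/8     */
        || (ip >> 20) == 0xAC1     /* 172.16.0.0/12  */
        || (ip >> 16) == 0xC0A8    /* 192.168.0.0/16 */
        || (ip >> 16) == 0xA9FE    /* 169.254.0.0/16 */
        || (ip >> 24) == 127;      /* 127.0.0.0/8    */
}

/* Returns 1 if a send to dest:dport should be dropped, 0 if forwarded. */
int should_block(const char *dest, uint16_t dport, const char *proxy) {
    uint32_t dip, pip; uint16_t pport;
    if (parse_ipv4(dest, &dip) != 0) return 1;      /* fail closed */
    if (proxy && parse_proxy(proxy, &pip, &pport) == 0 &&
        dip == pip && dport == pport) return 1;     /* case B: the proxy */
    return !is_lan(dip);                            /* case A: public IP */
}

int main(void) {
    const char *proxy = "192.168.1.1:8080";         /* constructed sample */
    printf("%d %d %d\n", should_block("192.168.1.1", 8080, proxy),
           should_block("192.168.1.1", 445, proxy),
           should_block("192.0.2.10", 80, proxy));
    return 0;
}
```

Note that 192.0.2.10 starts with 192 but is not a LAN address, and 10.x.x.x is a LAN address that does not start with 192; a first-octet comparison gets both wrong.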

Conclusion
In this way, both routes to the Internet are blocked, which restricts the PC's Internet access. Discussion is welcome.
