nivis (n00b)
Joined: 25 Apr 2003, Posts: 9
Posted: Thu Jul 06, 2006 7:27 pm, Post subject: Internet access for dhcp clients
Hi
I'm running a small home network with a gentoo box as a firewall (shorewall).
I've just emerged dhcp so I can connect all my local stations through dhcp.
My question is how I can restrict internet access only for dhcp clients?
As it is right now, I can enter a static internal IP address on any local station and still
have internet access.
Any ideas??
/Nivis
Mroofka (Guru)
Joined: 25 Jan 2005, Posts: 369, Location: Poland
Posted: Thu Jul 06, 2006 7:56 pm
If dhcp is working and clients get addresses, you can configure "static dhcp". It means that you have to get all MACs from your clients, configure dhcp to assign IPs to MACs, and after that only they will have access to dhcp. Moreover you can make /etc/ethers (or something similar) with:
192.168.1.1 valid mac
ip valid mac
ip valid mac
for people who should have internet, and for other IPs from your network
ip 00:00:00:00:00:00
and then
arp -f /etc/ethers
In this way you block all addresses except those who should have access.
I hope this is clear enough to understand.
Regards
_________________
"Make install not love"
registered linux User # 379143
"Ready for Anything; Prepared for everything; Surprised by Nothing !"
nivis (n00b)
Joined: 25 Apr 2003, Posts: 9
Posted: Thu Jul 06, 2006 8:41 pm
Yeah, I understand.
But in this way I must know all my clients' MAC addresses.
I want a more dynamic solution where every computer that
receives an IP address from my dhcp server automatically
gets internet access.
/Nivis
Mroofka (Guru)
Joined: 25 Jan 2005, Posts: 369, Location: Poland
Posted: Thu Jul 06, 2006 11:37 pm
If you don't assign IPs to MACs you don't have any control over who is connecting to your network, no matter if you use dhcp or static IPs.
If you use dhcp, any box with a dhcp client (the default in Windows after plugging in the netcard) will have access, so the problem is even bigger than with static IPs.
I'm very curious why and what for block those who have static IPs if anyone can use dhcp to get access and you still don't have any control??
I don't know the solution for your problem, maybe someone else will.
Regards
_________________
"Make install not love"
registered linux User # 379143
"Ready for Anything; Prepared for everything; Surprised by Nothing !"
Kaddy (n00b)
Joined: 27 Jan 2005, Posts: 29
Posted: Fri Jul 07, 2006 12:55 am
You'd have to do the MAC filter thing for dhcp; it isn't that hard, you can basically do it like this.
Code:
# declare the known clients: only these MACs count as "known" to dhcpd
group {
  host hostname1 { hardware ethernet <mac goes here>; }
  host hostname2 { hardware ethernet <mac goes here>; }
}
Then, in your dhcpd.conf file, add something like this:
Code:
# this pool goes inside your subnet declaration
pool {
  max-lease-time 28800;
  range 10.0.0.5 10.0.0.15;
  deny unknown-clients;   # hosts not declared above get no lease
}
Headrush (Watchman)
Joined: 06 Nov 2003, Posts: 5597, Location: Bizarro World
Posted: Fri Jul 07, 2006 1:46 am
Mroofka and Kaddy are right.
If you don't use the MAC filtering, the constraints you are trying to create can easily be bypassed/"forged".
think4urs11 (Bodhisattva)
Joined: 25 Jun 2003, Posts: 6659, Location: above the cloud
Posted: Fri Jul 07, 2006 6:32 am, Post subject: Re: Internet access for dhcp clients
nivis wrote: "My question is how I can restrict internet access only for dhcp clients? As it is right now, I can enter a static internal IP address on any local station and still have internet access."
Dumb(?) idea:
Create a script on the server side which reads the dhcp lease file to check which leases are 'given out' at the moment.
Based on that, create a whitelist for iptables; all others will be dropped.
Put this into cron to run once per minute.
With that, only active leases are allowed to connect 'outwards'.
You shouldn't forget though to leave bootp/dhcp open to all (otherwise it would be a bit tricky to get a dhcp lease); same with other services on your server which are not 'only dhcp clients should be able to'.
*edit* fixed typos
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
Last edited by think4urs11 on Fri Jul 07, 2006 6:50 pm; edited 1 time in total
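As an added example (not code from the thread or from any poster), a Python sketch of the lease-driven whitelist think4urs11 describes: it parses ISC dhcpd.leases records (a constructed sample is embedded), keeps only leases that are active and unexpired, and emits iptables commands that rebuild a FORWARD sub-chain accepting only leased IP/MAC pairs from the LAN interface. Assumed: the chain name DHCP_ONLY, eth1 as the LAN interface, and a one-time `iptables -I FORWARD -i eth1 -j DHCP_ONLY` jump; because only FORWARD is filtered, DHCP requests to the server itself (INPUT) stay open, which covers his bootp caveat.

```python
import re
from datetime import datetime, timezone

# Constructed sample of ISC dhcpd.leases records (assumed path /var/lib/dhcp/dhcpd.leases); not from the thread.
# dhcpd writes 'ends' in UTC and appends a new record whenever an IP's state changes, so the last record wins.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  ends 5 2006/07/07 14:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.51 {
  ends 4 2006/07/06 14:00:00;
  binding state free;
  hardware ethernet 66:77:88:99:AA:BB;
}
lease 192.168.1.52 {
  ends 5 2006/07/07 09:00:00;
  binding state active;
  hardware ethernet cc:dd:ee:ff:00:11;
}
"""
SAMPLE_NOW = datetime(2006, 7, 7, 10, 0, tzinfo=timezone.utc)  # instant the sample is evaluated at

LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}", re.S)
ENDS_RE = re.compile(r"ends\s+\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});")
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")

def active_leases(text, now):
    """Return {ip: mac} for leases that are 'binding state active' and unexpired at `now` (UTC)."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        ends, mac = ENDS_RE.search(body), MAC_RE.search(body)
        if not (ends and mac):          # 'ends never;' or a record without a MAC: skip it
            continue
        expiry = datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if "binding state active;" in body and expiry > now:
            leases[ip] = mac.group(1).lower()
        else:
            leases.pop(ip, None)        # a newer free/expired record revokes an earlier active one
    return leases

def whitelist_rules(leases, lan_if="eth1"):
    """iptables commands (to feed to sh) that rebuild the DHCP_ONLY chain from the current leases."""
    rules = ["iptables -N DHCP_ONLY 2>/dev/null", "iptables -F DHCP_ONLY"]
    for ip, mac in sorted(leases.items()):
        # matching IP and MAC together: a leased IP set statically on another card is still dropped
        rules.append(f"iptables -A DHCP_ONLY -i {lan_if} -s {ip} -m mac --mac-source {mac} -j ACCEPT")
    rules.append(f"iptables -A DHCP_ONLY -i {lan_if} -j DROP")
    return rules
```

From cron, call `active_leases(open(path).read(), datetime.now(timezone.utc))` and pipe the joined rules to sh; rebuilding the whole chain each minute keeps the ruleset in step with leases that expire or are released.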
Kaddy (n00b)
Joined: 27 Jan 2005, Posts: 29
Posted: Fri Jul 07, 2006 6:47 pm
The other thing that you could do, seeing as the dhcpd.conf idea is only HALF of what you'd have to do (I just realised that), is something with iptables as well, to deny IPs that are static on the client.
Code:
iptables -P INPUT DROP                 # default action: drop on INPUT
iptables -A INPUT -i eth0 -j ACCEPT    # accept incoming connections from internet (assuming that you are NATing)
iptables -A INPUT -i eth1 -m mac --mac-source <valid mac goes here> -j ACCEPT
Granted, you'll have to do that every time you are adding a new machine.
I am doing this at home, so I simplified it and made a little thing that you just have to enter the MAC address for:
Code:
#!/bin/bash
# MAC Address Filter: append an ACCEPT rule for one client MAC on the LAN interface (eth1, as in the rules above)
read -rp "Enter Client MAC Address: " MAC
# only accept a well-formed aa:bb:cc:dd:ee:ff value
if [[ ! $MAC =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]]; then
    echo "invalid MAC address: $MAC" >&2
    exit 1
fi
iptables -A INPUT -i eth1 -m mac --mac-source "$MAC" -j ACCEPT
It just basically adds the client MAC that you enter.