* mac/ip match
From: M. Ziya Ozudogru @ 2003-09-18 18:26 UTC (permalink / raw)
To: netfilter
Hi
Any hints about the following problem will be appreciated. Thanks a
lot...
I want to assure that only given IP/MAC matches will have access to the
internet (I mean if someone takes an IP that does not belong to his/her
MAC address, no access will be given). I will give the IP to the MAC
address by DHCP..
To my knowledge, I want to set these IP/MAC groups using the command:
arp -s ip mac
and I want to redirect unused IPs to an unused MAC in the same way...
Here comes the problem.. How can I define in iptables to use these arp
rules and give access only to the addresses that match the rules and
block all the others (well, I want to block the others [unused IP
addresses] by using the iptables mac match module)? Any hints?
Thanks for your valuable help...
* Re: mac/ip match
From: Cedric Blancher @ 2003-09-18 18:57 UTC (permalink / raw)
To: M. Ziya Ozudogru; +Cc: netfilter
On Thu 18/09/2003 at 20:26, M. Ziya Ozudogru wrote:
> Here comes the problem.. How can I define in iptables to use these arp
> rules and give access only to the addresses that match the rules and
> block all the others (well, I want to block the others [unused IP
> addresses] by using the iptables mac match module)? Any hints?
See the mac match:
cbr@elendil:~$ iptables -m mac --help
[...]
MAC v1.2.8 options:
--mac-source [!] XX:XX:XX:XX:XX:XX
Match source MAC address
Now, you just have to implement rules matching the source MAC address and
the source IP address.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: mac/ip match
From: M. Ziya Ozudogru @ 2003-09-18 19:04 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
Thanks for your help, but how can I assure that a given MAC is using the IP
I assign to it? And if it is using its assigned IP it should pass; if it
is not, it should be blocked.
On Thu, 2003-09-18 at 21:57, Cedric Blancher wrote:
> On Thu 18/09/2003 at 20:26, M. Ziya Ozudogru wrote:
> > Here comes the problem.. How can I define in iptables to use these arp
> > rules and give access only to the addresses that match the rules and
> > block all the others (well, I want to block the others [unused IP
> > addresses] by using the iptables mac match module)? Any hints?
>
> See the mac match:
>
> cbr@elendil:~$ iptables -m mac --help
> [...]
> MAC v1.2.8 options:
> --mac-source [!] XX:XX:XX:XX:XX:XX
> Match source MAC address
>
> Now, you just have to implement rules matching the source MAC address and
> the source IP address.
* Re: mac/ip match
From: Cedric Blancher @ 2003-09-18 19:17 UTC (permalink / raw)
To: M. Ziya Ozudogru; +Cc: netfilter
On Thu 18/09/2003 at 21:04, M. Ziya Ozudogru wrote:
> Thanks for your help, but how can I assure that a given MAC is using the IP
> I assign to it? And if it is using its assigned IP it should pass; if it
> is not, it should be blocked.
If all your rules are of this kind:
iptables -A FORWARD -m mac --mac-source $MAC -s $IP -j ACCEPT
Then an unknown MAC address won't be able to get through, and a known one
will be accepted _only_ if used with the correct source IP. Isn't that what
you wanted, or am I missing something?
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
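As an added illustration (not code from the thread), the script below turns a table of "IP MAC" pairs into the FORWARD rule set the reply describes: one ACCEPT per known pair on the LAN-facing interface, then a LOG and a catch-all DROP for anything that matched no pair, so the mismatch shows up in the logs. The interface name and the pairing table are constructed placeholders; the mac match only sees the source MAC on the interface a frame arrived on, which is why every rule carries -i.

```shell
#!/bin/sh
# Added example: generate (not execute) iptables rules pairing each
# allowed IP with its MAC, as in the reply above.

LAN_IF="eth1"           # assumed LAN-facing interface (placeholder)

# Constructed pairing table, one "IP MAC" per line; the last entry is
# deliberately malformed to show that bad lines are skipped, not applied.
PAIRS='192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:66
bogus-entry 00:11:22:33:44:77'

# valid_pair IP MAC -> returns 0 if both look well-formed, 1 otherwise
valid_pair() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$2" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
}

# gen_rules IFACE < table : print the iptables commands to stdout
gen_rules() {
    iface="$1"
    while read -r ip mac; do
        [ -z "$ip" ] && continue
        if ! valid_pair "$ip" "$mac"; then
            echo "# skipped malformed entry: $ip $mac" >&2
            continue
        fi
        # a known MAC passes only when it carries its assigned source IP
        echo "iptables -A FORWARD -i $iface -m mac --mac-source $mac -s $ip -j ACCEPT"
    done
    # anything from the LAN that matched no pair: log it, then drop it
    echo "iptables -A FORWARD -i $iface -j LOG --log-prefix 'MAC/IP mismatch: '"
    echo "iptables -A FORWARD -i $iface -j DROP"
}

# Review the generated commands before piping them into sh on the gateway.
printf '%s\n' "$PAIRS" | gen_rules "$LAN_IF"
```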
* Re: mac/ip match
From: M. Ziya Ozudogru @ 2003-09-19 10:40 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
Thanks a lot for your valuable help. I think this will solve my problem.
On Thu, 2003-09-18 at 22:17, Cedric Blancher wrote:
> On Thu 18/09/2003 at 21:04, M. Ziya Ozudogru wrote:
> > Thanks for your help, but how can I assure that a given MAC is using the IP
> > I assign to it? And if it is using its assigned IP it should pass; if it
> > is not, it should be blocked.
>
> If all your rules are of this kind:
>
> iptables -A FORWARD -m mac --mac-source $MAC -s $IP -j ACCEPT
>
> Then an unknown MAC address won't be able to get through, and a known one
> will be accepted _only_ if used with the correct source IP. Isn't that what
> you wanted, or am I missing something?
* Re: mac/ip match
From: Cedric Blancher @ 2003-09-19 10:58 UTC (permalink / raw)
To: M. Ziya Ozudogru; +Cc: netfilter
On Fri 19/09/2003 at 12:40, M. Ziya Ozudogru wrote:
> Thanks a lot for your valuable help. I think this will solve my problem.
You're welcome.
If you want to go further, you can have a look at ebtables (layer 2
filtering) and arptables (for 2.6) on http://ebtables.sourceforge.net/,
which provide valuable functionality.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE