* DHCP /MAC
@ 2003-11-08 10:42 kannel sms
  2003-11-08 10:59 ` Antony Stone
  0 siblings, 1 reply; 9+ messages in thread
From: kannel sms @ 2003-11-08 10:42 UTC (permalink / raw)
  To: netfilter

Dear Friends,

I think you all can help me.
I have a DHCP server. That is allowed for dialup/Cable modem users, so that users use certain modems. All those modems have MAC addresses. Those modems are provided by us.
So those valid modems have known MAC addresses. If an unknown modem is connected to the modem, that will be restricted by the firewall.

Actually I want to block unknown MACs and allow all the other known MACs.

I have done some configuration in iptables but it doesn't work. Currently I'm testing this concept in a LAN with 5 PCs.

######################################################################
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
######################################################################
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT
######################################################################
iptables -A INPUT -p udp -s 192.168.30.0/24 --dport 67 ! -i eth0 -m state --state NEW -m mac --mac-source 00:50:BA:50:36:25 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.30.0/24 --dport 67 ! -i eth0 -m state --state NEW -m mac --mac-source 00:50:BA:50:36:25 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.30.0/24 --dport 68 ! -i eth0 -m state --state NEW -m mac --mac-source 00:50:BA:50:36:25 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.30.0/24 --dport 68 ! -i eth0 -m state --state NEW -m mac --mac-source 00:50:BA:50:36:25 -j ACCEPT
######################################################################

Please help me. Where can the problem be?

thanx

* Re: DHCP /MAC
  2003-11-08 10:42 kannel sms
@ 2003-11-08 10:59 ` Antony Stone
  0 siblings, 0 replies; 9+ messages in thread
From: Antony Stone @ 2003-11-08 10:59 UTC (permalink / raw)
  To: netfilter

On Saturday 08 November 2003 10:42 am, kannel sms wrote:

> Dear Friends ,
>
> I have DHCP server . That is allow for dialup/Cable modem users . So that
> users use that certain modems . That all modems have MAC addresses . Those
> modems providing by us . So those valid modems has known MAC addresses . If
> unknown modem connected to the modem that will be restricted by the firewall

I have never seen a modem with a MAC address.

> Actually i want  to block unknown MACs and allow the other all known MACs .
>
> I have did some configurations in iptables but it doesn't work . Currently
> i'm testing this concept in a LAN with 5 PCs .

When you say "it doesn't work", what do you mean?   Valid users are not 
allowed access, or invalid users are not denied access?

I think a good move would be to put a LOG rule into your ruleset so that you 
can see the MAC address of the packets being seen by netfilter as well as the 
source & destination IP addresses - that should help you to identify why your 
rules are not matching packets the way you want them to.

Regarding what you are trying to do, however, why not simply set the DHCP 
server to only give out IP addresses to an approved list of MAC addresses 
(what is generally called bootp mode)?

Antony.

-- 

Documentation is like sex:
when it's good, it's very very good;
when it's bad, it's still better than nothing.
                                                     Please reply to the list;
                                                           please don't CC me.


* Re: DHCP /MAC
       [not found] <20031108111214.61915.qmail@web60201.mail.yahoo.com>
@ 2003-11-08 11:29 ` Antony Stone
  2003-11-08 12:09   ` Rob Sterenborg
  0 siblings, 1 reply; 9+ messages in thread
From: Antony Stone @ 2003-11-08 11:29 UTC (permalink / raw)
  To: netfilter

On Saturday 08 November 2003 11:12 am, kannel sms wrote:

> Dear Sir ,
>
> if i put in the DHCP server that ip will be fixed for the
> relevant user. So i can't serve the ip like that .
> Dynamically all ips must be assigned to the users. So
> that's why i try to use the iptables firewall .

Okay, that's a good reason why you can't use the bootp mode of your DHCP 
server.

> Sir , actually i'm new to iptables . Please guide me how
> to do this configuration for DHCP via iptables .

I still find it hard to believe that your modem users have MAC addresses - 
all dialup systems I have seen use PPP Point to Point Protocol and there is 
no MAC address identifying the remote system.

However, I could be wrong, and the way to check this is with the LOG rule I 
already recommended, so you can see the MAC address and source / destination 
IP addresses of the packets coming in to your netfilter machine.

Antony.

-- 

If at first you don't succeed, destroy all the evidence that you tried.
                                                     Please reply to the list;
                                                           please don't CC me.


* RE: DHCP /MAC
  2003-11-08 11:29 ` Antony Stone
@ 2003-11-08 12:09   ` Rob Sterenborg
  2003-11-08 13:14     ` kannel sms
  0 siblings, 1 reply; 9+ messages in thread
From: Rob Sterenborg @ 2003-11-08 12:09 UTC (permalink / raw)
  To: netfilter

> I still find it hard to believe that your modem users have 
> MAC addresses - all dialup systems I have seen use PPP Point 
> to Point Protocol and there is no MAC address identifying the 
> remote system.

I agree with this part, but he was talking about dialup/cable access.
When I had cable access from Chello/UPC I had a LanCity modem and it
actually had a MAC address. (Which could be abused to get higher up/down
bandwidth.)


Gr,
Rob


* Re: DHCP /MAC
       [not found] <20031108114309.82218.qmail@web60203.mail.yahoo.com>
@ 2003-11-08 12:14 ` Antony Stone
  0 siblings, 0 replies; 9+ messages in thread
From: Antony Stone @ 2003-11-08 12:14 UTC (permalink / raw)
  To: netfilter

On Saturday 08 November 2003 11:43 am, kannel sms wrote:

> This dhcp server is specially allocated for the Cable modem
> system . That cable modem has a MAC address. I'm
> sure.

Yes, a cable modem will have a MAC address.   Your first posting mentioned 
dial-up users, so I assumed you meant standard analogue telephone system 
dial-up modems.

> If you can tell me how to implement that MAC blocking
> for the LAN , i can manage that method for cable
> modems as well.

I would create a user-defined chain which ACCEPTs the desired MAC addresses 
and DROPs all others:

iptables -N MACcheck
iptables -A MACcheck -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT
iptables -A MACcheck -m mac --mac-source uu:vv:ww:xx:yy:zz -j ACCEPT
iptables -A MACcheck -j DROP

(Add as many ACCEPT lines as you want to match MAC addresses)

Then, if you want to restrict packets coming in to the netfilter box itself:

iptables -I INPUT -i eth0 -j MACcheck

or if you want to restrict packets going through the netfilter box to 
somewhere else:

iptables -I FORWARD -i eth0 -j MACcheck

(Adjust eth0 for whichever interface your cable modems are connected to).

Antony.

PS: If you want to reply, please reply to the list, not to me personally.

-- 

You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.

 - Frank Skinner
                                                     Please reply to the list;
                                                           please don't CC me.
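As an added example (not code from the thread, nor Antony's), the following POSIX shell script generates the MACcheck chain described above, with the rate-limited LOG rule recommended earlier in the thread placed just before the final DROP so that rejected frames appear in the kernel log with their MAC address. It assumes the classic iptables command line; eth0 and the MAC addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread: generate an iptables MAC allow-list
# for one interface, following the MACcheck chain from the reply above but with
# a rate-limited LOG rule before the final DROP, so rejected frames show up in
# the kernel log together with their source MAC.
# The script only prints the commands; review them, then run them as root.
# eth0 and the MAC addresses below are constructed sample values.

# Normalise a MAC to colon-separated form: the thread mixes 00.50.BA.50.36.25
# and 00:50:BA:50:36:25. Prints nothing and returns 1 unless it is six hex octets.
norm_mac() {
    m=$(printf '%s' "$1" | tr '.' ':')
    printf '%s' "$m" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$m"
}

# Print the rules for a user-defined chain that ACCEPTs the listed MACs and
# LOGs then DROPs everything else, hooked into INPUT (traffic to the firewall)
# and FORWARD (traffic through it) for the given interface.
# usage: gen_mac_rules <iface> <mac>...
gen_mac_rules() {
    iface=$1; shift
    echo "iptables -N MACcheck"
    for raw in "$@"; do
        if ! mac=$(norm_mac "$raw"); then
            echo "gen_mac_rules: skipping malformed MAC '$raw'" >&2
            continue
        fi
        echo "iptables -A MACcheck -m mac --mac-source $mac -j ACCEPT"
    done
    echo "iptables -A MACcheck -m limit --limit 5/min -j LOG --log-prefix 'MACcheck DROP: '"
    echo "iptables -A MACcheck -j DROP"
    echo "iptables -I INPUT -i $iface -j MACcheck"
    echo "iptables -I FORWARD -i $iface -j MACcheck"
}

# Count the ACCEPT entries a generated ruleset contains (a quick sanity check
# that every intended MAC survived normalisation).
count_accepts() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# Sample run: one colon-form MAC, one dotted-form MAC, one malformed string.
gen_mac_rules eth0 00:50:BA:50:36:25 00.50.BA.50.36.26 not-a-mac
```

Two things the rulesets in this thread stumble on are worth checking against the LOG output: a client's initial DHCPDISCOVER arrives with source address 0.0.0.0, so a `-s 192.168.30.0/24` match never sees it, and a DHCP server that reads requests through a packet socket (as ISC dhcpd does on Linux) receives them below the IP stack, where INPUT rules do not apply.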


* DHCP /MAC
@ 2003-11-08 13:05 kannel sms
  2003-11-08 14:05 ` Antony Stone
  2003-11-08 14:44 ` Jeffrey Laramie
  0 siblings, 2 replies; 9+ messages in thread
From: kannel sms @ 2003-11-08 13:05 UTC (permalink / raw)
  To: netfilter


As you said, I did all of it, but it will not reach my
requirement, because when I added that rule with a
specific MAC address, according to your mail it will
allow it to get all the DHCP facilities.
But other machines are also doing the same thing, so it seems
there is a small problem somewhere.

I will give you my tables info:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#######################################################################
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT
#######################################################################
iptables -N MACcheck
iptables -A MACcheck -m mac --mac-source 00:50:BA:50:36:25 -j ACCEPT
iptables -A MACcheck -j DROP

iptables -I INPUT -i eth0 -j MACcheck
#######################################################################
iptables -A INPUT -p udp -s 192.168.30.0/24 --dport 67 -i eth0 -m state --state NEW -m mac --mac-source 00:50:BA:50:36:25 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.30.0/24 --dport 67 -i eth0 -m state --state NEW -m mac --mac-source 00:50:BA:50:36:25 -j ACCEPT

iptables -A INPUT -p udp -s 192.168.30.0/24 --dport 68 -i eth0 -m state --state NEW -m mac --mac-source 00:50:BA:50:36:25 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.30.0/24 --dport 68 -i eth0 -m state --state NEW -m mac --mac-source 00:50:BA:50:36:25 -j ACCEPT


* RE: DHCP /MAC
  2003-11-08 12:09   ` Rob Sterenborg
@ 2003-11-08 13:14     ` kannel sms
  0 siblings, 0 replies; 9+ messages in thread
From: kannel sms @ 2003-11-08 13:14 UTC (permalink / raw)
  To: Rob Sterenborg; +Cc: netfilter


That transmission part is ok. What I'm doing is
assigning an IP via the DHCP server, but there must be a
firewall to block the unknown MACs.
I don't try to block MAC addresses via DHCP, because
those assigned IPs will not be fixed for the
users.
So to overcome that problem I'm trying to use an iptables
firewall.

Actually I'm new to iptables. I don't have an exact idea
of how to block unknown MACs and allow trusted MACs.

So actually this is the thing that I want to do.
Please, can you kindly help me?



thanx 

--- Rob Sterenborg <rob@sterenborg.info> wrote:
> > I still find it hard to believe that your modem users have
> > MAC addresses - all dialup systems I have seen use PPP Point
> > to Point Protocol and there is no MAC address identifying the
> > remote system.
>
> I agree to this part, but he was talking about dialup/cable access.
> When I had cable access from Chello/UPC I had a LanCity modem and it
> actually had a MAC address. (Which could be abused to get higher up/down
> bandwidth.)
>
> Gr,
> Rob


* Re: DHCP /MAC
  2003-11-08 13:05 DHCP /MAC kannel sms
@ 2003-11-08 14:05 ` Antony Stone
  2003-11-08 14:44 ` Jeffrey Laramie
  1 sibling, 0 replies; 9+ messages in thread
From: Antony Stone @ 2003-11-08 14:05 UTC (permalink / raw)
  To: netfilter

On Saturday 08 November 2003 1:05 pm, kannel sms wrote:

> As you said i did all , but it will not reach my
> requirement, because when i added that rule with a
> specific MAC address , according to your mail it will
> allow  to get all the dhcp facilities .
> But other machines also doing the same thing . so seems to
> be somewhere has a small problem ,

1. What *exactly* is not working correctly with the rules I suggested?   I 
still do not understand whether you are saying that machines which should 
have access are being blocked, or machines which should not have access are 
being allowed.

2. Have you tried adding a LOGging rule as I suggested to check exactly what 
MAC addresses are on the packets coming in to your machine, just to make sure 
the machine is seeing what you think it should?

Antony.

-- 

Mahatma Gandhi was once asked what he thought of Western Civilisation.

He replied, "That would be a very good idea."
                                                     Please reply to the list;
                                                           please don't CC me.


* Re: DHCP /MAC
  2003-11-08 13:05 DHCP /MAC kannel sms
  2003-11-08 14:05 ` Antony Stone
@ 2003-11-08 14:44 ` Jeffrey Laramie
  1 sibling, 0 replies; 9+ messages in thread
From: Jeffrey Laramie @ 2003-11-08 14:44 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/html, Size: 4132 bytes --]