* ip + mac authentication
@ 2005-01-19 10:36 Linux Query
2005-01-19 10:57 ` George Alexandru Dragoi
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Linux Query @ 2005-01-19 10:36 UTC (permalink / raw)
To: netfilter
Hi all!
I want to ensure that each of my clients can have
access to the net only with the ip address which is
specifically assigned to him / her. Is the following
going to work ?
iptables -I FORWARD -o externalinterface -s xx.xx.xx.xx -m mac --mac-source yy:yy:yy:yy:yy -j ACCEPT
or is it required to be done in some other way ?
thanks and regards to all,
jim.
* Re: ip + mac authentication
2005-01-19 10:36 ip + mac authentication Linux Query
@ 2005-01-19 10:57 ` George Alexandru Dragoi
2005-01-19 11:48 ` Linux Query
2005-01-19 14:44 ` Jason Opperisano
2005-01-19 14:55 ` René Gallati
2 siblings, 1 reply; 8+ messages in thread
From: George Alexandru Dragoi @ 2005-01-19 10:57 UTC (permalink / raw)
To: Linux Query; +Cc: netfilter
You can make a file with pairs of <ip> <mac> and load it with arp -f,
or man ethers, then you can make firewall rules based on ips only, of
course don't forget to drop traffic in FORWARD which does not match
your clients' source ip.
On Wed, 19 Jan 2005 02:36:03 -0800 (PST), Linux Query
<linux_query@yahoo.com> wrote:
>
> Hi all!
>
> I want to ensure that each of my clients can have
> access to the net only with the ip address which is
> specifically assigned to him / her. Is the following
> going to work ?
>
> iptables -I FORWARD -o externalinterface -s xx.xx.xx.xx -m mac --mac-source yy:yy:yy:yy:yy -j ACCEPT
>
> or is it required to be done in some other way ?
>
> thanks and regards to all,
> jim.
--
Bla bla
* Re: ip + mac authentication
2005-01-19 10:57 ` George Alexandru Dragoi
@ 2005-01-19 11:48 ` Linux Query
2005-01-19 15:53 ` Daniel VRABIOIU
2005-01-20 4:55 ` R. DuFresne
0 siblings, 2 replies; 8+ messages in thread
From: Linux Query @ 2005-01-19 11:48 UTC (permalink / raw)
To: netfilter
--- George Alexandru Dragoi <waruiinu@gmail.com>
wrote:
> You can make a file with pairs of <ip> <mac> and load it with arp -f,
> or man ethers, then you can make firewall rules based on ips only, of
> course don't forget to drop traffic in FORWARD which does not match
> your clients' source ip.
>
Thank you! I didn't know about the /etc/ethers file. Is
it possible to assign two ips for a single mac in that
file and a single ip for two macs ?
e.g. ip1 <mac1>
     ip2 <mac1>
and
     ip3 <mac2>
     ip3 <mac3>
Besides, if I leave out some of the clients from the
/etc/ethers file (I don't know all mac addresses right
now), will it create problems for those who are not
included ?
Thanks and regards,
jim
* Re: ip + mac authentication
2005-01-19 10:36 ip + mac authentication Linux Query
2005-01-19 10:57 ` George Alexandru Dragoi
@ 2005-01-19 14:44 ` Jason Opperisano
2005-01-19 14:55 ` René Gallati
2 siblings, 0 replies; 8+ messages in thread
From: Jason Opperisano @ 2005-01-19 14:44 UTC (permalink / raw)
To: netfilter
On Wed, 2005-01-19 at 05:36, Linux Query wrote:
> Hi all!
>
> I want to ensure that each of my clients can have
> access to the net only with the ip address which is
> specifically assigned to him / her. Is the following
> going to work ?
>
> iptables -I FORWARD -o externalinterface -s xx.xx.xx.xx -m mac --mac-source yy:yy:yy:yy:yy -j ACCEPT
>
> or is it required to be done in some other way ?
looks good to me. you may want to specify "-i $INTERNAL_INTERFACE" as
well, but that's just me.
-j
--
"It is better to remain silent and thought a fool, than open your
mouth and remove all doubt."
--The Simpsons
* Re: ip + mac authentication
2005-01-19 10:36 ip + mac authentication Linux Query
2005-01-19 10:57 ` George Alexandru Dragoi
2005-01-19 14:44 ` Jason Opperisano
@ 2005-01-19 14:55 ` René Gallati
2 siblings, 0 replies; 8+ messages in thread
From: René Gallati @ 2005-01-19 14:55 UTC (permalink / raw)
To: Linux Query; +Cc: netfilter
On Wed, 19 Jan 2005 02:36:03 -0800 (PST), Linux Query
<linux_query@yahoo.com> wrote:
>
> Hi all!
>
> I want to ensure that each of my clients can have
> access to the net only with the ip address which is
> specifically assigned to him / her. Is the following
> going to work ?
>
> iptables -I FORWARD -o externalinterface -s xx.xx.xx.xx -m mac --mac-source yy:yy:yy:yy:yy -j ACCEPT
>
> or is it required to be done in some other way ?
>
You already received advice on how it can be done. I'll just add here
that you should not forget that changing one's MAC address is as easy
as changing an IP address. Many people blindly believe it is not
possible or hard to change a MAC address but it is in fact very easy.
So all you can do is really force an IP/MAC pair, but you cannot
prevent that someone impersonates another system that is also allowed
to communicate.
--
C U
- -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
* Re: ip + mac authentication
2005-01-19 11:48 ` Linux Query
@ 2005-01-19 15:53 ` Daniel VRABIOIU
2005-01-19 17:34 ` Linux Query
2005-01-20 4:55 ` R. DuFresne
1 sibling, 1 reply; 8+ messages in thread
From: Daniel VRABIOIU @ 2005-01-19 15:53 UTC (permalink / raw)
To: netfilter
arp -f only forces a static mac for an ip. so you can't specify 2 mac
addresses or 2 ips in ethers. you can do that using iptables instead.
also, if you don't know the mac associated with an ip then you can ping
it then use arp to see it. if an ip isn't listed in ethers then it can be
used with any mac address.
Linux Query wrote:
>Thank you! I didn't know about the /etc/ethers file. Is
>it possible to assign two ips for a single mac in that
>file and a single ip for two macs ?
>
>e.g. ip1 <mac1>
>     ip2 <mac1>
>
>and
>     ip3 <mac2>
>     ip3 <mac3>
>
>Besides, if I leave out some of the clients from the
>/etc/ethers file (I don't know all mac addresses right
>now), will it create problems for those who are not
>included ?
>
>Thanks and regards,
>jim
>
>
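The approach discussed in the messages above (one ACCEPT rule per ip/mac pair, the "-i" suggestion, and a final DROP for sources that match no pair), as an added example that is not code from any poster in this thread. It is a dry run that prints the rules instead of applying them; the function name gen_rules, the interface names eth1/eth0 and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints rules instead of applying them.

# gen_rules PAIRS_FILE INTERNAL_IF EXTERNAL_IF
# Reads "<ip> <mac>" lines and prints one ACCEPT rule per valid pair,
# then a final DROP. Returns 1 if any line was rejected.
gen_rules() {
    pairs=$1; in_if=$2; out_if=$3; bad=0
    while read -r ip mac rest; do
        case $ip in ''|'#'*) continue ;; esac   # blank line or comment
        # Require exactly two fields: dotted-quad shape and six-octet MAC.
        if [ -n "$rest" ] ||
           ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
           ! printf '%s\n' "$mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
        then
            echo "rejected line: $ip $mac $rest" >&2
            bad=1
            continue
        fi
        # -A keeps file order, so the DROP below always ends up last.
        echo "iptables -A FORWARD -i $in_if -o $out_if -s $ip" \
             "-m mac --mac-source $mac -j ACCEPT"
    done < "$pairs"
    # Internal traffic that matched no listed pair is not forwarded.
    echo "iptables -A FORWARD -i $in_if -o $out_if -j DROP"
    return "$bad"
}

# Constructed sample: 192.0.2.12 is allowed from two MACs (two rules, which
# a static ARP entry cannot express); the last line has a five-octet MAC.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# ip         mac
192.0.2.11   00:11:22:33:44:55
192.0.2.12   00:11:22:33:44:66
192.0.2.12   00:11:22:33:44:77
192.0.2.13   00:11:22:33:44
EOF
gen_rules "$sample" eth1 eth0 || echo "fix the rejected lines before loading" >&2
rm -f "$sample"
```

The mac match only sees the Ethernet source address of the directly attached sender, so these rules are meaningful only for clients on the same segment as the internal interface.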
* Re: ip + mac authentication
2005-01-19 15:53 ` Daniel VRABIOIU
@ 2005-01-19 17:34 ` Linux Query
0 siblings, 0 replies; 8+ messages in thread
From: Linux Query @ 2005-01-19 17:34 UTC (permalink / raw)
To: netfilter
--- Daniel VRABIOIU <danyvip@pattco.ro> wrote:
> arp -f only forces a static mac for an ip. so you can't specify 2 mac
> addresses or 2 ips in ethers. you can do that using iptables instead.
> also, if you don't know the mac associated with an ip then you can ping
> it then use arp to see it. if an ip isn't listed in ethers then it can be
> used with any mac address.
>
Thanks to all who replied.
jim.
* Re: ip + mac authentication
2005-01-19 11:48 ` Linux Query
2005-01-19 15:53 ` Daniel VRABIOIU
@ 2005-01-20 4:55 ` R. DuFresne
1 sibling, 0 replies; 8+ messages in thread
From: R. DuFresne @ 2005-01-20 4:55 UTC (permalink / raw)
To: Linux Query; +Cc: netfilter
man arp would be a good place to start, prior to asking here perhaps?
Thanks,
Ron DuFresne
On Wed, 19 Jan 2005, Linux Query wrote:
>
> --- George Alexandru Dragoi <waruiinu@gmail.com>
> wrote:
>
> > You can make a file with pairs of <ip> <mac> and load it with arp -f,
> > or man ethers, then you can make firewall rules based on ips only, of
> > course don't forget to drop traffic in FORWARD which does not match
> > your clients' source ip.
> >
>
> Thank you! I didn't know about the /etc/ethers file. Is
> it possible to assign two ips for a single mac in that
> file and a single ip for two macs ?
>
> e.g. ip1 <mac1>
>      ip2 <mac1>
>
> and
>      ip3 <mac2>
>      ip3 <mac3>
>
> Besides, if I leave out some of the clients from the
> /etc/ethers file (I don't know all mac addresses right
> now), will it create problems for those who are not
> included ?
>
> Thanks and regards,
> jim
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules.
The most any of us can do is sign on as its accomplice. Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question. The words
"make" and "stay" become inappropriate. My love for you has no
strings attached. I love you for free...
-Tom Robins <Still Life With Woodpecker>