* howto bind Mac to ip address
From: Tariq Anwer @ 2003-08-11 8:17 UTC (permalink / raw)
To: netfilter
Hi!
I'm new to Linux. I want to set up a Linux NAT box for a small LAN with selective services to allow, like only browsing for staff and other services for management like FTP, MSN chatting etc.
1.> I want to bind each MAC address to his or her assigned IP address so nobody can mess around and change his or her IP.
2.> I want to allow selective MAC addresses each time, so they are not allowed to use it all the time, or I can block them whenever I want to.
I would highly appreciate it if anybody could help me or direct me to any web site or article to build this box successfully.
Best regards,
Alien
* Re: [iptables] howto bind Mac to ip address
From: Paul Cousins @ 2003-08-11 10:33 UTC (permalink / raw)
To: netfilter
> 1.> I want to bind each MAC address to his or her assigned IP address so nobody should mess around to change his or her IP's.
Look into dhcpd from the Internet consortium (www.isc.org/products/DHCP/). 99.9% of all Linux releases come with it, so it's a case of RTM and go from there, but it's very easy to configure, especially with something like webmin.
> 2.> I want to allow selective MAC addresses each time, so they are not allowed to use it all the time or I can block them whenever I want to.
iptables can filter by MAC address and IP address, so deny all users but those you wish to allow. A script with an allow variable in it would be your best bet, as you could add and remove users very quickly from the script, then simply run it and your new rules will be implemented immediately.
Simple cron scripts with drop or deny rules, set to run at the times you wish to deny access, will restrict the users. There may be an easier way, not sure.
Hope this points you in the right direction.
------------------------------------------------
Paul Cousins
Canterbury Computer Services
paul@canterburycomputerservices.co.uk
* Re: howto bind Mac to ip address
From: Ramin Dousti @ 2003-08-11 13:05 UTC (permalink / raw)
To: Tariq Anwer; +Cc: netfilter
On Mon, Aug 11, 2003 at 01:17:28PM +0500, Tariq Anwer wrote:
> Hi!
Hello,
You know that the MAC address is only visible on the same Ethernet link.
Having said this, how are the IP addresses being assigned? If it's by
DHCP, then you can assign each MAC a well-known IP and filter based on
that IP... If not, then you must be on the same Ethernet link and just
use the mac module (see "man iptables" and look for mac).
Ramin
* Re: howto bind Mac to ip address
From: Cedric Blancher @ 2003-08-11 13:28 UTC (permalink / raw)
To: Ramin Dousti; +Cc: Tariq Anwer, netfilter
On Mon 11/08/2003 at 15:05, Ramin Dousti wrote:
> You know that the MAC address is only visible on the same ethernet link.
> Having said this, How are the IP addresses being assigned? If it's by
> DHCP, then you can assign each MAC, a well-known IP and filter based on
> that IP...
A malicious user can manually reconfigure his interface, or use ARP
cache poisoning to redirect traffic in order to listen to/tamper with/redirect
traffic or spoof another host. A good way to enforce IP/MAC associations
is a static ARP cache:
arp -s <HW> <IP> [-i <iface>]
Or:
arp -f <file> [-i <iface>]
This way, you're sure your firewall won't answer a request from an IP
that uses a wrong MAC address.
> If not, then you must be on the same ethernet link and just
> use the mac module (see "man iptables" and look for mac).
Netfilter's mac match brings a second security layer that is redundant
with the static ARP cache (redundancy is good for security stuff), especially
for logging MAC address change attempts.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
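The following is an added example, not code posted by anyone in this thread. It takes a single MAC-to-IP table (in the /etc/ethers order Cedric mentions, plus a hostname) and prints the three pieces the replies describe: the dhcpd fixed-address host stanzas from Paul's message, the static ARP entries from Cedric's, and an iptables chain using the mac match that Ramin and Cedric mention, which logs and drops anything arriving on the LAN interface with a MAC/IP pair other than the assigned one. The interface name eth0, the addresses and the host table are made up for the example. Two details worth checking before using it: with the net-tools arp command the IP address comes before the hardware address (arp -s <IP> <HW>), and the chain must let DHCP requests (UDP 68 to 67, sent from 0.0.0.0) through, otherwise a freshly booted client can never obtain the lease the rules expect it to have. ARP itself is not seen by iptables at all (that is arptables' job), which is why the static ARP cache is the layer that covers ARP spoofing. As Sebastian notes further down, none of this stops a root user who rewrites his own MAC; it catches misconfiguration and casual tampering.

```shell
#!/bin/sh
# Added example for this thread (not code posted by any participant).
# One MAC<->IP table drives the three layers the replies describe:
#   1. ISC dhcpd "host" stanzas with fixed-address (Paul's suggestion)
#   2. "arp -s" lines for a static ARP cache on the gateway (Cedric's)
#   3. iptables rules that accept only the expected MAC/IP pair on the LAN
#      interface and log anything else (the mac match Ramin and Cedric mention)
# The interface and the host table are assumptions made up for the example.
# The functions only print commands and config; nothing touches the kernel,
# so the output can be reviewed before piping it to sh as root.

LAN_IF=eth0     # assumption: LAN side of the NAT box

# Constructed sample table in /etc/ethers order plus a hostname:
# "<MAC> <IP> <name>", one host per line.
HOSTS_TABLE='00:11:22:33:44:01 192.168.1.11 staff-pc1
00:11:22:33:44:02 192.168.1.12 staff-pc2
00:11:22:33:44:03 192.168.1.13 mgmt-pc1'

# Iterate over the table, calling "$1" with mac, ip and name.
each_host() {
    printf '%s\n' "$HOSTS_TABLE" | while read -r mac ip name; do
        [ -n "$mac" ] || continue
        "$1" "$mac" "$ip" "$name"
    done
}

# 1. dhcpd.conf: the same MAC always receives the same lease.
dhcpd_host()      { printf 'host %s { hardware ethernet %s; fixed-address %s; }\n' "$3" "$1" "$2"; }
gen_dhcpd_hosts() { each_host dhcpd_host; }

# 2. Static ARP entry on the gateway. With net-tools arp the IP comes first
# and the hardware address second (arp -s <IP> <HW>); -i pins the entry to
# the LAN interface. ARP is not visible to iptables, so this is the layer
# that defeats ARP cache poisoning against the gateway.
arp_entry()      { printf 'arp -i %s -s %s %s\n' "$LAN_IF" "$2" "$1"; }
gen_static_arp() { each_host arp_entry; }

# 3. iptables: a dedicated chain consulted for every packet that arrives on
# the LAN interface. DHCP requests must pass first (a client has no address
# yet), a known MAC carrying its assigned IP RETURNs to the caller, and any
# other packet is logged (rate-limited) and dropped. The mac match only works
# in INPUT, FORWARD and PREROUTING, so the chain is hooked into INPUT and
# FORWARD. The -D before each -I keeps the hook idempotent on re-runs.
mac_rule()     { printf 'iptables -A LAN_MACCHECK -s %s -m mac --mac-source %s -j RETURN\n' "$2" "$1"; }
gen_iptables() {
    printf 'iptables -N LAN_MACCHECK 2>/dev/null\n'
    printf 'iptables -F LAN_MACCHECK\n'
    printf 'iptables -A LAN_MACCHECK -p udp --sport 68 --dport 67 -j RETURN\n'
    each_host mac_rule
    printf 'iptables -A LAN_MACCHECK -m limit --limit 5/min -j LOG --log-prefix "MAC/IP mismatch: "\n'
    printf 'iptables -A LAN_MACCHECK -j DROP\n'
    printf 'iptables -D INPUT -i %s -j LAN_MACCHECK 2>/dev/null\n' "$LAN_IF"
    printf 'iptables -I INPUT 1 -i %s -j LAN_MACCHECK\n' "$LAN_IF"
    printf 'iptables -D FORWARD -i %s -j LAN_MACCHECK 2>/dev/null\n' "$LAN_IF"
    printf 'iptables -I FORWARD 1 -i %s -j LAN_MACCHECK\n' "$LAN_IF"
}

# Run directly: print all three sections for review.
printf '# --- dhcpd.conf host stanzas ---\n'; gen_dhcpd_hosts
printf '# --- static ARP cache ---\n';        gen_static_arp
printf '# --- iptables ruleset ---\n';        gen_iptables
```

The LOG rule is what gives Cedric's "logging MAC address change attempts": a host that keeps its IP but shows up with another MAC, or keeps its MAC but picks a different IP, no longer matches its RETURN rule and lands in the log before being dropped.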
* Re: howto bind Mac to ip address
From: Ramin Dousti @ 2003-08-11 13:48 UTC (permalink / raw)
To: Cedric Blancher; +Cc: Ramin Dousti, Tariq Anwer, netfilter
On Mon, Aug 11, 2003 at 03:28:31PM +0200, Cedric Blancher wrote:
> > You know that the MAC address is only visible on the same ethernet link.
> > Having said this, How are the IP addresses being assigned? If it's by
> > DHCP, then you can assign each MAC, a well-known IP and filter based on
> > that IP...
>
> A malicious user can reconfigure manually its interface, or use ARP
> cache poisoning to redirect trafic in order to listen/tamper/redirect
> trafic or spoof another host. A good way to enforce IP/MAC associations
> is static ARP cache :
>
> arp -s <HW> <IP> [-i <iface>]
>
> Or :
>
> arp -f <file> [-i <iface>]
>
> This way, you're sure your firewall won't answer a request from an IP
> that uses a wrong MAC address.
Absolutely. But let's back off a bit and take a look at the picture as a whole.
We're talking about internal users here. If someone is so ambitious as to do
what you said, be sure they can do even more harm to you. Besides, are you
going to implement this at every single router on every LAN segment you have
internally? Or is this solution meant for VSOHO?
But, your point taken :-)
Ramin
* Re: howto bind Mac to ip address
From: Cedric Blancher @ 2003-08-11 14:08 UTC (permalink / raw)
To: Ramin Dousti; +Cc: Tariq Anwer, netfilter
On Mon 11/08/2003 at 15:48, Ramin Dousti wrote:
> Absolutely. But let's back off a bit and take a look at the picture as a whole.
> We're talking about the internal users here. If someone is so ambisious to do
> what you said, be sure they can do even more harm to you.
Without any doubt. This is a paranoid measure to prevent mighty lusers or
big evil 3lle7 crackers who managed to get into the LAN from messing around
;)
> Besides, are you going to implement this at every single router on any
> LAN segment you have internally? Or is this solution meant for VSOHO?
Well, I do not think implementing a static ARP cache on the Linux NAT
box will be more of a burden than doing almost the same using iptables with
the mac match (as far as I understand what the OP wants).
I mean, once you have done this for one purpose (e.g. DHCP MAC-based
assignment), there's not much left to do to generate an /etc/ethers-like
file for filling the ARP cache or to generate a basic iptables ruleset.
> But, your point taken :-)
Was just for info and discussion, not for contradiction. Most of the
time, DHCP assignment as you said before is far sufficient to provide
an acceptable way to associate MAC and IP.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
* RE: howto bind Mac to ip address
From: Sebastian @ 2003-08-11 14:51 UTC (permalink / raw)
To: 'Tariq Anwer', Netfilter Mailinglist
Hi!
Just a general hint. If I understand you correctly, you'll bind MAC to
IP addresses to apply different filters/restrictions to each client. But
you have to keep in mind, if the users of the client systems have root
privileges they are able to alter their MAC address with most modern
Ethernet adapters. Many Windows drivers have these capabilities,
too. This could easily be used to bypass your restrictions.
Greets
Sebastian.
* RE: [iptables] howto bind Mac to ip address
From: George Vieira @ 2003-08-11 11:03 UTC (permalink / raw)
To: netfilter
There is also a "time" patch which can allow rules to be active at certain times, i.e. browse only during lunch time ;) etc.
This would make it easier than a crontab... but both are just as easy.
Thanks,
____________________________________________
George Vieira
Systems Manager, Citadel Computer Systems Pty Ltd
georgev AT citadelcomputer DOT com DOT au
Phone : +61 2 9955 2644 HelpDesk: +61 2 9955 2698 http://www.citadelcomputer.com.au
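An added example for the second request (enable or block individual MACs on demand, or only at certain times); this is not code from anyone in the thread. It assumes a NAT box whose FORWARD policy is DROP, so a client only reaches the Internet while an ACCEPT rule for its MAC exists, and a LAN interface named eth0; the MACs and time windows are made up. The first pair of functions is the allow-list script Paul describes: one inserts the rule, the other deletes exactly the same rule again. mac_allow_window uses the time match George refers to (in mainline iptables as -m time, which compares against UTC unless --kerneltz is given), and mac_cron_window produces the crontab lines for the cron approach. Every function prints the command rather than executing it, so it can be reviewed, or tested, without root. Sebastian's caveat applies to all of it: a client whose user can rewrite the adapter's MAC can borrow another host's permission.

```shell
#!/bin/sh
# Added example for this thread (not code posted by any participant).
# On-demand and time-window access for single MACs on a NAT box whose
# FORWARD policy is DROP (assumption), so only listed MACs get out.
# Interface name, MACs and windows are made up for the example. Functions
# print the iptables command or crontab line instead of executing it.

LAN_IF=eth0     # assumption: LAN side of the NAT box

# Accept traffic from one MAC, inserted ahead of everything else in FORWARD.
mac_enable() {   # $1 = MAC
    printf 'iptables -I FORWARD 1 -i %s -m mac --mac-source %s -j ACCEPT\n' "$LAN_IF" "$1"
}

# Delete exactly that rule again: identical match, so -D finds it.
mac_disable() {  # $1 = MAC
    printf 'iptables -D FORWARD -i %s -m mac --mac-source %s -j ACCEPT\n' "$LAN_IF" "$1"
}

# HH:MM sanity check, so a typo cannot produce a rule iptables rejects or,
# worse, a window that was not intended.
valid_hhmm() {
    case "$1" in
        [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Time-window rule with the time match. xt_time compares against UTC unless
# --kerneltz is given, so it is included to make the window local wall-clock.
mac_allow_window() {   # $1 = MAC, $2 = start HH:MM, $3 = stop HH:MM, $4 = weekdays (Mon,Tue,...)
    valid_hhmm "$2" && valid_hhmm "$3" || return 1
    printf 'iptables -A FORWARD -i %s -m mac --mac-source %s -m time --timestart %s --timestop %s --weekdays %s --kerneltz -j ACCEPT\n' \
        "$LAN_IF" "$1" "$2" "$3" "$4"
}

# crontab alternative (system crontab format, with a user field), Mon-Fri:
# one line enables the MAC at the start of the window, one disables it at
# the end. Leading zeros are stripped so "09:30" becomes "30 9".
mac_cron_window() {    # $1 = MAC, $2 = start HH:MM, $3 = stop HH:MM
    valid_hhmm "$2" && valid_hhmm "$3" || return 1
    bh=${2%:*}; bm=${2#*:}; eh=${3%:*}; em=${3#*:}
    bh=${bh#0}; bm=${bm#0}; eh=${eh#0}; em=${em#0}
    printf '%s %s * * 1-5 root %s\n' "$bm" "$bh" "$(mac_enable "$1")"
    printf '%s %s * * 1-5 root %s\n' "$em" "$eh" "$(mac_disable "$1")"
}

# Run directly: show all four forms for one constructed MAC.
mac_enable       00:11:22:33:44:01
mac_disable      00:11:22:33:44:01
mac_allow_window 00:11:22:33:44:01 12:00 13:00 Mon,Tue,Wed,Thu,Fri
mac_cron_window  00:11:22:33:44:01 09:30 17:00
```

Because -I FORWARD 1 always inserts a fresh rule, run mac_disable before re-enabling, or check first with iptables -C, so a MAC does not accumulate duplicate rules that a single -D will not remove.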