Re: iptables and dhcp configuration
On 08/08/2012 12:56 PM, Jatin K wrote:
> is there any way or method available to configure iptables to allow
> only dhcp server assigned ip

To achieve this:

* I set up a (CSV) file listing IP and MAC
* I write a script building the DHCP configuration file from it
* I write an iptables script to forward only the (IP, MAC) tuples, dropping whatever else
* I only use the CSV file when adding a new host to the LAN
  ** I flush+rebuild the iptables rules and restart DHCPd when I add a new host

Drawbacks:
- On the LAN, one can always steal an IP address
- You need to control duplicates when the LAN grows (mine is a /16)

-- 
RMA.

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
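The CSV-to-dhcpd.conf-to-iptables pipeline described in the reply above, as an added example (not RMA's script, which the thread does not show). It assumes a CSV with name,ip,mac columns, the LAN on eth1 and the WAN on eth0; the sample inventory is constructed. The functions return the generated configuration and commands as text so the script can be dry-run without root; the duplicate check is the "control duplicates" drawback RMA mentions, done at build time rather than discovered when dhcpd refuses to start.

```python
import csv
import io
import ipaddress
import re
import subprocess

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample inventory (not real hosts); the column names are an assumption.
SAMPLE_CSV = """name,ip,mac
alice-pc,10.7.1.10,00:11:22:33:44:55
bob-laptop,10.7.1.11,00:11:22:33:44:66
"""


def parse_hosts(text):
    """Return [(name, ip, mac)] from CSV text, rejecting malformed rows and
    duplicates. A duplicate IP makes dhcpd refuse to start; a duplicate MAC
    means the second host silently gets the first host's address."""
    hosts, seen_ip, seen_mac = [], set(), set()
    for row in csv.DictReader(io.StringIO(text)):
        name = row["name"].strip()
        ip = str(ipaddress.IPv4Address(row["ip"].strip()))  # raises ValueError on junk
        mac = row["mac"].strip().lower()
        if not MAC_RE.match(mac):
            raise ValueError("bad MAC for %s: %r" % (name, mac))
        if ip in seen_ip or mac in seen_mac:
            raise ValueError("duplicate IP or MAC: %s %s" % (ip, mac))
        seen_ip.add(ip)
        seen_mac.add(mac)
        hosts.append((name, ip, mac))
    return hosts


def validate(text):
    """None if the CSV is consistent, otherwise the error message."""
    try:
        parse_hosts(text)
    except (ValueError, KeyError) as exc:
        return str(exc)
    return None


def dhcpd_hosts(hosts):
    """Static host declarations to include from dhcpd.conf."""
    return "".join(
        "host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n" % (name, mac, ip)
        for name, ip, mac in hosts)


def iptables_rules(hosts, lan_if="eth1", wan_if="eth0"):
    """FORWARD policy: a packet leaves the LAN only if its source IP *and*
    source MAC match one CSV row. The MAC match is only meaningful on the
    ingress interface of the directly attached segment, so reply traffic
    (WAN -> LAN) is admitted by connection state instead; LAN -> WAN is
    checked on every packet, not just the first of a flow."""
    rules = [
        "iptables -F FORWARD",
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        % (wan_if, lan_if),
    ]
    for _name, ip, mac in hosts:
        rules.append(
            "iptables -A FORWARD -i %s -o %s -s %s -m mac --mac-source %s -j ACCEPT"
            % (lan_if, wan_if, ip, mac))
    return rules


def apply(cmds):
    """Run the generated commands (needs root); not called by default."""
    for cmd in cmds:
        subprocess.check_call(cmd.split())


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_CSV)
    print(dhcpd_hosts(hosts))
    print("\n".join(iptables_rules(hosts)))
```

Running it prints the host declarations and the rule set; pipe the first into a file that dhcpd.conf includes and hand the second to apply() (or a shell) after `validate()` returns None. The rules do nothing about the first drawback RMA lists: a host that sets the same IP and spoofs the same MAC is indistinguishable from the legitimate one at this layer.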
iptables and dhcp configuration
Dear all,

is there any way or method available to configure iptables to allow only
dhcp server assigned ip, meaning if a user manually sets his/her system's
ip address then the Linux gateway (FC16) should reject it. The user must
use the ip address which is assigned by dhcp. (The dhcp server is running
on the same machine where iptables is installed, and the machine is acting
as a gateway.)

Warm Regards
-- 
°v°
/(_)\
^ ^
Jatin Khatri
RHCSA, RHCE, CCNA
Registered Linux user No #501175
www.linuxcounter.net
No M$
Re: iptables and dhcp configuration
On Wed, 2012-08-08 at 15:26 +0530, Jatin K wrote:
> is there any way or method available to configure iptables to allow
> only dhcp server assigned ip, meaning if a user manually sets his/her
> system's ip address then the Linux gateway (FC16) should reject it.
> The user must use the ip address which is assigned by dhcp. (The dhcp
> server is running on the same machine where iptables is installed, and
> the machine is acting as a gateway.)

You could script something so that a computer added to the DHCP pool
gets added to the iptables rules, but can you actually achieve what you
want?

Are you simply blocking the client's access to the DHCP server (gateway
on it)? That's easy enough to block via an IP rule.

Are you trying to block the client from anything, in which case your
gateway must actually be *between* the client and other things (merely
being on the same network isn't enough). Otherwise, the gateway can
simply be bypassed.

And if a user manually assigns themselves the same IP, coincidentally,
should it be allowed or blocked? Do you just care about the address, or
do you need a DHCP client acknowledge?

It sounds more like you need some sort of authentication system, rather
than just IP assignment.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.
Re: iptables and dhcp configuration
On 2012/08/08 04:52, Tim wrote:
> On Wed, 2012-08-08 at 15:26 +0530, Jatin K wrote:
>> is there any way or method available to configure iptables to allow
>> only dhcp server assigned ip, meaning if a user manually sets his/her
>> system's ip address then the Linux gateway (FC16) should reject it.
>> The user must use the ip address which is assigned by dhcp. (The dhcp
>> server is running on the same machine where iptables is installed, and
>> the machine is acting as a gateway.)
>
> You could script something so that a computer added to the DHCP pool
> gets added to the iptables rules, but can you actually achieve what you
> want?
>
> Are you simply blocking the client's access to the DHCP server (gateway
> on it)? That's easy enough to block via an IP rule.
>
> Are you trying to block the client from anything, in which case your
> gateway must actually be *between* the client and other things (merely
> being on the same network isn't enough). Otherwise, the gateway can
> simply be bypassed.
>
> And if a user manually assigns themselves the same IP, coincidentally,
> should it be allowed or blocked? Do you just care about the address, or
> do you need a DHCP client acknowledge?
>
> It sounds more like you need some sort of authentication system, rather
> than just IP assignment.

Such a script has one significant problem. Let's go over what it must do.

First the script would read the log file to determine DHCP activity.
When it detects a newly assigned address it must allow it in iptables.
When it discovers an address being relinquished it must disallow that
address in iptables. That sounds fairly simple. What could possibly go
wrong? Well, for one, try pulling the Ethernet cable on a machine before
you shut it down. There is no message for that machine relinquishing its
address. So the address remains open. That's just one mechanism for
failure of log monitoring techniques or any other technique that relies
only on what DHCPD knows.

So can we play smarter?

I'd try the basic DHCP monitoring. Then I'd find or develop a tool to
periodically (on a seconds basis) check to see if all the dhcp assigned
boxes on the local net are still there. As soon as they are registered
as not there, a flag is set with the former MAC and IP addresses
associated with the flag. If it remains disconnected for more than five
minutes, inform DHCPD, somehow, to forcibly flush the address that is no
longer being used.

That is generally going to be safe from a set of naive users. If you
have ONE smart user who diagnoses what you are doing he can wait for a
machine to go down, using the same technique you used to detect it, and
jump in almost immediately spoofing that machine's MAC address. DHCP
never learns that the machine is down. And you still have the system
penetrated.

Methinks what I'd do is put in two distinct network segments. One is
open to the world. The other is open to the too easily hackable wireless
router. Both get DHCP addresses from two different DHCP servers. The
access from machine to machine would require an ssh login. As long as
the ssh login remains, the iptables configuration on the gateway machine
would open up to the internal network using two-way IP address
translation to a distinct address per box. As soon as the ssh connection
is shown to be down, the door slams shut. The ssh connection could
simply send a small handshake packet periodically to perform this test.

Methinks I'll look into implementing that latter trick. I sort of like
it. And I have three different DHCP servers around here to play with in
this regard. All I need is a very serious round-tu-it.

{^_^}
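The liveness watch with a five-minute grace period sketched above, as an added example; it is not code from the thread. The probe itself (arping or ping of every leased address every few seconds, from the gateway, which sits on the same segment) is outside the block and feeds its results into observe(). The class name, the DHCPuser ipset name and the sample leases are assumptions. Besides revoking a lease that has been silent past the grace period, it reports an address that answers from a MAC other than the leased one, which is the spoofing case the message describes; the code cannot prevent that, only surface it.

```python
class LeaseWatch:
    """Track which DHCP-assigned (ip, mac) pairs are still answering on the
    wire and revoke the ones that have been absent longer than `grace`."""

    def __init__(self, grace=300):
        self.grace = grace
        self.leases = {}         # ip -> mac, what dhcpd currently has assigned
        self.missing_since = {}  # ip -> time of the first failed probe

    def lease_added(self, ip, mac):
        """Call from the dhcpd on-commit hook or from a dhcpd.leases parser."""
        self.leases[ip] = mac.lower()
        self.missing_since.pop(ip, None)

    def lease_removed(self, ip):
        """Call on release/expiry; a clean release needs no grace period."""
        self.leases.pop(ip, None)
        self.missing_since.pop(ip, None)

    def observe(self, now, alive):
        """One probe round. `alive` is the set of (ip, mac) pairs that answered.
        Returns (revoked, suspicious): revoked are (ip, mac) leases missing for
        at least `grace` seconds; suspicious are (ip, leased_mac, seen_mac) where
        the address answered from a different MAC than the one dhcpd leased."""
        revoked, suspicious = [], []
        answering = {ip: mac.lower() for ip, mac in alive}
        for ip, mac in list(self.leases.items()):
            seen = answering.get(ip)
            if seen == mac:
                self.missing_since.pop(ip, None)  # back within the grace period: forget it
                continue
            if seen is not None:
                suspicious.append((ip, mac, seen))
            first = self.missing_since.setdefault(ip, now)
            if now - first >= self.grace:
                revoked.append((ip, mac))
                del self.leases[ip]
                del self.missing_since[ip]
        return revoked, suspicious


def revoke_commands(revoked, setname="DHCPuser"):
    """Firewall side of a revocation: drop the address from the ipset that the
    on-commit hook fills. Telling dhcpd to forget the lease is a separate step
    (omshell, if OMAPI is enabled) and is not scripted here."""
    return ["ipset del %s %s" % (setname, ip) for ip, _mac in revoked]


if __name__ == "__main__":
    # Constructed walk-through: host .10 disappears, comes back, then stays away.
    w = LeaseWatch(grace=300)
    w.lease_added("10.7.1.10", "00:11:22:33:44:55")
    w.lease_added("10.7.1.11", "00:11:22:33:44:66")
    both = {("10.7.1.10", "00:11:22:33:44:55"), ("10.7.1.11", "00:11:22:33:44:66")}
    only_11 = {("10.7.1.11", "00:11:22:33:44:66")}
    for t, seen in [(0, both), (10, only_11), (200, both), (300, only_11), (600, only_11)]:
        print(t, w.observe(t, seen))
    print(revoke_commands([("10.7.1.10", "00:11:22:33:44:55")]))
```

The probe loop that drives this would run as a daemon on the gateway; note that a host asleep with Wake-on-LAN or a laptop out of wireless range, as Tim points out further down the thread, looks exactly like a pulled cable and will be revoked after the grace period, then re-admitted when it next renews its lease.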
Re: iptables and dhcp configuration
On 8/8/2012 5:56 AM, Jatin K wrote:
> Dear all,
>
> is there any way or method available to configure iptables to allow
> only dhcp server assigned ip, meaning if a user manually sets his/her
> system's ip address then the Linux gateway (FC16) should reject it.
> The user must use the ip address which is assigned by dhcp. (The dhcp
> server is running on the same machine where iptables is installed, and
> the machine is acting as a gateway.)
>
> Warm Regards

Put this in your dhcpd.conf to record the IP address issued in an ipset:

    on commit {
      set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
      # set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
      set ClientLeaseTime = binary-to-ascii(10, 32, "", encode-int(lease-time, 32));
      # set ClientLeaseTime = encode-int(lease-time, 32);
      # set ClientLeaseTime = "14400";
      execute("/usr/sbin/ipset", "-A", "DHCPuser", concat(ClientIP, ",", ClientLeaseTime));
    }

You'll probably have to change the execute command to work with the new
syntax of ipset.

Then use the functionality of iptables to use the ipset to allow/deny
access. I use Shorewall for my firewall which makes it pretty easy.

Bill
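The on-commit hook above fills the set while dhcpd runs, but the set is kernel state: a reboot, a flush, or a dhcpd restart after the set was destroyed leaves every active lease locked out until it renews. The added example below (not Bill's code, not part of the thread) rebuilds the DHCPuser set from dhcpd.leases and generates the iptables rules that consume it. It assumes the set is `hash:ip` with per-entry timeouts (the newer ipset syntax Bill refers to), the LAN on eth1 and the WAN on eth0; the leases excerpt is constructed. Lease times in dhcpd.leases are UTC.

```python
import calendar
import re
import time

SET_NAME = "DHCPuser"  # the set the thread's on-commit hook adds to

# Constructed dhcpd.leases excerpt (not a real file). dhcpd appends records
# and the last one for an address wins, which the parser reproduces.
SAMPLE_LEASES = """
lease 10.7.1.10 {
  starts 3 2012/08/08 10:00:00;
  ends 3 2012/08/08 14:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "alice-pc";
}
lease 10.7.1.11 {
  starts 3 2012/08/08 09:00:00;
  ends 3 2012/08/08 13:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 10.7.1.11 {
  starts 3 2012/08/08 09:00:00;
  ends 3 2012/08/08 13:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 10.7.1.12 {
  starts 3 2012/08/08 06:00:00;
  ends 3 2012/08/08 10:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
lease 10.7.1.13 {
  starts 3 2012/08/08 06:00:00;
  ends never;
  binding state active;
  hardware ethernet 00:11:22:33:44:88;
}
"""

LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}", re.S)
ENDS_RE = re.compile(r"\bends\s+(never|\d\s+\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);")
STATE_RE = re.compile(r"^\s*binding state (\w+);", re.M)  # not "next binding state"
HW_RE = re.compile(r"hardware ethernet ([0-9a-fA-F:]+);")


def parse_utc(stamp):
    """dhcpd writes lease times as 'YYYY/MM/DD HH:MM:SS' in UTC."""
    return calendar.timegm(time.strptime(stamp, "%Y/%m/%d %H:%M:%S"))


def active_leases(text, now):
    """{ip: (mac, seconds_remaining or None for 'never')} for leases that are
    'binding state active' and have not passed their end time at `now`."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        state, ends, hw = STATE_RE.search(body), ENDS_RE.search(body), HW_RE.search(body)
        if not (state and ends):
            continue
        if ends.group(1) == "never":
            remaining = None
        else:
            remaining = parse_utc(ends.group(1).split(None, 1)[1]) - now
        if state.group(1) == "active" and (remaining is None or remaining > 0):
            leases[ip] = (hw.group(1).lower() if hw else None, remaining)
        else:
            leases.pop(ip, None)  # a later free/expired record cancels the active one
    return leases


def ipset_commands(leases, setname=SET_NAME):
    """Rebuild the set atomically: fill a scratch set, then swap it in, so
    there is no window in which every client is locked out."""
    tmp = setname + "_new"
    cmds = ["ipset -exist create %s hash:ip timeout 0" % setname,
            "ipset -exist create %s hash:ip timeout 0" % tmp,
            "ipset flush %s" % tmp]
    for ip, (_mac, remaining) in sorted(leases.items()):
        cmds.append("ipset add %s %s timeout %d" % (tmp, ip, 0 if remaining is None else remaining))
    cmds += ["ipset swap %s %s" % (tmp, setname), "ipset destroy %s" % tmp]
    return cmds


def forward_rules(setname=SET_NAME, lan_if="eth1", wan_if="eth0"):
    """The iptables side the thread leaves to the reader: forward LAN traffic
    only from a source address currently in the set."""
    return [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        % (wan_if, lan_if),
        "iptables -A FORWARD -i %s -o %s -m set --match-set %s src -j ACCEPT"
        % (lan_if, wan_if, setname),
    ]


if __name__ == "__main__":
    now = int(time.time())
    print("\n".join(ipset_commands(active_leases(SAMPLE_LEASES, now))))
    print("\n".join(forward_rules()))
```

With timeouts on the entries the set expires an address by itself when the lease does, which is what Bill relies on; with the newer syntax the on-commit hook's execute() becomes `execute("/usr/sbin/ipset", "-exist", "add", "DHCPuser", ClientIP, "timeout", ClientLeaseTime);`, and a matching `on release { ... "del" ... }` hook closes the hole immediately on a clean release rather than at lease end.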
Re: iptables and dhcp configuration
On 2012/08/08 16:01, Bill Shirley wrote:
> On 8/8/2012 5:56 AM, Jatin K wrote:
>> Dear all,
>>
>> is there any way or method available to configure iptables to allow
>> only dhcp server assigned ip, meaning if a user manually sets his/her
>> system's ip address then the Linux gateway (FC16) should reject it.
>> The user must use the ip address which is assigned by dhcp. (The dhcp
>> server is running on the same machine where iptables is installed, and
>> the machine is acting as a gateway.)
>>
>> Warm Regards
>
> Put this in your dhcpd.conf to record the IP address issued in an ipset:
>
>     on commit {
>       set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>       # set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
>       set ClientLeaseTime = binary-to-ascii(10, 32, "", encode-int(lease-time, 32));
>       # set ClientLeaseTime = encode-int(lease-time, 32);
>       # set ClientLeaseTime = "14400";
>       execute("/usr/sbin/ipset", "-A", "DHCPuser", concat(ClientIP, ",", ClientLeaseTime));
>     }
>
> You'll probably have to change the execute command to work with the new
> syntax of ipset.
>
> Then use the functionality of iptables to use the ipset to allow/deny
> access. I use Shorewall for my firewall which makes it pretty easy.
>
> Bill

What do you do about the fellow who simply hits the power switch or
disconnects the network cable?

{^_^}
Re: iptables and dhcp configuration
On Wed, 2012-08-08 at 18:31 -0700, jdow wrote:
> What do you do about the fellow who simply hits the power switch or
> disconnects the network cable?

Or moves out of wireless range? And then comes back again?

As I said, it looked more like an authentication scheme was needed than
just IP assigning(/controlling).

-- 
Tim
Re: iptables and dhcp configuration
On 08/08/2012 05:22 PM, Tim wrote:
> On Wed, 2012-08-08 at 15:26 +0530, Jatin K wrote:
>> is there any way or method available to configure iptables to allow
>> only dhcp server assigned ip, meaning if a user manually sets his/her
>> system's ip address then the Linux gateway (FC16) should reject it.
>> The user must use the ip address which is assigned by dhcp. (The dhcp
>> server is running on the same machine where iptables is installed, and
>> the machine is acting as a gateway.)
>
> You could script something so that a computer added to the DHCP pool
> gets added to the iptables rules, but can you actually achieve what you
> want?
>
> Are you simply blocking the client's access to the DHCP server (gateway
> on it)? That's easy enough to block via an IP rule.
>
> Are you trying to block the client from anything, in which case your
> gateway must actually be *between* the client and other things (merely
> being on the same network isn't enough). Otherwise, the gateway can
> simply be bypassed.
>
> And if a user manually assigns themselves the same IP, coincidentally,
> should it be allowed or blocked? Do you just care about the address, or
> do you need a DHCP client acknowledge?
>
> It sounds more like you need some sort of authentication system, rather
> than just IP assignment.

I want something called captive portal like functions, but I don't want
to use the available ready-to-use software/solutions like [1]. I want to
build my own on fc 16, to get the technical idea of how it works and how
it can be customized.

[1] http://en.wikipedia.org/wiki/Captive_portal

-- 
Jatin Khatri
Re: iptables and dhcp configuration
On 8/9/2012 12:49 AM, Tim wrote:
> On Wed, 2012-08-08 at 18:31 -0700, jdow wrote:
>> What do you do about the fellow who simply hits the power switch or
>> disconnects the network cable?
>
> Or moves out of wireless range? And then comes back again?
>
> As I said, it looked more like an authentication scheme was needed than
> just IP assigning(/controlling).

It depends on what you want. If you want something that is bullet proof,
then no, this is not for you. But if you have someone who is actively
trying to bypass security then you have more than a network problem.

If you want something that encourages people to use DHCP, then this could
be an answer. If you don't acquire an IP address via DHCP, I don't pass
you thru the firewall to teh interwebz.

It's been my experience that when the ISC DHCP server sees a new MAC
address, it doesn't re-use IP leases until it has cycled thru the pool.
If you had understood the code you would have noticed that an IP address
is removed from the ipset when the lease expires. This could be changed
to work off the MAC address too. Also, most PCs ask to re-lease the last
IP address they had.

Bill
Re: iptables and dhcp configuration
On 2012/08/08 22:05, Jatin K wrote:
> On 08/08/2012 05:22 PM, Tim wrote:
>> On Wed, 2012-08-08 at 15:26 +0530, Jatin K wrote:
>>> is there any way or method available to configure iptables to allow
>>> only dhcp server assigned ip, meaning if a user manually sets his/her
>>> system's ip address then the Linux gateway (FC16) should reject it.
>>> The user must use the ip address which is assigned by dhcp. (The dhcp
>>> server is running on the same machine where iptables is installed,
>>> and the machine is acting as a gateway.)
>>
>> You could script something so that a computer added to the DHCP pool
>> gets added to the iptables rules, but can you actually achieve what
>> you want?
>>
>> Are you simply blocking the client's access to the DHCP server
>> (gateway on it)? That's easy enough to block via an IP rule.
>>
>> Are you trying to block the client from anything, in which case your
>> gateway must actually be *between* the client and other things (merely
>> being on the same network isn't enough). Otherwise, the gateway can
>> simply be bypassed.
>>
>> And if a user manually assigns themselves the same IP, coincidentally,
>> should it be allowed or blocked? Do you just care about the address,
>> or do you need a DHCP client acknowledge?
>>
>> It sounds more like you need some sort of authentication system,
>> rather than just IP assignment.
>
> I want something called captive portal like functions, but I don't want
> to use the available ready-to-use software/solutions like [1]. I want
> to build my own on fc 16, to get the technical idea of how it works and
> how it can be customized.
>
> [1] http://en.wikipedia.org/wiki/Captive_portal

The MAC address is going to be your important feature for routing. MAC
address spoofing is an issue. But it's not a deadly issue related to,
say, corporate security.

For iptables --mac-source is your magic. You'd have a login process to
which all packets are sent until the MAC address is enabled with an
iptables command using --mac-source. There'd be a login web page that
would send the appropriate iptables exception command and later on,
after the signup period ends, remove the iptables exception. This
expiration could take place using a cron command.

Now, go read up on iptables to figure out the steps you need and the
exact commands, code it up, and play.

{^_^}
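The MAC-gated portal described above, as an added example that is not code from the thread or from any captive-portal project: unauthenticated LAN clients have HTTP redirected to a login page on the gateway and everything else dropped; a successful login inserts a --mac-source exception at the head of two chains; a periodic job removes exceptions whose session has ended. The chain names, interface names, the session length and the sample logins are assumptions, and the in-memory `granted` table stands in for the file a real portal and its cron job would share.

```python
import re
import subprocess

LAN_IF, WAN_IF = "eth1", "eth0"
PORTAL_PORT = 80  # the login web server listens on the gateway itself
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def base_rules():
    """One-time setup. Exceptions are later inserted at position 1 of the two
    portal chains, so the catch-all redirect and drop always stay last."""
    return [
        "iptables -t nat -N portal_nat",
        "iptables -N portal_fwd",
        "iptables -t nat -A PREROUTING -i %s -j portal_nat" % LAN_IF,
        "iptables -A FORWARD -i %s -j portal_fwd" % LAN_IF,
        # Unauthenticated: HTTP goes to the login page, everything forwarded
        # is dropped. DNS *to the gateway* must stay reachable (INPUT chain,
        # not shown) or the browser never resolves a name and never hits the
        # redirect.
        "iptables -t nat -A portal_nat -p tcp --dport 80 -j REDIRECT --to-ports %d" % PORTAL_PORT,
        "iptables -A portal_fwd -j DROP",
        "iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        % (WAN_IF, LAN_IF),
    ]


def exception_rules(mac, op):
    """op '-I' grants (insert at position 1), '-D' revokes. The match part
    must be byte-identical in both cases or -D will not find the rule."""
    pos = " 1" if op == "-I" else ""
    return [
        "iptables -t nat %s portal_nat%s -m mac --mac-source %s -j RETURN" % (op, pos, mac),
        "iptables %s portal_fwd%s -m mac --mac-source %s -j ACCEPT" % (op, pos, mac),
    ]


class Portal:
    def __init__(self, session_seconds=3600):
        self.session = session_seconds
        self.granted = {}  # mac -> session end (epoch seconds)

    def login(self, mac, now):
        """Called by the login page after it has checked the credentials and
        looked the client's MAC up in the gateway's neighbour table (HTTP only
        tells it the IP). Returns the commands to run; a re-login extends the
        session without inserting a second copy of the rules."""
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError("bad MAC: %r" % mac)
        cmds = [] if mac in self.granted else exception_rules(mac, "-I")
        self.granted[mac] = now + self.session
        return cmds

    def expire(self, now):
        """The cron half: remove every exception whose session has ended."""
        cmds = []
        for mac, until in sorted(self.granted.items()):
            if until <= now:
                cmds += exception_rules(mac, "-D")
                del self.granted[mac]
        return cmds


def apply(cmds):
    """Run the generated commands (needs root); not called by default."""
    for cmd in cmds:
        subprocess.check_call(cmd.split())


if __name__ == "__main__":
    p = Portal(session_seconds=3600)
    print("\n".join(base_rules()))
    print("\n".join(p.login("AA:BB:CC:DD:EE:01", 1000)))  # constructed login at t=1000
    print(p.expire(4000))                                  # nothing yet
    print("\n".join(p.expire(5600)))                       # session over, rules removed
```

The login page gets the MAC from `ip neigh show` (or `arp -n`) for the requesting IP, which is only trustworthy because the gateway is on the same segment as the client; anything behind another router shows the router's MAC. An ipset of type `hash:mac` with a timeout would replace the cron job and the per-MAC rule bookkeeping, at the cost of being a different mechanism from the --mac-source one the reply describes.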