Re: iptables and dhcp configuration

2012-08-09 Thread Mihamina Rakotomandimby

On 08/08/2012 12:56 PM, Jatin K wrote:

Is there any way or method available to configure iptables to allow only
DHCP-server-assigned IPs?



To achieve this:
* I set up a (CSV) file listing IP and MAC
* I write a script building the DHCP configuration file from it
* I write an iptables script to forward only (IP, MAC) tuples, dropping
whatever else

* I only use the CSV file when adding a new host to the LAN
** I flush+rebuild the iptables rules and restart DHCPd when I add a new host

Drawbacks:
- On the LAN, one can always steal an IP address
- You need to control duplicates when the LAN grows (mine is a /16)

--
RMA.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
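As an added illustration of the CSV-driven setup Mihamina describes (this is example code written for this page, not Mihamina's own script): one shell script that checks the CSV for duplicate IPs or MACs, emits the dhcpd host stanzas, and emits FORWARD rules that accept a packet only when its source IP and source MAC both come from the same row. Interface names and the sample CSV rows are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Mihamina's script: build dhcpd host{} stanzas and
# iptables FORWARD rules from a CSV of "hostname,ip,mac" rows, and refuse
# to run on duplicate IPs or MACs. Interface names are assumptions; the
# CSV rows written by sample_csv are constructed data.
LAN_IF=${LAN_IF:-eth1}   # assumed LAN-facing interface
WAN_IF=${WAN_IF:-eth0}   # assumed Internet-facing interface

sample_csv() {  # write constructed sample rows to a temp file, print its path
    f=$(mktemp)
    printf 'pc1,192.0.2.10,52:54:00:aa:bb:01\npc2,192.0.2.11,52:54:00:aa:bb:02\n' > "$f"
    echo "$f"
}

# Duplicate control: return non-zero naming the first IP or MAC seen twice.
check_duplicates() {  # $1 = CSV path
    dup=$(grep -v '^#' "$1" | cut -d, -f2 | sort | uniq -d | head -n1)
    [ -z "$dup" ] || { echo "duplicate IP: $dup" >&2; return 1; }
    dup=$(grep -v '^#' "$1" | cut -d, -f3 | tr 'A-F' 'a-f' | sort | uniq -d | head -n1)
    [ -z "$dup" ] || { echo "duplicate MAC: $dup" >&2; return 1; }
}

# One fixed-address host block per row, for inclusion in dhcpd.conf.
gen_dhcpd_hosts() {  # $1 = CSV path
    grep -v '^#' "$1" | while IFS=, read -r name ip mac; do
        [ -n "$name" ] || continue
        printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' \
            "$name" "$mac" "$ip"
    done
}

# Rebuild FORWARD from scratch: default DROP, let replies back in, and
# accept outbound traffic only when source IP and source MAC both match
# the same CSV row, so a stolen IP on a different NIC is still dropped.
gen_iptables() {  # $1 = CSV path
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -F FORWARD\n'
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF"
    grep -v '^#' "$1" | while IFS=, read -r name ip mac; do
        [ -n "$name" ] || continue
        printf 'iptables -A FORWARD -i %s -o %s -s %s -m mac --mac-source %s -j ACCEPT\n' \
            "$LAN_IF" "$WAN_IF" "$ip" "$mac"
    done
}

# Usage: sh thisscript.sh hosts.csv > rules.sh   (sample data when no path is given)
csv=${1:-$(sample_csv)}
check_duplicates "$csv" && gen_dhcpd_hosts "$csv" && gen_iptables "$csv"
```

The MAC match only means anything on the LAN-facing input interface, which is why the accept rule is pinned to -i "$LAN_IF"; it still does not stop someone spoofing both the IP and the MAC of a host that is switched off, the weakness Mihamina lists.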


iptables and dhcp configuration

2012-08-08 Thread Jatin K

Dear all,


Is there any way or method available to configure iptables to allow only
DHCP-server-assigned IPs? That is, if a user manually sets his/her system's IP
address, then the Linux gateway (FC16) should reject it.
The user must use the IP address assigned by DHCP. (The DHCP server is
running on the same machine where iptables is installed, and the machine is
acting as a gateway.)


Warm Regards

--
  °v°
 /(_)\
  ^ ^  Jatin Khatri
RHCSA,RHCE,CCNA
Registered Linux user No #501175
www.linuxcounter.net
No M$



Re: iptables and dhcp configuration

2012-08-08 Thread Tim
On Wed, 2012-08-08 at 15:26 +0530, Jatin K wrote:
 Is there any way or method available to configure iptables to allow only
 DHCP-server-assigned IPs? That is, if a user manually sets his/her system's IP
 address, then the Linux gateway (FC16) should reject it.
 The user must use the IP address assigned by DHCP. (The DHCP server is
 running on the same machine where iptables is installed, and the machine is
 acting as a gateway.)

You could script something so that a computer added to the DHCP pool
gets added to the iptables rules, but can you actually achieve what you
want?

Are you simply blocking the client's access to the DHCP server (gateway
on it)?  That's easy enough to block via an IP rule.

Are you trying to block the client to anything, in which case your
gateway must actually be *between* the client and other things (merely
being on the same network isn't enough).  Otherwise, the gateway can
simply be bypassed.

And if a user manually assigns themselves the same IP, coincidentally,
should it be allowed or blocked?  Do you just care about the address, or
do you need a DHCP client acknowledge?

It sounds more like you need some sort of authentication system, rather
than just IP assignment.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: iptables and dhcp configuration

2012-08-08 Thread jdow

On 2012/08/08 04:52, Tim wrote:

On Wed, 2012-08-08 at 15:26 +0530, Jatin K wrote:

Is there any way or method available to configure iptables to allow only
DHCP-server-assigned IPs? That is, if a user manually sets his/her system's IP
address, then the Linux gateway (FC16) should reject it.
The user must use the IP address assigned by DHCP. (The DHCP server is
running on the same machine where iptables is installed, and the machine is
acting as a gateway.)


You could script something so that a computer added to the DHCP pool
gets added to the iptables rules, but can you actually achieve what you
want?

Are you simply blocking the client's access to the DHCP server (gateway
on it)?  That's easy enough to block via an IP rule.

Are you trying to block the client to anything, in which case your
gateway must actually be *between* the client and other things (merely
being on the same network isn't enough).  Otherwise, the gateway can
simply be bypassed.

And if a user manually assigns themselves the same IP, coincidentally,
should it be allowed or blocked?  Do you just care about the address, or
do you need a DHCP client acknowledge?

It sounds more like you need some sort of authentication system, rather
than just IP assignment.


Such a script has one significant problem.

Let's go over what it must do. First the script would read the log file
to determine DHCP activity. When it detects a newly assigned address it
must allow it in iptables. When it discovers an address being relinquished
it must disallow that address in iptables.

That sounds fairly simple. What could possibly go wrong? Well, for one
try pulling the Ethernet cable on a machine before you shut it down. There
is no message for that machine relinquishing its address. So the address
remains open. That's just one mechanism for failure of log monitoring
techniques or any other technique that relies only on what DHCPD knows.

So can we play smarter? I'd try the basic DHCP monitoring. Then I'd find
or develop a tool to periodically (on a seconds basis) check to see if
all the dhcp assigned boxes on the local net are still there. As soon as
they are registered as not there a flag is set with the former MAC and
IP addresses associated with the flag. If it remains disconnected for
more than five minutes inform DHCPD, somehow, to forcibly flush the
address that is no longer being used.

That is generally going to be safe from a set of naive users. If you have
ONE smart user who diagnoses what you are doing he can wait for a machine
to go down, using the same technique you used to detect it, and jump in
almost immediately spoofing that machine's MAC address. DHCP never learns
that the machine is down. And you still have the system penetrated.

Methinks what I'd do is put in two distinct network segments. One is open
to the world. The other is open to the too easily hackable wireless
router. Both get DHCP addresses from two different DHCP servers. The
access from machine to machine would require an ssh login. As long as the
ssh login remains the iptables configuration on the gateway machine
would open up to the internal network using two way IP address translation
to a distinct address per box. As soon as the ssh connection is shown to
be down, the door slams shut. The ssh connection could simply send a small
handshake packet periodically to perform this test.

Methinks I'll look into implementing that latter trick. I sort of like it.
And I have three different DHCP servers around here to play with in this
regard. All I need is a very serious round-tu-it.

{^_^}



Re: iptables and dhcp configuration

2012-08-08 Thread Bill Shirley


On 8/8/2012 5:56 AM, Jatin K wrote:

Dear all,


Is there any way or method available to configure iptables to allow
only DHCP-server-assigned IPs? That is, if a user manually sets his/her
system's IP address, then the Linux gateway (FC16) should reject it.
The user must use the IP address assigned by DHCP. (The DHCP server
is running on the same machine where iptables is installed, and the
machine is acting as a gateway.)


Warm Regards



Put this in your dhcpd.conf to record the IP address issue in an ipset:
on commit {
    # leased-address is binary; render it as dotted-quad text
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
#   set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
    # lease-time in seconds, rendered as decimal text
    set ClientLeaseTime = binary-to-ascii(10, 32, "", encode-int(lease-time, 32));
#   set ClientLeaseTime = encode-int(lease-time, 32);
#   set ClientLeaseTime = 14400;
    # old ipset syntax: add "IP,timeout" to the DHCPuser set
    execute(
        "/usr/sbin/ipset",
        "-A", "DHCPuser",
        concat(ClientIP, ",", ClientLeaseTime)
    );
}

You'll probably have to change the execute command to work with the new 
syntax of ipset.


Then use the functionality of iptables to use the ipset to allow/deny 
access.  I use Shorewall for my firewall which makes it pretty easy.


Bill

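Bill leaves the iptables side and the current ipset syntax to the reader; as an added example (not Bill's code), here is the same design written against the ipset command syntax in use today, together with the FORWARD rules that consume the set and the release/expiry hooks that drop an entry early. The set name DHCPuser comes from Bill's post; the interface names are assumptions, and DRY_RUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not Bill's own configuration: the ipset-gated gateway
# with the "add ... timeout" syntax of current ipset. Set name DHCPuser
# is from the thread; interface names are assumptions. DRY_RUN=1 prints
# the commands instead of executing them.
LAN_IF=${LAN_IF:-eth1}   # assumed LAN-facing interface
WAN_IF=${WAN_IF:-eth0}   # assumed Internet-facing interface
SET=DHCPuser

run() {  # print (DRY_RUN set) or execute a privileged command
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# One-time setup: a hash:ip set whose entries carry their own timeout,
# and a FORWARD policy that admits LAN traffic only from set members.
setup_firewall() {
    run ipset create -exist "$SET" hash:ip timeout 0
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -m set --match-set "$SET" src -j ACCEPT
}

# What dhcpd runs on commit: the leased IP with the lease time as the
# entry timeout, so the kernel drops it when the lease would expire.
lease_add() {  # $1 = IP, $2 = lease seconds
    run ipset add -exist "$SET" "$1" timeout "$2"
}
# On release or expiry, drop the entry right away instead of waiting.
lease_del() {  # $1 = IP
    run ipset del -exist "$SET" "$1"
}

# dhcpd.conf fragment wiring the lease events to the two commands above.
dhcpd_hooks() {
    cat <<'EOF'
on commit {
  set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
  set ClientLeaseTime = binary-to-ascii(10, 32, "", encode-int(lease-time, 32));
  execute("/usr/sbin/ipset", "add", "-exist", "DHCPuser", ClientIP, "timeout", ClientLeaseTime);
}
on release {
  set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
  execute("/usr/sbin/ipset", "del", "-exist", "DHCPuser", ClientIP);
}
on expiry {
  set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
  execute("/usr/sbin/ipset", "del", "-exist", "DHCPuser", ClientIP);
}
EOF
}

# Usage: DRY_RUN=1 sh thisscript.sh setup | hooks   (no argument: functions only)
case "${1:-}" in
    setup) setup_firewall ;;
    hooks) dhcpd_hooks ;;
esac
```

Because the entry timeout equals the lease time, a host that is unplugged without releasing stays admitted until its lease would have run out, which is exactly the window jdow's follow-up asks about.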


Re: iptables and dhcp configuration

2012-08-08 Thread jdow

On 2012/08/08 16:01, Bill Shirley wrote:


On 8/8/2012 5:56 AM, Jatin K wrote:

Dear all,


Is there any way or method available to configure iptables to allow only
DHCP-server-assigned IPs? That is, if a user manually sets his/her system's IP
address, then the Linux gateway (FC16) should reject it.
The user must use the IP address assigned by DHCP. (The DHCP server is
running on the same machine where iptables is installed, and the machine is
acting as a gateway.)

Warm Regards



Put this in your dhcpd.conf to record the IP address issue in an ipset:
 on commit {
     set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
 #   set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
     set ClientLeaseTime = binary-to-ascii(10, 32, "", encode-int(lease-time, 32));
 #   set ClientLeaseTime = encode-int(lease-time, 32);
 #   set ClientLeaseTime = 14400;
     execute(
         "/usr/sbin/ipset",
         "-A", "DHCPuser",
         concat(ClientIP, ",", ClientLeaseTime)
     );
 }

You'll probably have to change the execute command to work with the new syntax
of ipset.

Then use the functionality of iptables to use the ipset to allow/deny access.  I
use Shorewall for my firewall which makes it pretty easy.

Bill


What do you do about the fellow who simply hits the power switch or
disconnects the network cable?

{^_^}


Re: iptables and dhcp configuration

2012-08-08 Thread Tim
On Wed, 2012-08-08 at 18:31 -0700, jdow wrote:
 What do you do about the fellow who simply hits the power switch or
 disconnects the network cable?

Or moves out of wireless range?  And then comes back again?

As I said, it looked more like an authentication scheme was needed than
just IP assigning(/controlling).

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: iptables and dhcp configuration

2012-08-08 Thread Jatin K

On 08/08/2012 05:22 PM, Tim wrote:

On Wed, 2012-08-08 at 15:26 +0530, Jatin K wrote:

Is there any way or method available to configure iptables to allow only
DHCP-server-assigned IPs? That is, if a user manually sets his/her system's IP
address, then the Linux gateway (FC16) should reject it.
The user must use the IP address assigned by DHCP. (The DHCP server is
running on the same machine where iptables is installed, and the machine is
acting as a gateway.)

You could script something so that a computer added to the DHCP pool
gets added to the iptables rules, but can you actually achieve what you
want?

Are you simply blocking the client's access to the DHCP server (gateway
on it)?  That's easy enough to block via an IP rule.

Are you trying to block the client to anything, in which case your
gateway must actually be *between* the client and other things (merely
being on the same network isn't enough).  Otherwise, the gateway can
simply be bypassed.

And if a user manually assigns themselves the same IP, coincidentally,
should it be allowed or blocked?  Do you just care about the address, or
do you need a DHCP client acknowledge?

It sounds more like you need some sort of authentication system, rather
than just IP assignment.

I want something with captive-portal-like functions, but I don't want to use
the available ready-to-use software/solutions like [1]. I want to build
my own on FC16, to get the technical idea of how it works and how it can
be customized.


[1] http://en.wikipedia.org/wiki/Captive_portal

--
  °v°
 /(_)\
  ^ ^  Jatin Khatri
RHCSA,RHCE,CCNA
Registered Linux user No #501175
www.linuxcounter.net
No M$



Re: iptables and dhcp configuration

2012-08-08 Thread Bill Shirley


On 8/9/2012 12:49 AM, Tim wrote:

On Wed, 2012-08-08 at 18:31 -0700, jdow wrote:

What do you do about the fellow who simply hits the power switch or
disconnects the network cable?

Or moves out of wireless range?  And then comes back again?

As I said, it looked more like an authentication scheme was needed than
just IP assigning(/controlling).



It depends on what you want.  If you want something that is bullet 
proof, then no, this is not for you.  But if you have someone who is 
actively trying to bypass security then you have more than a network 
problem.


If you want something that encourages people to use DHCP, then this 
could be an answer.  If you don't acquire an IP address via DHCP, I 
don't pass you thru the firewall to teh interwebz.


It's been my experience that when the ISC DHCP server sees a new MAC 
address, it doesn't re-use IP leases until it has cycled thru the pool.  
If you had understood the code you would have noticed that an IP address 
is removed from the ipset when the lease expires.  This could be changed 
to work off the MAC address too.


Also, most PCs ask to re-lease the last IP address they had.

Bill





Re: iptables and dhcp configuration

2012-08-08 Thread jdow

On 2012/08/08 22:05, Jatin K wrote:

On 08/08/2012 05:22 PM, Tim wrote:

On Wed, 2012-08-08 at 15:26 +0530, Jatin K wrote:

Is there any way or method available to configure iptables to allow only
DHCP-server-assigned IPs? That is, if a user manually sets his/her system's IP
address, then the Linux gateway (FC16) should reject it.
The user must use the IP address assigned by DHCP. (The DHCP server is
running on the same machine where iptables is installed, and the machine is
acting as a gateway.)

You could script something so that a computer added to the DHCP pool
gets added to the iptables rules, but can you actually achieve what you
want?

Are you simply blocking the client's access to the DHCP server (gateway
on it)?  That's easy enough to block via an IP rule.

Are you trying to block the client to anything, in which case your
gateway must actually be *between* the client and other things (merely
being on the same network isn't enough).  Otherwise, the gateway can
simply be bypassed.

And if a user manually assigns themselves the same IP, coincidentally,
should it be allowed or blocked?  Do you just care about the address, or
do you need a DHCP client acknowledge?

It sounds more like you need some sort of authentication system, rather
than just IP assignment.


I want something with captive-portal-like functions, but I don't want to use the
available ready-to-use software/solutions like [1]. I want to build my own on FC16,
to get the technical idea of how it works and how it can be customized.

[1] http://en.wikipedia.org/wiki/Captive_portal


The MAC address is going to be your important feature for routing. MAC
address spoofing is an issue. But it's not a deadly issue related to say
corporate security.

For iptables --mac-source is your magic. You'd have a login process to
which all packets are sent until the MAC address is enabled with an
iptables command using --mac-source. There'd be a login web page that
would send the appropriate iptables exception command and later on after
the signup period ends remove the iptables exception. This expiration
could take place using a cron command.

Now, go read up on iptables to figure out the steps you need and the
exact commands, code it up, and play.

{^_^}