LinuxQuestions.org
Old 07-11-2007, 04:53 PM   #1
mson77
LQ Newbie
 
Registered: Jul 2007
Location: Brazil
Distribution: Fedora 7 - Pentium 4 HT 3.0GHz FSB800MHz, 2GByte RAM, text-mode linux
Posts: 10
Can I use proxy-arp and NAT to route an "alien" computer to the Internet?


I want to use a Linux box to bridge 2 heterogeneous networks.

Network 1 (eth0): The Internet
Network 2 (eth1): An Ethernet segment where everybody could plug his computer. Don't even think of subnets...

I want to allow computers connected to Network 2 to initiate requests to the Internet (browsing...).

Of course, I can't figure out what the IP address of a computer plugged into Network 2 is. If that computer is configured to use DHCP, I can provide it with all the parameters to route to Network 1. If that computer uses a static IP address, I imagine using proxy-arp to answer that computer with the MAC address of the Linux box as its gateway. Then, I could use NAT to let it access the Internet.

Can I consider such a scenario? What is needed to accomplish this?
=====================================================
I have already set:
echo "1" > /proc/sys/net/ipv4/conf/eth1/proxy_arp
arp -i eth1 -s 172.16.14.1 00:E0:4C:B0:1B:A5 pub
where:
IP_eth1=172.16.14.1
MAC_eth1=00:E0:4C:B0:1B:A5
=====================================================

Thanks,


mson77

Last edited by mson77; 07-12-2007 at 10:54 AM.
 
Old 07-11-2007, 07:44 PM   #2
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211
You want to allow a guest host to be able to dictate to your network what IP it is to be known as? Do not do this, it messes with any sensible security. Require those computers to use DHCP when they want to use your network... their users will just have to make do. (Most computers can store information needed to use a variety of networks.)
 
Old 07-11-2007, 09:12 PM   #3
mson77
LQ Newbie
Original Poster
Hello Simon Bridge,

Thank you for your attention.
I manage a LAN. I always have guests connecting to this LAN. The guests' notebooks may come with many different kinds of network configurations, and I do not want to set up anything on these guests' notebooks; I do not have much spare time for it.

I tested a non-free hotspot solution called MikroTik and this solution called RouterOS was perfect. As you can read at the link provided... "HotSpot - HotSpot Gateway with RADIUS authentication and accounting; true Plug-and-Play access for network users; data rate limitation; differentiated firewall; traffic quota; real-time status information; walled-garden; customized HTML login pages; iPass support; SSL secure authentication; advertisement support"

But my company wants an open source solution from me.
Then I started to study ARP/ArpProxy... and I guess that ProxyARP may help me a bit. I really do not know how, but I guess it is possible to implement with some open source solution.

Well Mr Simon Bridge... this LAN is used only for guests to access internet. Just a free offered service to the guests.

Thank you,

mson77

Last edited by mson77; 07-12-2007 at 10:55 AM.
 
Old 07-12-2007, 07:08 AM   #4
Simon Bridge
Guru
Quote:
I manage a LAN. I always have guests connecting to this LAN. The guests' notebooks may come with many different kinds of network configurations, and I do not want to set up anything on these guests' notebooks; I do not have much spare time for it.
So do I... and many other people. You post a notice telling the users how to access the LAN.

Fine that you found a solution you like and good you posted the solution here. But beware... these things are murder to secure.
 
Old 07-12-2007, 10:30 AM   #5
mson77
LQ Newbie
Original Poster
Quote:
Originally Posted by Simon Bridge
So do I... and many other people. You post a notice telling the users how to access the LAN.

Fine that you found a solution you like and good you posted the solution here. But beware... these things are murder to secure.

Yes. I found a solution but for test purpose only (demo/trial/non-GNU).
I tested this solution to check that this is feasible... and it is.
The question now is... how to implement this using open-source way?

Any suggestion?

Thanks,


mson77
 
Old 07-12-2007, 10:50 AM   #6
mson77
LQ Newbie
Original Poster
Quote:
Originally Posted by Simon Bridge
But beware... these things are murder to secure.
Mr Bridge... please, what kind of insecurity may this solution introduce?

It only provides access to the internet for the guests with the feature "plug&play network access". I cannot understand how it can compromise security.

The possible holes could be:
1) one guest attacks another guest?
2) one guest attacks the internet?
3) one guest attacks the internal LAN? (taking down the internal LAN)

But the 3 possibilities above may exist even in a DHCP-only based solution.

I understand that internal cabled LAN may be dropped down easily by any guest.


mson77

PS: This is a cabled LAN. Not wireless.

Last edited by mson77; 07-12-2007 at 10:57 AM.
 
Old 07-13-2007, 01:05 AM   #7
Simon Bridge
Guru
You missed the increased exposure to spoofing and sniffing from the internet. This is because of the wide range of network IPs available to your guest hosts.

I'm not saying you cannot protect yourself, only that it is harder. In general, the more convenient it is, the less secure it is.

People who use laptops are used to changing network settings for where they are.
 
Old 07-13-2007, 01:18 AM   #8
mson77
LQ Newbie
Original Poster
Hi...

I am now looking over the following:

ebtables;
parprouted;

I guess that I need:
1) be able to "capture" all possible default gateways from the guests (maybe using proxyarp);
2) snat 1:1 to my network addresses;
3) using my network addresses route the packets to the internet;

But... I am...trying...
... and trying... and googling... and no result.

Very upset... about my performance. Sorry.


mson77
 
Old 07-13-2007, 01:24 AM   #9
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
Quote:
with the feature "plug&play network access".
Is that a euphemism for uPnP or DHCP?
The former will allow a host to open any ports on the firewall they want to without your control. It's the first thing to disable on a consumer router.

The latter was already suggested and will be used by anyone with a home NAT router or a cable modem. If a guest has a static address on their laptop, they will also have the wrong gateway and nameserver IPs as well.
 
Old 07-13-2007, 01:39 AM   #10
mson77
LQ Newbie
Original Poster
Hi...

"plug&play network access"

==> it means:
a) if the guest has its DHCP client enabled: perfect. As usual, and it works;
b) if the guest has a static network configuration and these IP addresses (ip/mask/gw/dns) are completely different from those provided by the local LAN DHCP server: perfect. It is amazing, but the guest accesses the internet perfectly.

summary:

The IP values on the guest's laptop do not matter. This router allows the guest to browse the internet. The exception is: the browser must connect with no proxy, i.e., direct mode must be set.

I want to implement a similar solution (but free/open source) to this MikroTik RouterOS (which must be paid for).


mson77

Last edited by mson77; 07-13-2007 at 01:42 AM.
 
Old 07-15-2007, 12:24 AM   #11
jschiwal
Guru
You could look at a Linux router oriented distribution. Also look for Linux brouter howtos.

It sounds like your device will need to take the MAC address of the guest's computer, and dynamically change the NAT rules and the routing table based on the interface's IP setting.

Sorry for being so stubborn, but anyone who can configure their computer for static addressing will know how to switch to DHCP. You will see far more problems when Windows XP defaults to ieee802.3 Authentication on the interface, and that is something that "Plug & Play networking" can't handle for them.

Last edited by jschiwal; 07-15-2007 at 12:41 AM.
 
Old 07-15-2007, 01:26 PM   #12
mson77
LQ Newbie
Original Poster
Hi jschiwal

First thank you for your kind reply.

This project at sourceforge <ippnp> looks perfect to me... but there are no files to download.

I will follow your advice... looking for brouter.

As a reference of what I am looking for... besides mikrotik solution (read at #Getting Address item)... here is another one called nomadix and read about DAT (Dynamic Address Translation).

Thank you,


mson77

Last edited by mson77; 07-15-2007 at 01:53 PM.
 
Old 07-17-2007, 02:18 AM   #13
jschiwal
Guru
There are two things I wonder about from your supplied links.

A) What if two users use the same static IP address.
B) What about the user who has their wireless set to channel 10 for example, but your wireless AP runs on channel 11.

Here is a Wiki on kernel ebt configuration options.
http://howto.wikia.com/wiki/Howto_co...idge/netfilter

Here is a Wiki on Linux Wireless APs. This one involves ebt rules but not to the extent you are thinking of doing.
http://gentoo-wiki.com/HOWTO_Buildin...s_Access_Point

This post got me thinking. Networks in conventions and hotels are notorious for being insecure. Most wired networks in motels still use hubs instead of switches for example. IMHO better security may be a better selling point than PnP networking. Using DHCP should be easy enough for 99.9% of users. Being protected against snooping by other guests, or war drivers would be more important to more and more security minded users. Simple and secure are normally inversely proportional, but ironically a radius setup is easier to use for the end user than using pre-shared keys. Every user is assigned a unique key. But getting to that point would require the user to change their authentication settings.

Last edited by jschiwal; 07-17-2007 at 03:16 AM.
 
Old 07-17-2007, 11:38 AM   #14
mson77
LQ Newbie
Original Poster
Quote:
Originally Posted by jschiwal
There are two things I wonder about from your supplied links.

A) What if two users use the same static IP address.
B) What about the user who has their wireless set to channel 10 for example, but your wireless AP runs on channel 11.

Hello jschiwal,

May we divide this topic into 02 arenas?
a) Feasibility;
b) Security;
===================================================================================
Well, using few words... may we start with feasibility?
I am sure that this solution provides a lot of benefits in terms of flexibility. But let me say that this realm is limited to the local ethernet segment where the usual "arp" flows.

Regarding security issue, this is an arena where we can talk about static data security, flowing data security, physical laptop security (against thieves)... but focusing on data being exchanged we have vpn as usual solution for those needed.
===================================================================================

Regarding your question above I understand that the very basic information on a local ethernet network is driven by MAC address instead of IP address... looking for instance at OSI level.
So if 02 stations have the same IP address... I understand that these 2 guys are different if we "see" the pair (MAC,IPaddress)... assuming that MAC addresses are always different from each other.

So, the next step is to NAT one-to-one these clients from (MAC,IPaddress) to some NATed address using a virtual tunnel interface. This virtual tunnel interface is some virtual middle-point used just to "concentrate" the packets and to associate an IP address (the NATed 1:1 addresses). So at this virtual interface we would have the pair (MAC,IPaddress) translated to (NATed address). And these NATed address could be from some network_number/mask that network admin may define.

Then at this virtual interface we would have packets with NATed addresses that can be routed and forwarded to eth0 (internet interface) using iptables rules to implement firewalling rules.

Well... what I need now is a routine/code that works as function like: f(MAC,IPaddress)=NATed address... and a virtual interface.
This is what I am looking for now.
====================================================================================

Also we have to keep in mind that a bridge is like a "physical cable"... it does not care about IP addresses. So I understand that bridge-utils and ebtables cannot help me. Please correct me if I am wrong.

Thank you,


mson77
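An added illustration of the f(MAC,IPaddress)=NATed address idea from the post above; this is not code from the thread, from MikroTik or from nomadix. The interface names eth1/eth0, the pool 10.200.0.0/29 and the netfilter layout (tag the guest's packets by source MAC+IP in mangle PREROUTING, then SNAT by that mark) are assumptions chosen for the example.

```python
import ipaddress


class GuestNatTable:
    """Map each guest, keyed by the pair (MAC, source IP), to one address from
    an admin-defined pool. Keying on the pair rather than the IP alone keeps two
    guests that both bring the same static IP apart on the outbound side.
    Interface names and pool are constructed example values (assumptions)."""

    def __init__(self, pool_cidr, guest_if="eth1", wan_if="eth0"):
        self.free = list(ipaddress.ip_network(pool_cidr).hosts())
        self.table = {}          # (mac, guest_ip) -> (nat_ip, fwmark)
        self.next_mark = 1       # fwmarks are never reused, so no collisions
        self.guest_if, self.wan_if = guest_if, wan_if

    @staticmethod
    def _key(mac, guest_ip):
        return (mac.lower(), str(ipaddress.ip_address(guest_ip)))

    def allocate(self, mac, guest_ip):
        """Return the NATed address for this guest, allocating one if new."""
        key = self._key(mac, guest_ip)
        if key in self.table:
            return self.table[key][0]
        if not self.free:
            raise RuntimeError("NAT pool exhausted")
        nat_ip = str(self.free.pop(0))
        self.table[key] = (nat_ip, self.next_mark)
        self.next_mark += 1
        return nat_ip

    def release(self, mac, guest_ip):
        """Free the pool address when the guest leaves."""
        nat_ip, _ = self.table.pop(self._key(mac, guest_ip))
        self.free.append(ipaddress.ip_address(nat_ip))

    def rules(self, mac, guest_ip):
        """Render the per-guest commands (assumed layout, not the page's)."""
        nat_ip, mark = self.table[self._key(mac, guest_ip)]
        return [
            # tag packets arriving from exactly this (MAC, IP) pair on the guest segment
            f"iptables -t mangle -A PREROUTING -i {self.guest_if} -m mac "
            f"--mac-source {mac} -s {guest_ip} -j MARK --set-mark {mark}",
            # rewrite the source to the pool address on the way out; conntrack un-NATs replies
            f"iptables -t nat -A POSTROUTING -o {self.wan_if} -m mark --mark {mark} "
            f"-j SNAT --to-source {nat_ip}",
            # the kernel needs a route back to the guest's arbitrary IP (also satisfies rp_filter)
            f"ip route add {guest_ip}/32 dev {self.guest_if}",
        ]
```

The (MAC, IP) key only disambiguates duplicate static IPs outbound: the neighbour table holds one MAC per IP, so replies to two guests sharing an IP still cannot both be delivered, which is the limit behind question A in post #13.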
 
Old 10-19-2009, 11:01 PM   #15
xiaoc
LQ Newbie
 
Registered: Oct 2009
Posts: 1
hi mson,

Did you solve your problem? If not, you may email me, because with your tips on proxy_arp I was able to solve my problem, which was the same as yours.

rgds,
xiaoc
All times are GMT -5. The time now is 11:36 PM.