LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Enforcing DHCP Server Usage on a LAN (http://www.linuxquestions.org/questions/linux-networking-3/enforcing-dhcp-server-usage-on-a-lan-266151/)

win32sux 12-13-2004 11:38 PM

Enforcing DHCP Server Usage on a LAN
 
how can i enforce the use of a (linux) DHCP server on a LAN??

i want to make it so that the hosts don't have internet access until they get a dhcp lease...

like, even if they were to statically assign themselves the same IP address the dhcp server was gonna give them, they still wouldn't have access until they got a (proper) dhcp lease...

i have dhcpd, dnsmasq, and iptables running on the lan's linux 2.4 gateway...

any ideas would be greatly appreciated...

nutthick 12-14-2004 07:00 AM

I'm not quite sure how you would do this in linux, but in the networking world at large you could lock your outbound router to only allow a certain set of IP addresses out. Another thing would be to only assign DHCP addresses to computers with authenticated MAC addresses. This would allow you to have control over who gets what IP address. You could also only allow certain Mac addresses to pass data through your router, but that would mean each NIC would have to register with you to gain outbound access.

As I said, not sure if linux can do any of this, but might point you onto something else.

HTH :)

peter_robb 12-14-2004 09:02 AM

In theory, you can scan your dhcp.leases file for valid entries and MAC addresses, then by script insert them in a specific FORWARD chain..

eg
iptables -N mac_ok
iptables -A FORWARD -i ethx -j mac_ok

iptables -I mac_ok -m mac --mac-source 00:00:00:00:00:01 -j RETURN

iptables -A mac-ok -j REJECT --reject-with icmp-net-prohibited

The only rules to be saved in the startup script would be the permanent MAC addresses, the first 2 rules and the last rule.
The Insert rule comes from the dhcp script..

The key element is scanning the leases file after a new lease is given, and after a lease expires.
Using the patch-o-matic time patch, you could also add a rule to expire the MAC address...

Two documents...
http://iptables-tutorial.frozentux.n...-tutorial.html
http://www.netfilter.org/documentati...q-1.html#ss1.5

win32sux 12-15-2004 12:39 AM

Quote:

Originally posted by nutthick
I'm not quite sure how you would do this in linux, but in the networking world at large you could lock your outbound router to only allow a certain set of IP addresses out. Another thing would be to only assign DHCP addresses to computers with authenticated MAC addresses. This would allow you to have control over who gets what IP address. You could also only allow certain Mac addresses to pass data through your router, but that would mean each NIC would have to register with you to gain outbound access.

As I said, not sure if linux can do any of this, but might point you onto something else.

thanks for the reply...

yup, gnu/linux does all those things... i'm using netfilter to limit the routing to certain mac and ip addresses, and dhcpd gives-out leases only to the mac addresses in it's conf... but none of that prevents a host from not using the dhcp server and instead giving itself it's ip address statically and being able to connect to the internet...

i think what i'm looking for is a system that dynamically updates my iptables rules depending on the content of my /var/state/dhcp/dhcp.leases file...

win32sux 12-15-2004 12:40 AM

Quote:

Originally posted by peter_robb
In theory, you can scan your dhcp.leases file for valid entries and MAC addresses, then by script insert them in a specific FORWARD chain..
thanks so much for the input, i really appreciate it...

this sounds exactly like what i want to do...

Quote:

iptables -N mac_ok
iptables -A FORWARD -i ethx -j mac_ok

iptables -I mac_ok -m mac --mac-source 00:00:00:00:00:01 -j RETURN

iptables -A mac-ok -j REJECT --reject-with icmp-net-prohibited

The only rules to be saved in the startup script would be the permanent MAC addresses, the first 2 rules and the last rule.
The Insert rule comes from the dhcp script..

The key element is scanning the leases file after a new lease is given, and after a lease expires.

okay, let me see if i understand this correctly before i attempt to create the script...

i create a chain called "mac_ok" and call it at the forefront of my FORWARD chain... mac_ok's last rule is a REJECT or a DROP... then i use a script to scan (using grep, etc.) my dhcp.leases file for my lan's mac addresses, and if the mac address is found in the dhcp.leases file, then a RETURN rule is inserted before the DROP/REJECT rule so the packets will hence keep traveling through the FORWARD chain as usual... if the script doesn't find the mac address in the dhcpd.leases file, then it's rule in the mac_ok chain is deleted using "iptables -D"...

does this sound about right to you??

also, would you use cron to run this script every so often or do you suggest some other way??

i'm not sure how to make it so the script is run every time a lease is given or expired...

peter_robb 12-15-2004 05:04 AM

Yup.. well understood..

The script would need to be run at the end of the dhcp lease issue, which means dhcpd would need to do it.. otherwise the time lag would be too great before getting access..

Not all dhcp servers can do a 'post-lease' action, so a little bit of searching will be required..

win32sux 12-16-2004 09:25 AM

Quote:

Originally posted by peter_robb
Yup.. well understood..

The script would need to be run at the end of the dhcp lease issue, which means dhcpd would need to do it.. otherwise the time lag would be too great before getting access..

Not all dhcp servers can do a 'post-lease' action, so a little bit of searching will be required..

cool... thanks!!

i've been googling about running a script when dhcp gives a lease or expires one but i haven't had much luck...

it's a tough google... lol...

in the meantime, i wanted to get your opinion on a different approach:

what if the script monitors the dhcpd.leases file for changes?? if it sees the file changed, it does it's thing, etc...

i was thinking maybe it could run the dhcpd.leases file through an md5sum every 5 seconds to check, for example...

does that sound like a good idea to you??

i think it could work if the only thing that happens when a lease expires is that it's entry in dhcpd.leases is removed, but i'm not sure if that's the way it is...

peter_robb 12-17-2004 04:24 AM

There are some programs which do just that...
monitor the dhcp.leases file..
eg dnsmasq

Maybe you can see how it is done...


All times are GMT -5. The time now is 06:24 AM.