LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 12-13-2004, 11:38 PM   #1
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Question Enforcing DHCP Server Usage on a LAN


how can i enforce the use of a (linux) DHCP server on a LAN??

i want to make it so that the hosts don't have internet access until they get a dhcp lease...

like, even if they were to statically assign themselves the same IP address the dhcp server was gonna give them, they still wouldn't have access until they got a (proper) dhcp lease...

i have dhcpd, dnsmasq, and iptables running on the lan's linux 2.4 gateway...

any ideas would be greatly appreciated...
 
Old 12-14-2004, 07:00 AM   #2
nutthick
Member
 
Registered: Jun 2004
Distribution: Slack
Posts: 214

Rep: Reputation: 30
I'm not quite sure how you would do this in linux, but in the networking world at large you could lock your outbound router to only allow a certain set of IP addresses out. Another thing would be to only assign DHCP addresses to computers with authenticated MAC addresses. This would allow you to have control over who gets what IP address. You could also only allow certain Mac addresses to pass data through your router, but that would mean each NIC would have to register with you to gain outbound access.

As I said, not sure if linux can do any of this, but might point you onto something else.

HTH
 
Old 12-14-2004, 09:02 AM   #3
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
In theory, you can scan your dhcp.leases file for valid entries and MAC addresses, then by script insert them in a specific FORWARD chain..

eg
iptables -N mac_ok
iptables -A FORWARD -i ethx -j mac_ok

iptables -I mac_ok -m mac --mac-source 00:00:00:00:00:01 -j RETURN

iptables -A mac-ok -j REJECT --reject-with icmp-net-prohibited

The only rules to be saved in the startup script would be the permanent MAC addresses, the first 2 rules and the last rule.
The Insert rule comes from the dhcp script..

The key element is scanning the leases file after a new lease is given, and after a lease expires.
Using the patch-o-matic time patch, you could also add a rule to expire the MAC address...

Two documents...
http://iptables-tutorial.frozentux.n...-tutorial.html
http://www.netfilter.org/documentati...q-1.html#ss1.5
 
Old 12-15-2004, 12:39 AM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally posted by nutthick
I'm not quite sure how you would do this in linux, but in the networking world at large you could lock your outbound router to only allow a certain set of IP addresses out. Another thing would be to only assign DHCP addresses to computers with authenticated MAC addresses. This would allow you to have control over who gets what IP address. You could also only allow certain Mac addresses to pass data through your router, but that would mean each NIC would have to register with you to gain outbound access.

As I said, not sure if linux can do any of this, but might point you onto something else.
thanks for the reply...

yup, gnu/linux does all those things... i'm using netfilter to limit the routing to certain mac and ip addresses, and dhcpd gives-out leases only to the mac addresses in it's conf... but none of that prevents a host from not using the dhcp server and instead giving itself it's ip address statically and being able to connect to the internet...

i think what i'm looking for is a system that dynamically updates my iptables rules depending on the content of my /var/state/dhcp/dhcp.leases file...

Last edited by win32sux; 12-15-2004 at 12:43 AM.
 
Old 12-15-2004, 12:40 AM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally posted by peter_robb
In theory, you can scan your dhcp.leases file for valid entries and MAC addresses, then by script insert them in a specific FORWARD chain..
thanks so much for the input, i really appreciate it...

this sounds exactly like what i want to do...

Quote:
iptables -N mac_ok
iptables -A FORWARD -i ethx -j mac_ok

iptables -I mac_ok -m mac --mac-source 00:00:00:00:00:01 -j RETURN

iptables -A mac-ok -j REJECT --reject-with icmp-net-prohibited

The only rules to be saved in the startup script would be the permanent MAC addresses, the first 2 rules and the last rule.
The Insert rule comes from the dhcp script..

The key element is scanning the leases file after a new lease is given, and after a lease expires.
okay, let me see if i understand this correctly before i attempt to create the script...

i create a chain called "mac_ok" and call it at the forefront of my FORWARD chain... mac_ok's last rule is a REJECT or a DROP... then i use a script to scan (using grep, etc.) my dhcp.leases file for my lan's mac addresses, and if the mac address is found in the dhcp.leases file, then a RETURN rule is inserted before the DROP/REJECT rule so the packets will hence keep traveling through the FORWARD chain as usual... if the script doesn't find the mac address in the dhcpd.leases file, then it's rule in the mac_ok chain is deleted using "iptables -D"...

does this sound about right to you??

also, would you use cron to run this script every so often or do you suggest some other way??

i'm not sure how to make it so the script is run every time a lease is given or expired...
 
Old 12-15-2004, 05:04 AM   #6
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
Yup.. well understood..

The script would need to be run at the end of the dhcp lease issue, which means dhcpd would need to do it.. otherwise the time lag would be too great before getting access..

Not all dhcp servers can do a 'post-lease' action, so a little bit of searching will be required..
 
Old 12-16-2004, 09:25 AM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally posted by peter_robb
Yup.. well understood..

The script would need to be run at the end of the dhcp lease issue, which means dhcpd would need to do it.. otherwise the time lag would be too great before getting access..

Not all dhcp servers can do a 'post-lease' action, so a little bit of searching will be required..
cool... thanks!!

i've been googling about running a script when dhcp gives a lease or expires one but i haven't had much luck...

it's a tough google... lol...

in the meantime, i wanted to get your opinion on a different approach:

what if the script monitors the dhcpd.leases file for changes?? if it sees the file changed, it does it's thing, etc...

i was thinking maybe it could run the dhcpd.leases file through an md5sum every 5 seconds to check, for example...

does that sound like a good idea to you??

i think it could work if the only thing that happens when a lease expires is that it's entry in dhcpd.leases is removed, but i'm not sure if that's the way it is...
 
Old 12-17-2004, 04:24 AM   #8
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
There are some programs which do just that...
monitor the dhcp.leases file..
eg dnsmasq

Maybe you can see how it is done...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how to determine cpu usage, memory usage, I/O usage by a particular user logged on li rags2k Programming 4 08-21-2004 04:45 AM
DHCP Server for internal LAN and DMz NVETHIS Linux - Networking 1 07-11-2003 10:16 AM
XP Pro Build 2600/sp1 v.1105 DHCP Client to Redhat 8.0 DHCP Server - Problems atomant Linux - Networking 5 06-28-2003 11:24 AM
How do you make the ip masquerade server/dhcp server broadcast dns to lan cmisip Linux - Networking 6 01-25-2003 10:43 PM
DHCP server on two LAN cards V.krishna kumar Linux - Networking 3 10-24-2002 12:57 PM


All times are GMT -5. The time now is 08:43 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration