Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
How can I enforce the use of a (Linux) DHCP server on a LAN??
I want to make it so that the hosts don't have internet access until they get a DHCP lease...
Like, even if they were to statically assign themselves the same IP address the DHCP server was gonna give them, they still wouldn't have access until they got a (proper) DHCP lease...
I have dhcpd, dnsmasq, and iptables running on the LAN's Linux 2.4 gateway...
I'm not quite sure how you would do this in Linux, but in the networking world at large you could lock your outbound router to only allow a certain set of IP addresses out. Another thing would be to only assign DHCP addresses to computers with authenticated MAC addresses. This would allow you to have control over who gets what IP address. You could also only allow certain MAC addresses to pass data through your router, but that would mean each NIC would have to register with you to gain outbound access.
As I said, not sure if Linux can do any of this, but might point you onto something else.
In theory, you can scan your dhcp.leases file for valid entries and MAC addresses, then by script insert them in a specific FORWARD chain..
iptables -N mac_ok
iptables -A FORWARD -i ethx -j mac_ok
iptables -I mac_ok -m mac --mac-source 00:00:00:00:00:01 -j RETURN
iptables -A mac_ok -j REJECT --reject-with icmp-net-prohibited
The only rules to be saved in the startup script would be the permanent MAC addresses, the first 2 rules and the last rule.
The Insert rule comes from the dhcp script..
The key element is scanning the leases file after a new lease is given, and after a lease expires.
Using the patch-o-matic time patch, you could also add a rule to expire the MAC address...
Originally posted by nutthick I'm not quite sure how you would do this in Linux, but in the networking world at large you could lock your outbound router to only allow a certain set of IP addresses out. Another thing would be to only assign DHCP addresses to computers with authenticated MAC addresses. This would allow you to have control over who gets what IP address. You could also only allow certain MAC addresses to pass data through your router, but that would mean each NIC would have to register with you to gain outbound access.
As I said, not sure if Linux can do any of this, but might point you onto something else.
thanks for the reply...
Yup, GNU/Linux does all those things... I'm using netfilter to limit the routing to certain MAC and IP addresses, and dhcpd gives out leases only to the MAC addresses in its conf... but none of that prevents a host from not using the DHCP server and instead giving itself its IP address statically and being able to connect to the internet...
I think what I'm looking for is a system that dynamically updates my iptables rules depending on the content of my /var/state/dhcp/dhcp.leases file...
Originally posted by peter_robb In theory, you can scan your dhcp.leases file for valid entries and MAC addresses, then by script insert them in a specific FORWARD chain..
Thanks so much for the input, I really appreciate it...
this sounds exactly like what i want to do...
Quote:
iptables -N mac_ok
iptables -A FORWARD -i ethx -j mac_ok
iptables -I mac_ok -m mac --mac-source 00:00:00:00:00:01 -j RETURN
iptables -A mac_ok -j REJECT --reject-with icmp-net-prohibited
The only rules to be saved in the startup script would be the permanent MAC addresses, the first 2 rules and the last rule.
The Insert rule comes from the dhcp script..
The key element is scanning the leases file after a new lease is given, and after a lease expires.
Okay, let me see if I understand this correctly before I attempt to create the script...
I create a chain called "mac_ok" and call it at the forefront of my FORWARD chain... mac_ok's last rule is a REJECT or a DROP... then I use a script to scan (using grep, etc.) my dhcp.leases file for my LAN's MAC addresses, and if the MAC address is found in the dhcp.leases file, then a RETURN rule is inserted before the DROP/REJECT rule so the packets will hence keep traveling through the FORWARD chain as usual... if the script doesn't find the MAC address in the dhcpd.leases file, then its rule in the mac_ok chain is deleted using "iptables -D"...
Does this sound about right to you??
Also, would you use cron to run this script every so often or do you suggest some other way??
I'm not sure how to make it so the script is run every time a lease is given or expired...
Yup.. well understood..
The script would need to be run at the end of the dhcp lease issue, which means dhcpd would need to do it.. otherwise the time lag would be too great before getting access..
Not all dhcp servers can do a 'post-lease' action, so a little bit of searching will be required..
Originally posted by peter_robb Yup.. well understood..
The script would need to be run at the end of the dhcp lease issue, which means dhcpd would need to do it.. otherwise the time lag would be too great before getting access..
Not all dhcp servers can do a 'post-lease' action, so a little bit of searching will be required..
Cool... thanks!!
I've been googling about running a script when dhcp gives a lease or expires one but I haven't had much luck...
It's a tough google... lol...
In the meantime, I wanted to get your opinion on a different approach:
What if the script monitors the dhcpd.leases file for changes?? If it sees the file changed, it does its thing, etc...
I was thinking maybe it could run the dhcpd.leases file through an md5sum every 5 seconds to check, for example...
Does that sound like a good idea to you??
I think it could work if the only thing that happens when a lease expires is that its entry in dhcpd.leases is removed, but I'm not sure if that's the way it is...
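Added example, not code from any poster in this thread: a script that ties together peter_robb's mac_ok chain, the scan/insert/delete steps the OP describes, and the md5sum polling idea from the last post. The leases file path, the chain name and the "echo iptables" dry-run switch are assumptions; `iptables -S` is used to read the chain back (newer iptables than the 2.4 kernel here had, so older setups would parse `iptables -L mac_ok -n` instead). The point the OP was unsure about at the end is handled explicitly: ISC dhcpd's leases file is append-only, so expired leases are not removed, a newer block for the same IP supersedes an older one, and a lease that simply runs out may not rewrite the file at all. The script therefore compares each lease's `ends` time against the clock rather than trusting the file to change, and forces a full re-sync periodically even when the checksum is unchanged.

```shell
#!/bin/sh
# Added example (not from the thread): keep the "mac_ok" netfilter chain in
# step with the MACs that hold a live lease in ISC dhcpd's leases file.
# Assumed (placeholders): the chain already exists and ends in the REJECT rule,
# the leases path below, and IPTABLES="echo iptables" for a dry run.
export LC_ALL=C
LEASES="${LEASES:-/var/state/dhcp/dhcp.leases}"
IPTABLES="${IPTABLES:-iptables}"
PERMANENT_MACS="${PERMANENT_MACS:-}"   # static hosts that keep access regardless

# active_macs FILE [NOW]: print MACs with a live lease, one per line, sorted.
# NOW is UTC "YYYY/MM/DD HH:MM:SS", the form dhcpd writes, so a plain string
# comparison orders timestamps correctly. The file is append-only: the last
# block per IP wins, expired blocks are skipped by checking "ends" against NOW,
# "ends never" is permanent, and "binding state" (absent in old files) is only
# consulted when present.
active_macs() {
    now=${2:-$(date -u '+%Y/%m/%d %H:%M:%S')}
    awk -v now="$now" '
        $1 == "lease" { ip = $2; mac = ""; ends = ""; state = "" }
        $1 == "hardware" && $2 == "ethernet" { mac = $3; sub(/;$/, "", mac) }
        $1 == "ends" { if ($2 ~ /^never/) ends = "never"; else { ends = $3 " " $4; sub(/;$/, "", ends) } }
        $1 == "binding" && $2 == "state" { state = $3; sub(/;$/, "", state) }
        $1 == "}" && ip != "" {
            lease_mac[ip] = mac; lease_ends[ip] = ends; lease_state[ip] = state
            ip = ""
        }
        END {
            for (ip in lease_mac) {
                if (lease_mac[ip] == "") continue
                if (lease_state[ip] != "" && lease_state[ip] != "active") continue
                if (lease_ends[ip] != "never" && lease_ends[ip] <= now) continue
                print lease_mac[ip]
            }
        }' "$1" | sort -u
}

# current_macs: MACs whitelisted in mac_ok right now, read back from the kernel.
current_macs() {
    $IPTABLES -S mac_ok 2>/dev/null |
        awk '{ for (i = 1; i < NF; i++) if ($i == "--mac-source") print $(i + 1) }' | sort -u
}

# sync_chain WANTED CURRENT: both are sorted MAC lists, one per line. New MACs
# are inserted at position 1 so they land ahead of the final REJECT; MACs whose
# lease expired or was released are deleted.
sync_chain() {
    comm -23 "$1" "$2" | while read -r mac; do
        $IPTABLES -I mac_ok 1 -m mac --mac-source "$mac" -j RETURN
    done
    comm -13 "$1" "$2" | while read -r mac; do
        $IPTABLES -D mac_ok -m mac --mac-source "$mac" -j RETURN
    done
}

# sync_from_leases: one full reconcile. Run it from a dhcpd lease hook where
# the server offers one, from cron, or from watch_leases below.
sync_from_leases() {
    tmp=$(mktemp -d) || return 1
    { active_macs "$LEASES"; printf '%s\n' $PERMANENT_MACS; } | grep . | sort -u > "$tmp/wanted"
    current_macs > "$tmp/current"
    sync_chain "$tmp/wanted" "$tmp/current"
    rm -rf "$tmp"
}

# watch_leases [INTERVAL]: the md5sum polling idea. Re-sync when the checksum
# changes and at least once a minute anyway, because a lease that quietly runs
# out need not rewrite the file; the time check in active_macs revokes it.
watch_leases() {
    interval=${1:-5}; last=""; n=0
    while :; do
        sum=$(md5sum "$LEASES" 2>/dev/null)
        if [ "$sum" != "$last" ] || [ $((n * interval)) -ge 60 ]; then
            sync_from_leases; last=$sum; n=0
        fi
        n=$((n + 1)); sleep "$interval"
    done
}

case "${1:-}" in
    once)  sync_from_leases ;;
    watch) watch_leases "${2:-5}" ;;
esac
```

Run it as `sh macsync.sh once` from a lease hook or cron, or `sh macsync.sh watch 5` as the polling daemon; with `IPTABLES="echo iptables"` it only prints the rules it would apply, which is the safest way to check the generated inserts and deletes against the leases file before letting it touch the FORWARD chain.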