Setup a secure DHCP server

carl0ski · 02-22-2007, 07:53 PM

Any suggestions of the best way to configure a DHCP server?

In a perfect world i want to create a text list of
20 MAC Addresses
and allow any of these addresses to use one of the 15 pooled IP Addresses
all other MACs are blocked

I would like to a avoid IP Reservations (like windows 2003 does)
1 MAC address is permanently bound to 1 IP Address. since it is more difficult to prevent being stale

Any suggestions on methods to prevent intruders? while still allowing authorised guests to access my DHCP

win32sux · 02-24-2007, 11:04 PM

is this a wired or wireless network?? have you considered setting-up dnsmasq with your 15 IPs and then using iptables to allow access (both to the server and to the WAN) only for the MACs you want??

carl0ski · 02-25-2007, 08:01 PM

Quote:

Originally Posted by win32sux

is this a wired or wireless network?? have you considered setting-up dnsmasq with your 15 IPs and then using iptables to allow access (both to the server and to the WAN) only for the MACs you want??

it is wired but doesnt really matter since it is at equal risk of someone plugging in.

just so i'm clear

1. Create DHCP server?
2. Create a pool of addresses?
3. Setup a firewall to block unknown MAC Addresses from the DHCP server (port 67?)

thanks

win32sux · 02-25-2007, 08:13 PM

Quote:

Originally Posted by carl0ski

it is wired but doesnt really matter since it is at equal risk of someone plugging in.

okay...

Quote:

1. Create DHCP server?

by installing dnsmasq...

Quote:

2. Create a pool of addresses?

by using dnsmasq's --dhcp-range option...

Quote:

3. Setup a firewall to block unknown MAC Addresses from the DHCP server (port 67?)

yes... by using rules such as (for example):

Code:

iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 \
-m mac --mac-source ex:ex:ex:ex:ex:ex -j ACCEPT

iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 \
-m mac --mac-source sw:sw:sw:sw:sw:sw -j ACCEPT

iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 \
-m mac --mac-source vf:vf:vf:vf:vf:vf -j ACCEPT

# Etc, etc, etc...

i'd also make sure only those MACs get access to the WAN/Internet with:

Code:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m mac --mac-source ex:ex:ex:ex:ex:ex \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m mac --mac-source ws:ws:ws:ws:ws:ws \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m mac --mac-source uj:uj:uj:uj:uj:uj \
-m state --state NEW -j ACCEPT

# Etc, etc, etc...

iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

win32sux · 02-25-2007, 08:44 PM

BTW, regarding the WAN/Internet access: normally you'd match both MAC and IP in one rule, like:

Code:

iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-s 192.168.1.12 -m mac --mac-source yh:yh:yh:yh:yh:yh -j ACCEPT

but since you don't want to do the static leases, what you could do is have one chain check that the MAC is valid (one of your 20 MACs), and then have another chain check that the IP is from the DHCP range you are using, kinda like:

Code:

iptables -N CHECK
iptables -N CHECK_MAC
iptables -N CHECK_IP

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m state --state NEW -j CHECK

iptables -A CHECK -j CHECK_MAC
iptables -A CHECK -j CHECK_IP
iptables -A CHECK -j ACCEPT

iptables -A CHECK_MAC -m mac --mac-source \
ex:ex:ex:ex:ex:ex -j RETURN
iptables -A CHECK_MAC -m mac --mac-source \
ax:ax:ax:ax:ax:ax -j RETURN
iptables -A CHECK_MAC -m mac --mac-source \
ty:ty:ty:ty:ty:ty -j RETURN
# Etc, etc, etc...
iptables -A CHECK_MAC -j DROP

iptables -A CHECK_IP -m iprange --src-range \
192.168.1.2-192.168.1.17 -j RETURN
iptables -A CHECK_IP -j DROP

iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE