Old 02-22-2007, 08:53 PM   #1
carl0ski
Member
 
Registered: Sep 2004
Location: Melbourne, Victoria Australia
Distribution: Support those that support you :)
Posts: 872
Blog Entries: 12

Rep: Reputation: 30
Setup a secure DHCP server


Any suggestions of the best way to configure a DHCP server?

In a perfect world I want to create a text list of
20 MAC addresses
and allow any of these addresses to use one of the 15 pooled IP addresses;
all other MACs are blocked.

I would like to avoid IP reservations (like Windows 2003 does), where
1 MAC address is permanently bound to 1 IP address, since it is more difficult to prevent them going stale.


Any suggestions on methods to prevent intruders while still allowing authorised guests to access my DHCP?
 
Old 02-25-2007, 12:04 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Is this a wired or wireless network? Have you considered setting up dnsmasq with your 15 IPs and then using iptables to allow access (both to the server and to the WAN) only for the MACs you want?

Last edited by win32sux; 02-25-2007 at 01:29 AM.
 
Old 02-25-2007, 09:01 PM   #3
carl0ski
Member
 
Registered: Sep 2004
Location: Melbourne, Victoria Australia
Distribution: Support those that support you :)
Posts: 872
Blog Entries: 12

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by win32sux
Is this a wired or wireless network? Have you considered setting up dnsmasq with your 15 IPs and then using iptables to allow access (both to the server and to the WAN) only for the MACs you want?
It is wired, but it doesn't really matter since it is at equal risk of someone plugging in.

Just so I'm clear:

1. Create DHCP server?
2. Create a pool of addresses?
3. Set up a firewall to block unknown MAC addresses from the DHCP server (port 67?)


Thanks.
 
Old 02-25-2007, 09:13 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by carl0ski
It is wired, but it doesn't really matter since it is at equal risk of someone plugging in.
Okay...

Quote:
1. Create DHCP server?
By installing dnsmasq...

Quote:
2. Create a pool of addresses?
By using dnsmasq's --dhcp-range option...

Quote:
3. Set up a firewall to block unknown MAC addresses from the DHCP server (port 67?)
Yes... by using rules such as (for example):
Code:
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 \
-m mac --mac-source ex:ex:ex:ex:ex:ex -j ACCEPT

iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 \
-m mac --mac-source sw:sw:sw:sw:sw:sw -j ACCEPT

iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 \
-m mac --mac-source vf:vf:vf:vf:vf:vf -j ACCEPT

# Etc, etc, etc...
I'd also make sure only those MACs get access to the WAN/Internet with:
Code:
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m mac --mac-source ex:ex:ex:ex:ex:ex \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m mac --mac-source ws:ws:ws:ws:ws:ws \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m mac --mac-source uj:uj:uj:uj:uj:uj \
-m state --state NEW -j ACCEPT

# Etc, etc, etc...

iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

Last edited by win32sux; 02-26-2007 at 12:42 PM.
 
Old 02-25-2007, 09:44 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
BTW, regarding the WAN/Internet access: normally you'd match both MAC and IP in one rule, like:
Code:
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-s 192.168.1.12 -m mac --mac-source yh:yh:yh:yh:yh:yh -j ACCEPT
but since you don't want to do the static leases, what you could do is have one chain check that the MAC is valid (one of your 20 MACs), and then have another chain check that the IP is from the DHCP range you are using, kinda like:
Code:
iptables -N CHECK
iptables -N CHECK_MAC
iptables -N CHECK_IP

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m state --state NEW -j CHECK

iptables -A CHECK -j CHECK_MAC
iptables -A CHECK -j CHECK_IP
iptables -A CHECK -j ACCEPT

iptables -A CHECK_MAC -m mac --mac-source \
ex:ex:ex:ex:ex:ex -j RETURN
iptables -A CHECK_MAC -m mac --mac-source \
ax:ax:ax:ax:ax:ax -j RETURN
iptables -A CHECK_MAC -m mac --mac-source \
ty:ty:ty:ty:ty:ty -j RETURN
# Etc, etc, etc...
iptables -A CHECK_MAC -j DROP

iptables -A CHECK_IP -m iprange --src-range \
192.168.1.2-192.168.1.17 -j RETURN
iptables -A CHECK_IP -j DROP

iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

Last edited by win32sux; 02-26-2007 at 12:47 PM.
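The three steps the thread arrives at (posts #2, #4 and #5: a dnsmasq pool, a DHCP allow-list on UDP port 67, and a MAC-plus-IP check before forwarding) tied together as an added example, not code from the thread or from the dnsmasq project: a POSIX shell script that reads the plain-text MAC list the original poster wanted, validates each entry, and prints the dnsmasq settings and the iptables rules for review rather than applying them. The interface names, the pool 192.168.1.2-192.168.1.16, the lease time and the sample MACs are constructed assumptions. In addition to the iptables filtering proposed in the thread, the generated dnsmasq configuration uses `dhcp-host=` (a bare MAC, no fixed address, so leases still come from the pool) together with `dhcp-ignore=tag:!known`, which are dnsmasq's own options for refusing leases to clients not on the list.

```shell
#!/bin/sh
# Added example (not from the thread): turn a plain-text list of allowed MAC
# addresses into (a) dnsmasq settings for the pool and (b) iptables rules in
# the shape win32sux posted. Rules are printed, not applied, so they can be
# reviewed first. Interface names and the pool are constructed assumptions.

LAN_IFACE="${LAN_IFACE:-eth1}"
WAN_IFACE="${WAN_IFACE:-eth0}"
POOL_START="192.168.1.2"
POOL_END="192.168.1.16"      # 15 addresses, as in the question
LEASE_TIME="12h"

# Constructed sample allow-list in the format the script reads:
# one MAC per line, '#' starts a comment, blank lines are ignored.
MAC_LIST='# laptops (constructed sample addresses)
00:11:22:33:44:55
AA-BB-CC-00-11-22   # dash form is accepted and normalised
aa:bb:cc:dd:ee:ff
zz:11:22:33:44:55   # invalid: not hex, must be rejected
'

# normalize_mac MAC: print the address as lowercase colon-separated hex,
# or return 1 if it is not a well-formed 48-bit MAC.
normalize_mac() {
    m=$(printf '%s' "$1" | tr 'ABCDEF-' 'abcdef:')
    case "$m" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$m" ;;
        *) return 1 ;;
    esac
}

# valid_macs < list: strip comments and blank lines, emit the normalised
# valid MACs on stdout, and report every rejected entry on stderr.
valid_macs() {
    while IFS= read -r line; do
        entry=${line%%#*}                       # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue
        normalize_mac "$entry" || printf 'rejected: %s\n' "$entry" >&2
    done
}

# dnsmasq_conf < macs: the pool plus one dhcp-host line per MAC (no fixed IP,
# so leases still come from the pool); dhcp-ignore=tag:!known makes dnsmasq
# refuse leases to any MAC that has no dhcp-host line.
dnsmasq_conf() {
    printf 'interface=%s\n' "$LAN_IFACE"
    printf 'dhcp-range=%s,%s,%s\n' "$POOL_START" "$POOL_END" "$LEASE_TIME"
    printf 'dhcp-ignore=tag:!known\n'
    while IFS= read -r mac; do
        printf 'dhcp-host=%s\n' "$mac"
    done
}

# input_rules < macs: accept DHCP (UDP 68 -> 67) on the LAN only from listed MACs.
input_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    while IFS= read -r mac; do
        echo "iptables -A INPUT -p udp -i $LAN_IFACE --dport 67 --sport 68 -m mac --mac-source $mac -j ACCEPT"
    done
}

# forward_rules < macs: the CHECK / CHECK_MAC / CHECK_IP layout from post #5,
# so a new connection must come from a listed MAC *and* an address in the pool.
forward_rules() {
    echo "iptables -N CHECK"
    echo "iptables -N CHECK_MAC"
    echo "iptables -N CHECK_IP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW -j CHECK"
    echo "iptables -A CHECK -j CHECK_MAC"
    echo "iptables -A CHECK -j CHECK_IP"
    echo "iptables -A CHECK -j ACCEPT"
    while IFS= read -r mac; do
        echo "iptables -A CHECK_MAC -m mac --mac-source $mac -j RETURN"
    done
    echo "iptables -A CHECK_MAC -j DROP"
    echo "iptables -A CHECK_IP -m iprange --src-range $POOL_START-$POOL_END -j RETURN"
    echo "iptables -A CHECK_IP -j DROP"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE"
}

# Usage: `sh thisscript.sh --demo` prints everything generated from the
# sample list; pipe the rule lines to sh as root only after reviewing them.
if [ "${1:-}" = "--demo" ]; then
    macs=$(printf '%s' "$MAC_LIST" | valid_macs)
    printf '%s\n' "$macs" | dnsmasq_conf
    printf '%s\n' "$macs" | input_rules
    printf '%s\n' "$macs" | forward_rules
fi
```

Two caveats worth knowing before relying on this. The INPUT-chain filter works with dnsmasq because it receives DHCP on ordinary UDP sockets; ISC dhcpd reads DHCP through a packet socket on Linux, which the INPUT chain does not see, so with that server the allow-list has to be enforced inside the server's own configuration. And a MAC allow-list only raises the bar, since a MAC address is client-supplied, which is why the forwarding check in post #5 also insists on a source address inside the pool and why the chains default to DROP.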
 
  


All times are GMT -5.