02-22-2007, 07:53 PM, #1
carl0ski (Member, registered Sep 2004, Melbourne, Victoria Australia, 872 posts)
Setup a secure DHCP server
Any suggestions of the best way to configure a DHCP server?
In a perfect world I want to create a text list of 20 MAC addresses and allow any of these addresses to use one of the 15 pooled IP addresses; all other MACs are blocked.
I would like to avoid IP reservations (like Windows 2003 does), where 1 MAC address is permanently bound to 1 IP address, since it is more difficult to prevent them going stale.
Any suggestions on methods to prevent intruders while still allowing authorised guests to access my DHCP?
02-24-2007, 11:04 PM, #2
win32sux (Guru, registered Jul 2003, Los Angeles, Ubuntu, 9,870 posts)
Is this a wired or wireless network? Have you considered setting up dnsmasq with your 15 IPs and then using iptables to allow access (both to the server and to the WAN) only for the MACs you want?
Last edited by win32sux; 02-25-2007 at 12:29 AM.
02-25-2007, 08:01 PM, #3
carl0ski (Member, registered Sep 2004, Melbourne, Victoria Australia, 872 posts; original poster)
Originally Posted by win32sux: Is this a wired or wireless network? Have you considered setting up dnsmasq with your 15 IPs and then using iptables to allow access (both to the server and to the WAN) only for the MACs you want?
It is wired, but that doesn't really matter since it is at equal risk of someone plugging in.
Just so I'm clear:
1. Create a DHCP server?
2. Create a pool of addresses?
3. Set up a firewall to block unknown MAC addresses from the DHCP server (port 67?)
Thanks
02-25-2007, 08:13 PM, #4
win32sux (Guru, registered Jul 2003, Los Angeles, Ubuntu, 9,870 posts)
Originally Posted by carl0ski: It is wired, but that doesn't really matter since it is at equal risk of someone plugging in.
Okay...
By installing dnsmasq...
Originally Posted by carl0ski: 2. Create a pool of addresses?
By using dnsmasq's --dhcp-range option...
Originally Posted by carl0ski: 3. Set up a firewall to block unknown MAC addresses from the DHCP server (port 67?)
Yes... by using rules such as (for example):
Code:
# LAN_IFACE must be set to the interface the DHCP clients are on, e.g. LAN_IFACE=eth0
# ex:ex:ex:ex:ex:ex etc. are placeholders: replace each with a real MAC
# (six colon-separated hex octets), one rule per allowed client.
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# DHCP client -> server traffic is UDP from source port 68 to destination port 67;
# only packets whose Ethernet source MAC is on the list are let in.
iptables -A INPUT -p udp -i $LAN_IFACE --dport 67 --sport 68 \
-m mac --mac-source ex:ex:ex:ex:ex:ex -j ACCEPT
iptables -A INPUT -p udp -i $LAN_IFACE --dport 67 --sport 68 \
-m mac --mac-source sw:sw:sw:sw:sw:sw -j ACCEPT
iptables -A INPUT -p udp -i $LAN_IFACE --dport 67 --sport 68 \
-m mac --mac-source vf:vf:vf:vf:vf:vf -j ACCEPT
# Etc, etc, etc...
I'd also make sure only those MACs get access to the WAN/Internet with:
Code:
# WAN_IFACE is the interface facing the Internet, e.g. WAN_IFACE=eth1
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New LAN -> WAN connections are only forwarded for listed source MACs
# (placeholders again: substitute real MAC addresses).
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m mac --mac-source ex:ex:ex:ex:ex:ex \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m mac --mac-source ws:ws:ws:ws:ws:ws \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m mac --mac-source uj:uj:uj:uj:uj:uj \
-m state --state NEW -j ACCEPT
# Etc, etc, etc...
# Source-NAT everything leaving on the WAN interface
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
Last edited by win32sux; 02-26-2007 at 11:42 AM.
02-25-2007, 08:44 PM, #5
win32sux (Guru, registered Jul 2003, Los Angeles, Ubuntu, 9,870 posts)
BTW, regarding the WAN/Internet access: normally you'd match both MAC and IP in one rule, like:
Code:
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-s 192.168.1.12 -m mac --mac-source yh:yh:yh:yh:yh:yh -j ACCEPT
but since you don't want to do the static leases, what you could do is have one chain check that the MAC is valid (one of your 20 MACs), and then have another chain check that the IP is from the DHCP range you are using, kinda like:
Code:
# User-defined chains: CHECK calls the MAC test, then the IP test, then accepts
iptables -N CHECK
iptables -N CHECK_MAC
iptables -N CHECK_IP
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m state --state NEW -j CHECK
iptables -A CHECK -j CHECK_MAC
iptables -A CHECK -j CHECK_IP
iptables -A CHECK -j ACCEPT
# CHECK_MAC: a listed MAC RETURNs to CHECK; anything else hits the final DROP
# (ex:ex:..., ax:ax:..., ty:ty:... are placeholders for real MAC addresses)
iptables -A CHECK_MAC -m mac --mac-source \
ex:ex:ex:ex:ex:ex -j RETURN
iptables -A CHECK_MAC -m mac --mac-source \
ax:ax:ax:ax:ax:ax -j RETURN
iptables -A CHECK_MAC -m mac --mac-source \
ty:ty:ty:ty:ty:ty -j RETURN
# Etc, etc, etc...
iptables -A CHECK_MAC -j DROP
# CHECK_IP: the source address must lie in the range dnsmasq hands out
# (keep this in step with the --dhcp-range you configured)
iptables -A CHECK_IP -m iprange --src-range \
192.168.1.2-192.168.1.17 -j RETURN
iptables -A CHECK_IP -j DROP
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
Last edited by win32sux; 02-26-2007 at 11:47 AM.
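The following is an added example and not code from the thread. It ties together posts #4 and #5 for carl0ski's actual requirement (a text list of MACs, a pooled range, no static leases): one script reads the list, validates every entry, emits a dnsmasq configuration fragment, and emits the CHECK_MAC / CHECK_IP iptables layout win32sux sketched. Beyond the thread, it also uses dnsmasq's own allow-list mechanism (dhcp-host entries mark a MAC as "known" and dhcp-ignore=tag:!known drops everyone else) so the DHCP server refuses unknown clients even before iptables is consulted; that usage is my understanding of dnsmasq's options, not something the posts state. Interface names, the pool 192.168.1.2-192.168.1.16 (15 addresses), the lease time, the list-file format and the sample MACs are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns a plain-text MAC list into a
# dnsmasq DHCP pool plus the CHECK_MAC / CHECK_IP iptables rules.
# Assumptions (not in the original posts): interface names, pool and lease
# time below, "one MAC per line, '#' comments allowed" list format, sample MACs.

LAN_IFACE="${LAN_IFACE:-eth0}"
WAN_IFACE="${WAN_IFACE:-eth1}"
DHCP_FIRST="192.168.1.2"     # assumed pool: .2 to .16 = 15 addresses
DHCP_LAST="192.168.1.16"
LEASE_TIME="12h"

# valid_mac MAC -> 0 if MAC is six colon-separated hex octets, else 1.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# read_macs FILE -> lowercase MACs, one per line. Blank lines and '#'
# comments are skipped; a malformed entry makes the function return 1 so a
# typo cannot silently shrink the allow list or make iptables reject the set.
read_macs() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        mac=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g')
        [ -z "$mac" ] && continue
        if valid_mac "$mac"; then
            printf '%s\n' "$mac" | tr 'A-F' 'a-f'
        else
            echo "read_macs: malformed entry: $line" >&2
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# gen_dnsmasq FILE -> dnsmasq.conf fragment. A dhcp-host line with only a MAC
# (no fixed IP, so no stale reservation) tags the client "known"; the
# dhcp-ignore line makes dnsmasq refuse every client that is not known.
gen_dnsmasq() {
    macs=$(read_macs "$1") || return 1
    echo "interface=$LAN_IFACE"
    echo "dhcp-range=$DHCP_FIRST,$DHCP_LAST,$LEASE_TIME"
    echo 'dhcp-ignore=tag:!known'
    for m in $macs; do echo "dhcp-host=$m"; done
}

# gen_iptables FILE -> the iptables commands, printed rather than executed
# (pipe into sh to apply). DHCP requests and new LAN->WAN flows both pass
# through CHECK_MAC; forwarded flows additionally pass CHECK_IP.
gen_iptables() {
    macs=$(read_macs "$1") || return 1
    [ -n "$macs" ] || { echo "gen_iptables: empty allow list" >&2; return 1; }
    for c in CHECK_MAC CHECK_IP DHCP_IN WAN_OUT; do echo "iptables -N $c"; done
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IFACE -p udp --sport 68 --dport 67 -j DHCP_IN"
    echo "iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW -j WAN_OUT"
    echo "iptables -A DHCP_IN -j CHECK_MAC"
    echo "iptables -A DHCP_IN -j ACCEPT"
    echo "iptables -A WAN_OUT -j CHECK_MAC"
    echo "iptables -A WAN_OUT -j CHECK_IP"
    echo "iptables -A WAN_OUT -j ACCEPT"
    # CHECK_MAC: a listed MAC returns to the caller, anything else is dropped
    for m in $macs; do
        echo "iptables -A CHECK_MAC -m mac --mac-source $m -j RETURN"
    done
    echo "iptables -A CHECK_MAC -j DROP"
    # CHECK_IP: the source must be an address dnsmasq could have handed out
    echo "iptables -A CHECK_IP -m iprange --src-range $DHCP_FIRST-$DHCP_LAST -j RETURN"
    echo "iptables -A CHECK_IP -j DROP"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE"
}

# count_mac_rules FILE -> number of per-MAC rules generated; compare it with
# the number of guests you expect before applying the rule set.
count_mac_rules() {
    gen_iptables "$1" | grep -c -- '--mac-source'
}

# Constructed sample list: locally administered addresses, not real hosts.
write_sample_list() {
    cat > "$1" <<'EOF'
# guests allowed to get a lease
02:00:00:00:00:01   # laptop
02:00:00:00:00:02
02:00:00:00:00:03
EOF
}

# Usage: ./dhcp-allow.sh macs.txt   (prints both outputs; nothing is applied)
if [ "$#" -eq 1 ]; then
    gen_dnsmasq "$1" && gen_iptables "$1"
fi
```

Run it against the list file and review the output before piping the iptables part into sh; count_mac_rules is there so a stray or malformed line shows up as a wrong count rather than as a guest who silently cannot get a lease. Two caveats worth keeping in mind with this whole approach: the mac match only works in the INPUT, FORWARD and PREROUTING chains (it needs the incoming Ethernet frame), and a source MAC is an unauthenticated field that any intruder with physical access can set to one of the 20 listed values, so this keeps honest guests and casual plug-ins in line but is not an authentication mechanism.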