How can I authenticate ethernet users before they use network
I see a lot of suggestions for Squid Proxy as a solution to restrict Internet usage. It sounds like you would rather prevent them from even connecting to your network, in which case you could whitelist your DHCP list or use an ACL on a switch or router if you have one that supports it. Restricting the DHCP could possibly be bypassed by simply setting an IP rather than requesting one be assigned.
You could arrange dhcpd to only hand out static leases, and have iptables dynamically allow connections from the allocated IPs and block everything else.
Unfortunately, this would be very time-critical, as the DHCP-ACK packet will contain the source address just handed out.
Have you considered using iptables to allow only specific MACs to use your server? Like (example):
iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
iptables -A INPUT -m mac --mac-source YY:YY:YY:YY:YY:YY -j ACCEPT
iptables -A INPUT -m mac --mac-source ZZ:ZZ:ZZ:ZZ:ZZ:ZZ -j ACCEPT
iptables -A INPUT -j DROP
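
One way to combine the two suggestions above (static DHCP leases plus MAC matching), as an added example that is not from any poster in the thread: it reads an allowlist of MAC/IP pairs and prints iptables rules that accept a packet only when both match, skipping malformed entries. The allowlist format, the sample addresses and the function names are assumptions; the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed allowlist format: "MAC IP" per
# line, where IP is the static lease dhcpd hands to that MAC.
# Constructed sample data using documentation addresses, not real hosts.
SAMPLE_ALLOWLIST='
# mac               ip
02:00:00:aa:bb:01   192.0.2.10
02:00:00:aa:bb:02   192.0.2.11
not-a-mac           192.0.2.12
02:00:00:aa:bb:03   999.0.2.13
'

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# generate_rules ALLOWLIST [CHAIN]
# Prints one ACCEPT rule per valid entry, then a final DROP for the chain.
# The mac match is only valid in the PREROUTING, FORWARD and INPUT chains.
generate_rules() {
    chain=${2:-INPUT}
    printf '%s\n' "$1" | while read -r mac ip rest; do
        case $mac in ''|'#'*) continue ;; esac    # blank line or comment
        if ! valid_mac "$mac" || ! valid_ipv4 "$ip" || [ -n "$rest" ]; then
            echo "skipping malformed entry: $mac $ip" >&2
            continue
        fi
        # Require the leased source IP and the MAC together.
        echo "iptables -A $chain -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
    echo "iptables -A $chain -j DROP"
}

generate_rules "$SAMPLE_ALLOWLIST"
```

Review the printed rules before applying them, and keep an existing rule for your own management access ahead of the final DROP.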