Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I want a specific MAC address to be able to bypass the proxy,
meaning it has no need for proxy settings, while the remaining network computers should go through the proxy.
rashid_47010, I've pruned your post from where you originally posted. Please don't resurrect dead threads and/or hijack other people's threads. If your users currently specify the proxy server address in their programs, then you could create an iptables FORWARD rule like this for the MAC:
Code:
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW \
-m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
This lets that MAC get its packets forwarded, thereby eliminating the need for it to be proxied. Keep in mind that if any client on your LAN has administrative privileges on their host, then spoofing this allowed MAC address would be a breeze for them (allowing them to bypass the proxy).
Last edited by win32sux; 08-04-2009 at 06:45 AM.
Reason: Spelling/grammar.
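As an added example (not code from the thread or from win32sux), here is the FORWARD rule above embedded in a complete ruleset that also keeps a DROP policy on INPUT without locking the box out: loopback, replies, ping, SSH and the proxy port are re-opened explicitly, only the one MAC gets forwarded, everything else the FORWARD policy is about to drop is logged, and NAT is added so the bypassed host's packets actually reach the WAN. The interface names, the proxy port (3128, squid's default) and the MAC are placeholder assumptions; set `IPT="echo iptables"` (or run without the `apply` argument) to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: a complete ruleset around the FORWARD
# rule above. It keeps DROP policies on INPUT and FORWARD but explicitly
# re-opens what the proxy box itself needs (loopback, replies, ping, SSH,
# the proxy port), so a DROP policy does not silently lock everything out.
# Interface names, the proxy port and the MAC are assumed placeholders.
LAN_IFACE="${LAN_IFACE:-eth0}"
WAN_IFACE="${WAN_IFACE:-eth1}"
PROXY_PORT="${PROXY_PORT:-3128}"                 # assumed squid port
BYPASS_MAC="${BYPASS_MAC:-00:11:22:33:44:55}"    # placeholder MAC
# Set IPT="echo iptables" to print the commands instead of applying them.
IPT="${IPT:-iptables}"

apply_rules() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # INPUT: what may talk to the gateway itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -i "$LAN_IFACE" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IFACE" -p tcp --dport "$PROXY_PORT" -j ACCEPT

    # FORWARD: only the one MAC is routed past the proxy; every other
    # LAN host gets nothing forwarded and therefore must use the proxy.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -m state --state NEW \
        -m mac --mac-source "$BYPASS_MAC" -j ACCEPT
    # Log (rate-limited) what the policy is about to drop: a spoofed MAC
    # still gets through, but any other bypass attempt shows up here.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # NAT so the bypassed host's forwarded packets actually reach the WAN.
    $IPT -t nat -A POSTROUTING -o "$WAN_IFACE" -j MASQUERADE
}

# Dry-run helpers: render the ruleset without touching the kernel.
render_rules() {
    ( IPT="echo iptables"; apply_rules )
}
count_accepts() {
    render_rules | grep -c -- '-j ACCEPT'
}

case "${1:-}" in
    apply) apply_rules ;;
    *) render_rules ;;
esac
```

The ordering matters: the policy lines come first so that a crash between `-F` and the ACCEPT rules fails closed rather than open, and `RELATED,ESTABLISHED` sits at the top of each chain so return traffic is never evaluated against the MAC match. As the thread notes, a LAN user with root on their own host can still set that MAC and walk through the FORWARD rule; the LOG line only makes non-spoofing attempts visible.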
I just mention that MAC in the DHCP server (dhcpd.conf, located at /etc/dhcpd.conf) and under that MAC I set the router's IP as the gateway.
This is a very unusual way to achieve the goal you laid out. I mean, you're basically allowing any host to use the router as long as they set its IP as their gateway. It does sound like it would work, though. That is, as long as you have administrative control over every single host (otherwise, simply setting the gateway address would allow anyone to bypass your proxy). Personally, I would never do such a thing without having a network firewall reinforcing the whole thing.
I configured the DHCP server so that every user in my network has the IP of the proxy server (machine) as the gateway,
e.g. 192.168.xx.abc
255.255.255.0
Gateway: proxy server machine IP
Only for that specific IP do I specify the router's IP as the gateway.
Hopefully now you understand the basic idea behind the scenes.
Looking forward to any valuable suggestions.
Actually, I understood you fine the first time, so my comments still stand.
Like I said, this sounds okay as long as none of your users have administrative privileges on their boxes. That said, even if they don't have administrative privileges, it's still quite easy for them to carry a DHCP server in their pocket and plug their hosts into it to configure their gateway address in order to bypass your proxy (unless you've got physical controls in place too). This is one reason why using a DHCP server for access restrictions is not a good idea (wrong tool for the job).
Quote:
:INPUT ACCEPT [273:55355] % what does this mean
:FORWARD ACCEPT [0:0] % what does this mean
:LOGNDROP - [0:0] % what does this mean
:OUTPUT ACCEPT [92376:20668252]
The first field is the chain name; the second is the policy; the third is the packet/byte counters.
Sir,
I got your point that if some users have administrative privileges on their boxes, they can easily change their IP settings.
You are right.
To understand this, I configured CentOS 5 at my home, and yesterday I got the Internet connection too,
so I will be practicing at home. Thanks for guiding me.
Understood, but what about the numbers within the brackets, e.g. [273:55355]?
Let me guess... these are the PORT NUMBERS.
Yesterday I put
iptables -P INPUT DROP
in my iptables script.
What happened then is that from the proxy I can't ping any other machine, nor can users ping the proxy server.
This means everything stopped (no browsing, no sending/receiving mail).
I think this line is used to drop all incoming packets, and then in the next lines you specify which ports need to be opened, etc.
Right, they can either use administrative privileges or simply have the box use a rogue DHCP server.
No. Like I said in my previous post, they are packet and byte counters. They represent the amount of packets/bytes which have run into the chain's policy.
If you set the INPUT policy to DROP with the configuration you posted earlier, only TCP ports 22 and 80 on the box itself would be accessible. I recommend you read a good tutorial such as this one in order to understand how iptables works.
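As an added example (not from the thread), the counters explained above can be put to work for exactly the lockout described in the last post: read the chain headers from `iptables-save` output and list every chain whose DROP policy has already discarded packets. If INPUT shows up while pings are timing out, the policy is eating them and an explicit ACCEPT rule is missing. The sample output below is constructed for the example; the `:CHAIN POLICY [pkts:bytes]` header format is real, and `-` in the policy column marks a user-defined chain, which has no policy.

```shell
# Added example, not from the thread: read the chain headers of iptables-save
# output and flag chains whose DROP policy has already discarded packets,
# the symptom described above (INPUT set to DROP, pings dead).
# The sample below is constructed; the format is ":CHAIN POLICY [pkts:bytes]",
# and "-" marks a user-defined chain, which has no policy.
SAMPLE_SAVE='*filter
:INPUT DROP [273:55355]
:FORWARD DROP [0:0]
:LOGNDROP - [12:960]
:OUTPUT ACCEPT [92376:20668252]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# One line per chain: name policy packets bytes. The counters belong to the
# policy, i.e. they count packets that matched no rule in the chain.
chain_counters() {
    awk '/^:/ {
        name = substr($1, 2)
        counters = substr($3, 2, length($3) - 2)
        split(counters, c, ":")
        print name, $2, c[1], c[2]
    }'
}

# Names of chains whose DROP policy has already eaten packets.
dropping_chains() {
    chain_counters | awk '$2 == "DROP" && $3 > 0 { print $1 }'
}

# On a live box: iptables-save | dropping_chains
printf '%s\n' "$SAMPLE_SAVE" | chain_counters
```

On a live system the policy counters keep growing as long as the box is running; a chain that is dropping legitimate traffic is usually the one whose packet count climbs while you repeat the failing ping or connection.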