LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 02-08-2014, 12:05 AM   #1
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,756

Rep: Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851
Keep smartphones from connecting to a server?


Hi,

I'm currently negotiating with the IT manager of a big school in Nīmes. He wants to resolve a series of problems. Most of them (like traffic shaping, web content filtering) I know how to deal with, but one question is puzzling me. Is there a way to block smartphones like iPhones from connecting to the school's wifi? On their current hardware (a simple router) every smartphone appears as "iphone2". This router will eventually be replaced by a Slackware gateway/firewall/proxy/filter. DHCP, DNS, NTP and all services will run on this Slackware server.

Any idea if something like that would be possible?

Last edited by kikinovak; 02-08-2014 at 12:07 AM.
 
Old 02-08-2014, 12:30 AM   #2
vdemuth
Member
 
Registered: Oct 2003
Location: West Midlands, UK
Distribution: Slackware 14 (Server),Suse 13.1 (Desktop),, Mepis on the wifes lappy
Posts: 768

Rep: Reputation: 92
Give everything static IP's only and disable router dhcp server would be the simplest of solutions I would have thought.
 
Old 02-08-2014, 12:50 AM   #3
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 2,580

Rep: Reputation: 431Reputation: 431Reputation: 431Reputation: 431Reputation: 431
MAC address filtering?
 
Old 02-08-2014, 03:08 AM   #4
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,756

Original Poster
Rep: Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851
Quote:
Originally Posted by vdemuth View Post
Give everything static IP's only and disable router dhcp server would be the simplest of solutions I would have thought.
There are roughly 300 students, and everyone has a laptop.
 
Old 02-08-2014, 03:32 AM   #5
vdemuth
Member
 
Registered: Oct 2003
Location: West Midlands, UK
Distribution: Slackware 14 (Server),Suse 13.1 (Desktop),, Mepis on the wifes lappy
Posts: 768

Rep: Reputation: 92
300 is not really very many static IPs to hand out and is a pretty simple function for the IT department to manage.

Maybe you should offer to do this for them, for a fee of course and continue to offer consultancy for new and leaving students to keep a tight control on ip allocations. You might even sell it to them as a value added service.
 
Old 02-08-2014, 03:48 AM   #6
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,756

Original Poster
Rep: Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851
Quote:
Originally Posted by willysr View Post
MAC address filtering?
This sounds like a good idea. I'll have to do some research if iptables can filter partial MAC addresses using wildcards.
 
Old 02-08-2014, 01:40 PM   #7
vdemuth
Member
 
Registered: Oct 2003
Location: West Midlands, UK
Distribution: Slackware 14 (Server),Suse 13.1 (Desktop),, Mepis on the wifes lappy
Posts: 768

Rep: Reputation: 92
Hmmm,

Just be careful that the clever students don't resort to mac spoofing which as we know is pretty easy to do.
 
Old 02-08-2014, 01:56 PM   #8
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,756

Original Poster
Rep: Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851
Quote:
Originally Posted by vdemuth View Post
Hmmm,

Just be careful that the clever students don't resort to mac spoofing which as we know is pretty easy to do.
On a smartphone?
 
Old 02-08-2014, 01:57 PM   #9
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,756

Original Poster
Rep: Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851
Quote:
Originally Posted by willysr View Post
MAC address filtering?
I guess this is the way to go. I just found the following document:

http://www.isalo.org/wiki.debian-fr/...27adresses_MAC

I'll check this out another day, with a clear head.
 
Old 02-08-2014, 02:07 PM   #10
bosth
Member
 
Registered: Apr 2011
Posts: 229

Rep: Reputation: 68
Quote:
Originally Posted by kikinovak View Post
On a smartphone?
It is on Android.
 
Old 02-08-2014, 02:41 PM   #11
gezley
Member
 
Registered: Sep 2009
Location: Ireland
Distribution: Slackware64, NetBSD
Posts: 509

Rep: Reputation: 210Reputation: 210Reputation: 210
Quote:
Originally Posted by kikinovak View Post
Hi,

I'm currently negotiating with the IT manager of a big school in Nīmes. He wants to resolve a series of problems. Most of them (like traffic shaping, web content filtering) I know how to deal with, but one question is puzzling me. Is there a way to block smartphones like iPhones from connecting to the school's wifi? On their current hardware (a simple router) every smartphone appears as "iphone2". This router will eventually be replaced by a Slackware gateway/firewall/proxy/filter. DHCP, DNS, NTP and all services will run on this Slackware server.

Any idea if something like that would be possible?
BSD packet filters can do OS fingerprinting to block based on source operating system. I'd be surprised if netfilter didn't have something similar, although when it comes to firewalls I stay as far away as possible from the Linux netfilter mess, so I'm afraid I can't be of any more use to you.

;-)
 
Old 02-08-2014, 03:01 PM   #12
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,315

Rep: Reputation: Disabled
I would let everyone register their laptop, so that you know all allowed laptop MAC addresses.
You can then add host definitions (with pre-defined IP addresses for the registered MAC addresses) for all these computers to your server's dhcpd.conf and put all of them in one pool definition.
All other DHCP clients (the 'unknown' ones) get a separate pool, including characteristics like separate IP address ranges, another default gateway, and perhaps traffic routed through a caching and filtering (transparent) proxy.
Put the IP ranges for the 'unknown' devices in a separate VLAN if the switches support it, and apply different QoS for the unknowns so that registered clients have better speeds, different or no internet filters, and lower latency.

Yes, MAC addresses can be spoofed, but actually if a student can pull that off, I'd know I had to watch him better. You can write some scripts that connect (using nmap for instalce) to IP addresses of registered computers and perform OS fingerprinting on all of them. Then highlight the ones that show non-Slackware or non-Windows OS and talk to the kids to whom the MAC address is registered to.
With some creativity you can set up a system that needs minimal support (you can write a web form to add or delete hosts to the DHCP server configuration and leave the administration to the school's IT manager).

Eric
 
1 members found this post helpful.
Old 02-08-2014, 03:27 PM   #13
Darth Vader
Member
 
Registered: May 2008
Location: Romania
Distribution: DARKSTAR Linux 2008.1
Posts: 622

Rep: Reputation: 114Reputation: 114
Lets be pragmatics... Do it PPPOE over WLAN. Combine it MAC checking. You got am user/password? First time when you are connected, your MAC is matched with them.

Everyone have an user and password. If one of them make that information public, you/they have an ass to kick.

Last edited by Darth Vader; 02-08-2014 at 03:36 PM.
 
Old 02-08-2014, 03:30 PM   #14
kikinovak
Senior Member
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: Slackware, Slackware64
Posts: 1,756

Original Poster
Rep: Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851Reputation: 851
Quote:
Originally Posted by Alien Bob View Post
I would let everyone register their laptop, so that you know all allowed laptop MAC addresses.
You can then add host definitions (with pre-defined IP addresses for the registered MAC addresses) for all these computers to your server's dhcpd.conf and put all of them in one pool definition.
I'm already using a similar setup in two smaller schools here. While on paper it seems an elegant solution, in everyday's practical life it is quite time-consuming.
 
Old 02-09-2014, 11:05 AM   #15
yenn
Member
 
Registered: Jan 2011
Location: Czech Republic
Distribution: Slackware, Gentoo
Posts: 156

Rep: Reputation: 21
Quote:
Originally Posted by kikinovak View Post
I'm already using a similar setup in two smaller schools here. While on paper it seems an elegant solution, in everyday's practical life it is quite time-consuming.
Not really time-consuming if you put some effort into automating things. I use something similar in smaller network (~200 users) and apart time spent on building and testing it first, it just works without any extra involvement. Whole "system" consist of one server with web aplication where you can register people and computers, database server and router (Slackware of course) with simple application that create new iptables and dhcpd config from template with data from database, replace actual config files and reload iptables and dhcpd rules. It's event based so rules are reloaded only when needed (no cron involved).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Are smartphones getting too pricey? H5X00R Linux - Mobile 30 12-14-2013 03:52 PM
Smartphones like N900? Thesniperofdeath Linux - Mobile 7 12-19-2011 09:06 AM
connecting sendmail server to Exchange server 2k3 amit_kalipur Linux - Server 0 06-11-2009 08:40 AM
Newbie question's about smartphones vinnie415 Linux - Laptop and Netbook 1 01-31-2008 05:41 PM
Looking for reviews of SmartPhones with Linux caps_phisto Linux - General 1 10-16-2007 08:25 AM


All times are GMT -5. The time now is 10:20 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration