LinuxQuestions.org

gixnex 05-07-2009 03:41 AM

Is it possible manage all ip's connections with dhcp?
 
Hi all,

This is my first post here, here it goes!


I'm trying to manage all IP connections (private network) with a DHCP server. I can filter all addresses by MAC, but I don't know how to forbid static IP connections. Can you give me a clue how to deal with this issue?

Thanks.

linuxlover.chaitanya 05-07-2009 04:08 AM

Welcome to LQ.

Can you state clearly what your problem is? I cannot understand what you are trying to do, what you are doing, and what issue you are facing.

repo 05-07-2009 04:17 AM

This cannot be done with the DHCP server.
Seems to me you need a kind of access control, so people first log in, and then get the IP.

gixnex 05-07-2009 05:17 AM

Second attempt,

I'm trying to manage my office network range 192.168.1.0/24 entirely with a DHCP server. In dhcp.conf I can filter every IP with ethernet mask, but I cannot prevent someone from connecting his laptop to the network with a static IP. Repo says "Seems to me you need a kind of access control" but I don't know how.

So..

Is it possible to allow only the DHCP IP pool to be used, using e.g. iptables?

e.g.

iptables allow all 192.168.1.2 with mask FF:FF:FF:FF:FF:FF
etc...
at the end
deny all 192.168.1.0/24

Is it possible?

linuxlover.chaitanya 05-07-2009 06:52 AM

Do you want outsiders not to use your network, or do you want them not to use the internet from your office?
If you do not want outsiders with laptops to access the internet, then you can use squid to control access to the internet. But if you want everyone to always get an IP address from DHCP irrespective of their status, even if you do not have any control over their machine, then it is difficult for you to control it that way. One way is to use subnetting so that no one outside your office knows exactly what netmask you use, though this is not a foolproof solution.
I am a bit confused by the example that you put.

repo 05-07-2009 07:06 AM

Quote:

Is it possible to allow only the DHCP IP pool to be used, using e.g. iptables?

Once people know the pool, they can take an IP from the pool to connect.
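
Added example (not part of the thread and not code from any poster): the IP-plus-MAC filtering gixnex asks about, generated from ISC dhcpd `host` reservations and expressed with the iptables `mac` match. It assumes the Linux box is the LAN's gateway, so client traffic crosses the FORWARD chain; the sample config, host names and MAC addresses are constructed.

```python
import ipaddress
import re

# Constructed sample of ISC dhcpd host declarations (not from the thread).
SAMPLE_DHCPD_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.100 192.168.1.150; }
host alice-pc { hardware ethernet 00:16:3e:aa:bb:01; fixed-address 192.168.1.2; }
host bob-laptop {
    hardware ethernet 00:16:3E:AA:BB:02;   # upper-case MAC is normalised
    fixed-address 192.168.1.3;
}
host printer { hardware ethernet 00:16:3e:aa:bb:03; }   # no fixed-address: skipped
host stray { hardware ethernet 00:16:3e:aa:bb:04; fixed-address 10.0.0.9; }
"""

HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*;")
IP_RE = re.compile(r"fixed-address\s+(\d{1,3}(?:\.\d{1,3}){3})\s*;")

def parse_reservations(conf, subnet):
    """Return sorted (ip, mac) pairs for hosts that have a MAC and an in-subnet fixed address."""
    net = ipaddress.ip_network(subnet)
    conf = re.sub(r"#[^\n]*", "", conf)          # drop dhcpd comments before matching
    pairs = {}
    for _name, body in HOST_RE.findall(conf):
        mac, ip = MAC_RE.search(body), IP_RE.search(body)
        if not (mac and ip):
            continue                             # incomplete reservation: no rule emitted
        addr = ipaddress.ip_address(ip.group(1))
        if addr in net:                          # ignore reservations for other subnets
            pairs[addr] = mac.group(1).lower()
    return sorted(pairs.items())

def build_rules(conf, subnet="192.168.1.0/24", chain="FORWARD"):
    """Accept each reserved IP only from its reserved MAC, then drop the rest of the subnet."""
    # Assumption: this host routes for the LAN, so client packets traverse FORWARD.
    rules = [f"iptables -A {chain} -s {ip} -m mac --mac-source {mac} -j ACCEPT"
             for ip, mac in parse_reservations(conf, subnet)]
    rules.append(f"iptables -A {chain} -s {subnet} -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE_DHCPD_CONF)))
```

These rules tie an address to a MAC, not to a user or machine identity, and they do not filter traffic between hosts on the same switch, which is why the thread goes on to recommend 802.1X.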

farslayer 05-07-2009 07:17 AM

This question would have been better suited for the Network or Security forum rather than Newbies.. :)

What you are looking for is called 802.1x or port-based Network Access Control http://en.wikipedia.org/wiki/802.1x

This should get you started..

http://tldp.org/HOWTO/8021X-HOWTO/
http://www.linuxjournal.com/article/8320
http://vuksan.com/linux/dot1x/802-1x-LDAP.html
http://www.stevens.edu/itwiki/cgi-bi...p/Linux_802.1x

This is really what you need to secure the network against outsiders connecting.

Security through obscurity (limited netmask, pool size etc..) really isn't a form of security at all ..


Some vendor implementations of NAC allow you to check the client machine to make sure it's up to date, fully patched, has the latest active AV or other security measures, etc., and if not, it pushes those items out to their machine automatically (if it knows who they are). Once the machine is updated, it's allowed to connect to the internal network.


All times are GMT -5.