LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-05-2005, 10:32 AM   #1
Sevensins
LQ Newbie
 
Registered: Nov 2004
Location: Pakistan
Posts: 24

Rep: Reputation: 15
Mac Address Verification


Hi!
I am running a transparent box, FC2 with squid 2.5 stable9.
I have implemented the MAC check script with a little added spice: now I have bound an IP to a MAC.

The problem is that the users can change their IPs and MAC addresses..uhhhh.....
I need to have some kind of reverse probe system to avoid this, so the closed client remains closed even if he/she changes the IP and MAC to an allowed client's record..


********************************************************
#!/bin/sh
# Transparent-proxy firewall script as posted. IP and MAC are not defined in
# the post: they are placeholders that must hold one client's address pair
# before the ALLOW/DENY rules below are run.

# Start from a clean slate in the filter, nat and mangle tables.
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
/sbin/iptables -F -t nat
/sbin/iptables -F -t mangle
/sbin/iptables -X -t nat
/sbin/iptables -X -t mangle
# Default-deny for traffic to the box and for traffic routed through it.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP

# Kernel settings: routing on, SYN cookies, reverse-path (anti-spoof) filter,
# no source routing or ICMP redirects, plus TCP buffer/timeout tuning.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 8388608 > /proc/sys/net/core/wmem_max
echo 8388608 > /proc/sys/net/core/rmem_max
echo "4096 87380 4194304" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 65536 4194304" > /proc/sys/net/ipv4/tcp_wmem

# Per-client rules: a packet must carry BOTH the listed source IP and the
# listed source MAC to match. Note that -I inserts at the top of the chain.
#ALLOW USERS
/sbin/iptables -I INPUT -p all -s $IP -m mac --mac-source $MAC -j ACCEPT
/sbin/iptables -I FORWARD -p all -s $IP -m mac --mac-source $MAC -j ACCEPT

#DENY USERS
/sbin/iptables -I INPUT -p all -s $IP -m mac --mac-source $MAC -j DROP
/sbin/iptables -I FORWARD -p all -s $IP -m mac --mac-source $MAC -j REJECT
********************************************************

Now the same old question....
Will the user be stopped even if they change their IP address and MAC address to the IP and MAC address of an allowed user? Because I did a test..
I blocked my own WinXP system's IP and MAC... then changed my IP and MAC (XP system) to the IP and MAC of a client that was in the allowed list...
I started using the net...ufff.....

Please, any directions or pointers.... I'm all eyes and ears


Any help in this regard will be much appreciated...
 
Old 04-05-2005, 01:39 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Take a look at arpwatch and arpstar. They both keep track of MAC-IP pairings and will notify you if it detects any changes or ARP poisoning. I haven't tried out Arpstar yet, but it looks like it can take some more pro-active measures when it detects anomalous traffic.
 
Old 04-05-2005, 11:45 PM   #3
Sevensins
LQ Newbie
 
Registered: Nov 2004
Location: Pakistan
Posts: 24

Original Poster
Rep: Reputation: 15
Thanks a lot!! I will try it....
 
Old 05-11-2005, 06:03 AM   #4
ivanatora
Member
 
Registered: Sep 2003
Location: Bulgaria
Distribution: Ubuntu 9.10, FreeBSD 7.2
Posts: 459

Rep: Reputation: 32
Code:
#ALLOW USERS
/sbin/iptables -I INPUT -p all -s $IP -m mac --mac-source $MAC -j ACCEPT
/sbin/iptables -I FORWARD -p all -s $IP -m mac --mac-source $MAC -j ACCEPT

#DENY USERS
/sbin/iptables -I INPUT -p all -s $IP -m mac --mac-source $MAC -j DROP
/sbin/iptables -I FORWARD -p all -s $IP -m mac --mac-source $MAC -j REJECT
These rules seem wrong. The INPUT chain doesn't have anything to do with internet sharing. You should use the PREROUTING chain for mac matching.
 
Old 05-11-2005, 03:04 PM   #5
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
I have a feeling he used the INPUT chain because it's a transparent proxy, but you're right, it should be PREROUTING. The PREROUTING chain is processed before the INPUT chain anyway. Note that you need to append it to the nat table, like so:
Code:
iptables -t nat -A PREROUTING <your rules>
There is, however, another potential problem with your firewall rules: why are you inserting instead of appending them? The -I directive tells iptables to put the rule at the top of the rule chain, so other rules in the same chain that come after won't be processed (because the packet will either be accepted or dropped if it matches those MAC rules, which I assume are exhaustive for your network).
 
Old 05-12-2005, 01:25 AM   #6
ivanatora
Member
 
Registered: Sep 2003
Location: Bulgaria
Distribution: Ubuntu 9.10, FreeBSD 7.2
Posts: 459

Rep: Reputation: 32
Anyway, there is an easier way to do MAC restricting.
See man arp, the "-f" option. That way you don't load iptables with useless rules.. the ARP table always exists, so why not use it?
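Both suggestions so far, the arpwatch/arpstar monitoring in reply #2 and the static table loaded with arp -f in reply #6, start from the same thing: a trusted list of MAC/IP pairs. The following is an added example, not code from any poster and not part of arpwatch, arpstar or net-tools: a POSIX shell function that compares such a list (written "MAC IP" per line, the /etc/ethers layout) against a snapshot of `arp -an` output and reports every pairing that drifted, including the cloned-MAC case the original poster tested. The addresses, the interface name and the snapshot are constructed; the function does not call arp itself, so it runs anywhere.

```shell
#!/bin/sh
# Added example (not code from the thread, arpwatch or arpstar): compare a
# trusted MAC/IP list against a snapshot of the kernel ARP table and report
# every pairing that drifted. Everything below is constructed sample data.

# Trusted list, one "MAC IP" pair per line (the /etc/ethers layout).
ETHERS_TRUSTED='00:11:22:33:44:01 192.168.1.10
00:11:22:33:44:02 192.168.1.11
00:11:22:33:44:03 192.168.1.12'

# Constructed "arp -an" snapshot. Two things are wrong in it: 192.168.1.11
# now answers from the MAC that belongs to .12 (a cloned MAC, the case the
# original poster tested), and an unlisted host .50 has appeared.
ARP_SNAPSHOT='? (192.168.1.10) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.1.11) at 00:11:22:33:44:03 [ether] on eth0
? (192.168.1.12) at 00:11:22:33:44:03 [ether] on eth0
? (192.168.1.50) at 00:11:22:33:44:99 [ether] on eth0'

# check_arp_drift TRUSTED SNAPSHOT
# Prints one line per anomaly and returns 1 if any was found, 0 otherwise:
#   MISMATCH  ip expected MAC seen MAC   - IP answers from the wrong MAC
#   DUPLICATE mac ip1 ip2                - one MAC claims two IPs
#   UNKNOWN   ip mac                     - IP is not in the trusted list
# Hosts in the trusted list that are absent from the snapshot are not
# reported; they may simply be switched off.
check_arp_drift() {
    printf '%s\n---\n%s\n' "$1" "$2" | tr 'A-F' 'a-f' | awk '
        /^---$/ { snapshot = 1; next }
        # first section: trusted pairs keyed by IP
        !snapshot && NF == 2 { expected[$2] = $1; next }
        # second section: "? (IP) at MAC [ether] on IFACE"; skip <incomplete>
        snapshot && $1 == "?" && $3 == "at" && $4 != "<incomplete>" {
            ip = $2; gsub(/[()]/, "", ip); mac = $4
            if (!(ip in expected)) {
                print "UNKNOWN " ip " " mac; bad = 1
            } else if (expected[ip] != mac) {
                print "MISMATCH " ip " expected " expected[ip] " seen " mac; bad = 1
            }
            if ((mac in seen_ip) && seen_ip[mac] != ip) {
                print "DUPLICATE " mac " " seen_ip[mac] " " ip; bad = 1
            }
            seen_ip[mac] = ip
        }
        END { exit bad ? 1 : 0 }'
}

# Run the check against the constructed snapshot (prints the three anomalies).
check_arp_drift "$ETHERS_TRUSTED" "$ARP_SNAPSHOT" || echo "ARP table drifted from the trusted list"
```

On a real gateway the second argument would be `"$(arp -an)"` taken from cron, and a non-zero return is the signal to alert. A MAC that suddenly claims two IPs, or an IP that moves to another MAC, is exactly what a cloned-address client looks like from the gateway's ARP table, which is the gap a pure iptables allow-list cannot see.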
 
Old 05-12-2005, 02:02 AM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I'd stick with one of the two programs that I posted earlier. Having ARP poisoning occurring on an internal LAN is certainly something that should set off major red flags, and you should want to know about it immediately. Using arp -f is going to load a static ARP table that you need to manually update every time a new host is added, and it will also leave you blind to an ARP poisoning attack occurring on the internal LAN. Plus arpstar has several features to protect the ARP table in situations where it feels a poisoning might be occurring.

I'd also be very hesitant to do any type of filtering in the nat PREROUTING chain unless I knew for certain that packets were somehow being altered before they hit the FORWARD chain. The problem with filtering in the nat table chains is that only the first packet in a stream is checked and all subsequent packets are passed. In FORWARD all subsequent packets will be checked too. So unless I had a specific reason to filter in PREROUTING, I'd do so in FORWARD. There is actually a note in most of the netfilter guides not to filter in PREROUTING for that very reason.
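Putting replies #5 and #7 together, the allow-list belongs in the filter table's FORWARD chain, appended with -A in evaluation order behind a default-deny policy. The following is an added example, not code from any poster: the original script's per-client rules rewritten that way as a shell function. IPT defaults to a dry run that prints each command (so the rule order can be inspected without touching a live firewall); setting IPT=/sbin/iptables applies them. The inside interface name and the address pairs are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): the allow-list rewritten the way
# the replies recommend, in the FORWARD chain of the filter table, appended
# with -A rather than inserted with -I, behind a default-deny policy.
# IPT defaults to a dry run that prints each command; set IPT=/sbin/iptables
# to apply the rules for real. Interface name and address pairs are constructed.

IPT="${IPT:-echo /sbin/iptables}"
LAN_IF="${LAN_IF:-eth1}"   # assumed inside (client-facing) interface

# Constructed allow-list, one "IP MAC" pair per line.
ALLOWED='192.168.1.10 00:11:22:33:44:01
192.168.1.11 00:11:22:33:44:02'

# apply_allowlist LIST
# Rule order is evaluation order because every rule is appended:
#   1. policy DROP, chain emptied
#   2. replies for connections already accepted
#   3. one ACCEPT per pair, matching BOTH source IP and source MAC
#   4. log, then drop, anything else arriving from the LAN side
# A client whose IP or MAC does not match any pair falls through to step 4.
apply_allowlist() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    printf '%s\n' "$1" | while read -r ip mac; do
        [ -n "$ip" ] && [ -n "$mac" ] || continue
        $IPT -A FORWARD -i "$LAN_IF" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN_IF" -j LOG --log-prefix "FWD-DENY: "
    $IPT -A FORWARD -i "$LAN_IF" -j DROP
}

# count_accept_rules LIST: number of per-client ACCEPT rules the list produces
# (meaningful in dry-run mode, where the commands are printed).
count_accept_rules() {
    apply_allowlist "$1" | grep -c -- '--mac-source'
}

apply_allowlist "$ALLOWED"
```

Two caveats belong with this. The mac match only sees the source address of the frame as it arrives on LAN_IF, so it says nothing beyond the last hop, and it does not by itself solve the problem the original poster hit: a client that copies an allowed IP/MAC pair still matches. What this ordering fixes is the INPUT/-I confusion; catching the clone needs the ARP monitoring from replies #2 and #7, or port-level control at the switch as reply #8 suggests. The LOG rule before the final DROP is what makes the denied attempts visible in the kernel log.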
 
Old 05-17-2005, 06:42 AM   #8
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 474

Rep: Reputation: 30
You could restrict the network access at the switch. There are switches which act as a RADIUS server.
If your switch supports RADIUS authentication I think this is the best method.
 