Slackware This Forum is for the discussion of Slackware Linux.
02-08-2014, 01:05 AM
|
#1
|
MLED Founder
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453
|
Keep smartphones from connecting to a server?
Hi,
I'm currently negotiating with the IT manager of a big school in Nîmes. He wants to resolve a series of problems. Most of them (like traffic shaping, web content filtering) I know how to deal with, but one question is puzzling me. Is there a way to block smartphones like iPhones from connecting to the school's wifi? On their current hardware (a simple router) every smartphone appears as "iphone2". This router will eventually be replaced by a Slackware gateway/firewall/proxy/filter. DHCP, DNS, NTP and all services will run on this Slackware server.
Any idea if something like that would be possible?
Last edited by kikinovak; 02-08-2014 at 01:07 AM.
|
|
|
02-08-2014, 01:30 AM
|
#2
|
Member
Registered: Oct 2003
Location: West Midlands, UK
Distribution: Slackware 14 (Server),OpenSuse 13.2 (Laptop & Desktop),, OpenSuse 13.2 on the wifes lappy
Posts: 781
Rep:
|
Giving everything static IPs only and disabling the router's DHCP server would be the simplest of solutions, I would have thought.
|
|
|
02-08-2014, 01:50 AM
|
#3
|
Senior Member
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,815
|
MAC address filtering?
|
|
|
02-08-2014, 04:08 AM
|
#4
|
MLED Founder
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453
Original Poster
|
Quote:
Originally Posted by vdemuth
Giving everything static IPs only and disabling the router's DHCP server would be the simplest of solutions, I would have thought.
|
There are roughly 300 students, and everyone has a laptop.
|
|
|
02-08-2014, 04:32 AM
|
#5
|
Member
Registered: Oct 2003
Location: West Midlands, UK
Distribution: Slackware 14 (Server),OpenSuse 13.2 (Laptop & Desktop),, OpenSuse 13.2 on the wifes lappy
Posts: 781
Rep:
|
300 is not really very many static IPs to hand out and is a pretty simple function for the IT department to manage.
Maybe you should offer to do this for them, for a fee of course, and continue to offer consultancy for new and leaving students to keep tight control of IP allocations. You might even sell it to them as a value-added service.
|
|
|
02-08-2014, 04:48 AM
|
#6
|
MLED Founder
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453
Original Poster
|
Quote:
Originally Posted by willysr
MAC address filtering?
|
This sounds like a good idea. I'll have to do some research if iptables can filter partial MAC addresses using wildcards.
|
|
|
02-08-2014, 02:40 PM
|
#7
|
Member
Registered: Oct 2003
Location: West Midlands, UK
Distribution: Slackware 14 (Server),OpenSuse 13.2 (Laptop & Desktop),, OpenSuse 13.2 on the wifes lappy
Posts: 781
Rep:
|
Hmmm,
Just be careful that the clever students don't resort to MAC spoofing, which as we know is pretty easy to do.
|
|
|
02-08-2014, 02:56 PM
|
#8
|
MLED Founder
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453
Original Poster
|
Quote:
Originally Posted by vdemuth
Hmmm,
Just be careful that the clever students don't resort to MAC spoofing, which as we know is pretty easy to do.
|
On a smartphone?
|
|
|
02-08-2014, 02:57 PM
|
#9
|
MLED Founder
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453
Original Poster
|
Quote:
Originally Posted by willysr
MAC address filtering?
|
I guess this is the way to go. I just found the following document:
http://www.isalo.org/wiki.debian-fr/...27adresses_MAC
I'll check this out another day, with a clear head.
|
|
|
02-08-2014, 03:07 PM
|
#10
|
Member
Registered: Apr 2011
Location: British Columbia, Canada
Posts: 304
Rep:
|
Quote:
Originally Posted by kikinovak
On a smartphone?
|
It is on Android.
|
|
|
02-08-2014, 03:41 PM
|
#11
|
Senior Member
Registered: Sep 2009
Location: Leinster, IE
Distribution: Slackware, NetBSD
Posts: 2,240
|
Quote:
Originally Posted by kikinovak
Hi,
I'm currently negotiating with the IT manager of a big school in Nîmes. He wants to resolve a series of problems. Most of them (like traffic shaping, web content filtering) I know how to deal with, but one question is puzzling me. Is there a way to block smartphones like iPhones from connecting to the school's wifi? On their current hardware (a simple router) every smartphone appears as "iphone2". This router will eventually be replaced by a Slackware gateway/firewall/proxy/filter. DHCP, DNS, NTP and all services will run on this Slackware server.
Any idea if something like that would be possible?
|
BSD packet filters can do OS fingerprinting to block based on source operating system. I'd be surprised if netfilter didn't have something similar, although when it comes to firewalls I stay as far away as possible from the Linux netfilter mess, so I'm afraid I can't be of any more use to you.
;-)
|
|
|
02-08-2014, 04:01 PM
|
#12
|
Slackware Contributor
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559
|
I would let everyone register their laptop, so that you know all allowed laptop MAC addresses.
You can then add host definitions (with pre-defined IP addresses for the registered MAC addresses) for all these computers to your server's dhcpd.conf and put all of them in one pool definition.
All other DHCP clients (the 'unknown' ones) get a separate pool, including characteristics like separate IP address ranges, another default gateway, and perhaps traffic routed through a caching and filtering (transparent) proxy.
Put the IP ranges for the 'unknown' devices in a separate VLAN if the switches support it, and apply different QoS for the unknowns so that registered clients have better speeds, different or no internet filters, and lower latency.
Yes, MAC addresses can be spoofed, but actually if a student can pull that off, I'd know I had to watch him better. You can write some scripts that connect (using nmap for instance) to IP addresses of registered computers and perform OS fingerprinting on all of them. Then highlight the ones that show a non-Slackware or non-Windows OS and talk to the kids to whom the MAC address is registered.
With some creativity you can set up a system that needs minimal support (you can write a web form to add or delete hosts to the DHCP server configuration and leave the administration to the school's IT manager).
Eric
|
|
1 members found this post helpful.
|
02-08-2014, 04:27 PM
|
#13
|
Senior Member
Registered: May 2008
Location: Romania
Distribution: DARKSTAR Linux 2008.1
Posts: 2,727
|
Let's be pragmatic... Do PPPoE over WLAN. Combine it with MAC checking. You've got a user/password? The first time you connect, your MAC is matched with them.
Everyone has a user and password. If one of them makes that information public, you/they have an ass to kick.
Last edited by Darth Vader; 02-08-2014 at 04:36 PM.
|
|
|
02-08-2014, 04:30 PM
|
#14
|
MLED Founder
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453
Original Poster
|
Quote:
Originally Posted by Alien Bob
I would let everyone register their laptop, so that you know all allowed laptop MAC addresses.
You can then add host definitions (with pre-defined IP addresses for the registered MAC addresses) for all these computers to your server's dhcpd.conf and put all of them in one pool definition.
|
I'm already using a similar setup in two smaller schools here. While on paper it seems an elegant solution, in everyday practical life it is quite time-consuming.
|
|
|
02-09-2014, 12:05 PM
|
#15
|
Member
Registered: Jan 2011
Location: Czech Republic
Distribution: Slackware, Gentoo, FreeBSD
Posts: 176
Rep:
|
Quote:
Originally Posted by kikinovak
I'm already using a similar setup in two smaller schools here. While on paper it seems an elegant solution, in everyday practical life it is quite time-consuming.
|
Not really time-consuming if you put some effort into automating things. I use something similar in a smaller network (~200 users) and apart from the time spent on building and testing it first, it just works without any extra involvement. The whole "system" consists of one server with a web application where you can register people and computers, a database server and a router (Slackware of course) with a simple application that creates new iptables and dhcpd configs from a template with data from the database, replaces the actual config files and reloads the iptables and dhcpd rules. It's event-based, so rules are reloaded only when needed (no cron involved).
|
|
|
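The setup described in posts #12 and #15, sketched as an added example that is not from the thread or any poster's own code: it validates registrations, then renders a dhcpd.conf with fixed addresses for registered laptops and a separate pool for unknown clients, plus iptables rules that bind each registered MAC to its IP. The host names, addresses, the `school` network name and the `eth1` interface are assumptions.

```python
import ipaddress
import re

# Constructed sample data and assumed addressing; none of it comes from the thread.
REGISTERED = [("alice-laptop", "00:16:3E:AA:BB:01", "192.168.10.11"),
              ("bob-laptop", "00-16-3e-aa-bb-02", "192.168.10.12")]
KNOWN_NET = ipaddress.ip_network("192.168.10.0/24")  # range for registered laptops
DHCPD_TEMPLATE = """\
shared-network school {{
  subnet 192.168.10.0 netmask 255.255.255.0 {{ option routers 192.168.10.1; }}
  subnet 192.168.20.0 netmask 255.255.255.0 {{
    option routers 192.168.20.1;
    pool {{ range 192.168.20.100 192.168.20.200; allow unknown-clients; }}
  }}
}}
{hosts}"""


def validate(entries):
    """Normalize MACs; reject config-unsafe names, bad MACs, duplicates, stray IPs."""
    seen, clean = set(), []
    for name, mac, ip in entries:
        mac = mac.strip().lower().replace("-", ":")
        addr = ipaddress.ip_address(ip)  # raises ValueError on junk
        ok = (re.fullmatch(r"[a-z0-9-]+", name)  # nothing that can break out of a stanza
              and re.fullmatch(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}", mac)
              and addr in KNOWN_NET and mac not in seen and addr not in seen)
        if not ok:
            raise ValueError(f"rejected registration: {name!r} {mac!r} {ip!r}")
        seen.update((mac, addr))
        clean.append((name, mac, str(addr)))
    return clean


def render_dhcpd(entries):
    """Fill the template with one fixed-address host entry per registration."""
    hosts = "".join(f"host {n} {{ hardware ethernet {m}; fixed-address {ip}; }}\n"
                    for n, m, ip in entries)
    return DHCPD_TEMPLATE.format(hosts=hosts)


def render_iptables(entries, lan_if="eth1"):
    """iptables-restore text: forward LAN traffic only for registered MAC/IP pairs."""
    rules = [f"-A FORWARD -i {lan_if} -s {ip} -m mac --mac-source {m} -j ACCEPT"
             for _, m, ip in entries]
    return "\n".join(["*filter", *rules, f"-A FORWARD -i {lan_if} -j DROP", "COMMIT"]) + "\n"


if __name__ == "__main__":
    known = validate(REGISTERED)
    print(render_dhcpd(known) + render_iptables(known))
```

Because the name and MAC fields end up inside generated config files, the validation step is what keeps a web registration form from injecting extra dhcpd or iptables directives.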
All times are GMT -5.