Mailinglist Archive: opensuse (2553 mails)
Re: [opensuse] How to enforce IP's regardless of the clients setup.
- From: Shawn Holland <sholland@xxxxxxxxxx>
- Date: Tue, 13 May 2008 12:11:29 -0300
- Message-id: <1210691489.5550.120.camel@sholland-desktop>
Yes, you can switch your MAC and IP and gain access the same as what that
MAC and IP were using before. But I can't think of any outside solutions
(non-local to the computer changing the MAC / IP) that could enforce
restrictions. Basically you're the same device as what was just using
those MAC / IP.
On topic again. I have successfully created a set of iptables rules that
enforce IPs to MACs (only to the pool level), and I already have a
mechanism that automates the process to my requirements.
If anyone is interested:
in /etc/sysconfig/scripts/SuSEfirewall2-custom
inside fw_custom_before_masq()
#To allow specific access to a mac and ensure it is on a specific network (stop static ip)
iptables -A INPUT -j ACCEPT -s 10.10.10.0/24 -m mac --mac-source 00:17:42:8E:F4:32
#To allow unregistered range to talk to all services on the server
iptables -A INPUT -j ACCEPT -s 10.0.0.0/24 -d 172.16.1.1/32
iptables -A INPUT -j ACCEPT -s 10.0.0.0/24 -d 10.10.10.1/32
#To deny unregistered range to talk to any registered ranges
iptables -A INPUT -j DROP -s 10.0.0.0/24 -d 172.16.1.0/24
iptables -A INPUT -j DROP -s 10.0.0.0/24 -d 10.10.10.0/24
#To deny registered traffic by default (stop static ip)
iptables -A INPUT -j DROP -s 10.10.10.0/24
iptables -A INPUT -j DROP -s 172.16.1.0/24
I have (just for testing purposes) the 172.16.1.0/24 range as a routed
pool and the other 2 as a NATed pool. The 10.0.0.0/24 range is an
unregistered client range that is only masq'd for communication on DHCP,
DNS, and port 80. I then force redirect on port 80 to port 3128 and,
using squid/squidGuard, force through the local webserver in which they
will be required to register. Then the registration process updates and
moves them to a registered pool. It's all tested out by hand and works
exactly how I need it.
--
Regards,
Shawn Holland
On Tue, 2008-05-13 at 16:36 +0200, jdd sur free wrote:
Carlos E. R. wrote:
- If the PC has the proper MAC, the dhcp gives the correct IP.
- If the user sets another MAC, the switch denies entry.
In wireless (and it's enough that some part of the net is wireless) you can do:
listen to the net. Every wireless device *has* to announce its MAC. The
others too, to have a DHCP answering...
wait for this station to stop (evening or weekend)
connect wireless with *this* MAC... you are in
Of course this doesn't take account of the passwd. A WEP passwd can be
(automatically) found in minutes. WPA is said to be secure...
jdd
--
Jean-Daniel Dodin
President of CULTe
www.culte.org
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
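The INPUT rules above are evaluated top to bottom, first match wins, so the order decides what the "stop static ip" DROP lines actually enforce. The following is an added example, not code from the post or from SuSEfirewall2: a small first-match simulator of exactly those seven rules, run against constructed packets. The registered MAC and the addresses are the ones from the post; the client MACs (de:ad:be:ef:...) and the "CONTINUE" outcome for packets that match none of the rules (they fall through to the rest of the SuSEfirewall2 chain, whose policy is not shown on the page) are assumptions.

```python
# Added example: first-match evaluation of the posted INPUT rules.
# Not the mailing-list author's code; the MAC table and the fall-through
# "CONTINUE" result are assumptions made for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str   # source IP
    dst: str   # destination IP
    mac: str   # source MAC as seen by the kernel (-m mac --mac-source)


@dataclass(frozen=True)
class Rule:
    target: str                # "ACCEPT" or "DROP"
    src: str                   # -s CIDR
    dst: Optional[str] = None  # -d CIDR (None = any destination)
    mac: Optional[str] = None  # --mac-source (None = any MAC)

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.mac and p.mac.lower() != self.mac.lower():
            return False
        return True


REGISTERED_MAC = "00:17:42:8E:F4:32"  # the MAC from the post

# The seven rules from the post, in the order they are appended (-A).
RULES: List[Rule] = [
    Rule("ACCEPT", "10.10.10.0/24", mac=REGISTERED_MAC),   # registered MAC on its pool
    Rule("ACCEPT", "10.0.0.0/24", dst="172.16.1.1/32"),    # unregistered -> server
    Rule("ACCEPT", "10.0.0.0/24", dst="10.10.10.1/32"),    # unregistered -> server
    Rule("DROP", "10.0.0.0/24", dst="172.16.1.0/24"),      # unregistered -> registered pool
    Rule("DROP", "10.0.0.0/24", dst="10.10.10.0/24"),      # unregistered -> registered pool
    Rule("DROP", "10.10.10.0/24"),                         # any other source in the pool
    Rule("DROP", "172.16.1.0/24"),                         # any other source in the pool
]


def verdict(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, Optional[int]]:
    """Return (target, index of the first matching rule).

    ("CONTINUE", None) means none of these rules matched and the packet
    goes on to whatever SuSEfirewall2 appends later (assumption)."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.target, i
    return "CONTINUE", None


# Constructed sample traffic (not from the post).
SAMPLES = {
    "registered client, correct MAC":      Packet("10.10.10.50", "172.16.1.1", "00:17:42:8e:f4:32"),
    "static IP in pool, unregistered MAC": Packet("10.10.10.50", "172.16.1.1", "de:ad:be:ef:00:01"),
    "unregistered client to server":       Packet("10.0.0.5", "10.10.10.1", "de:ad:be:ef:00:02"),
    "unregistered client to registered":   Packet("10.0.0.5", "10.10.10.50", "de:ad:be:ef:00:02"),
    "unregistered client to internet":     Packet("10.0.0.5", "8.8.8.8", "de:ad:be:ef:00:02"),
    "routed pool, no MAC rule for it":     Packet("172.16.1.9", "10.10.10.1", "00:17:42:8e:f4:32"),
}


def evaluate_all() -> dict:
    """Map each sample name to its (target, rule index) pair."""
    return {name: verdict(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (target, idx) in evaluate_all().items():
        where = "no rule matched" if idx is None else f"rule {idx + 1}"
        print(f"{name:38s} -> {target:8s} ({where})")
```

Two things the run makes visible: a host that simply configures a static 10.10.10.x address is dropped by rule 6 because rule 1 only accepts that subnet from the registered MAC, while a host that clones both the registered MAC and the address is accepted by rule 1, which is exactly the limit Shawn describes at the top of his reply. Packets from the unregistered range to anything outside the registered pools match nothing here and are left to the later masquerading rules for DHCP, DNS and port 80.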