Re: [opensuse] How to enforce IP's regardless of the clients setup.



Yes, you can switch your MAC and IP and gain access the same as what that
MAC and IP were using before. But I can't think of any outside solutions
(non-local to the computer changing the MAC / IP) that could enforce
restrictions. Basically you're the same device as what was just using
those MAC / IP.

On topic again. I have successfully created a set of iptables rules that
enforce IPs to MACs (only to the pool level), and I already have a
mechanism that automates the process to my requirements.

If anyone is interested:

in /etc/sysconfig/scripts/SuSEfirewall2-custom

inside fw_custom_before_masq()

#To allow specific access to a mac and ensure it is on a specific
network (stop static ip)
iptables -A INPUT -j ACCEPT -s 10.10.10.0/24 -m mac --mac-source 00:17:42:8E:F4:32

#To allow unregistered range to talk to all services on the server
iptables -A INPUT -j ACCEPT -s 10.0.0.0/24 -d 172.16.1.1/32
iptables -A INPUT -j ACCEPT -s 10.0.0.0/24 -d 10.10.10.1/32

#To deny unregistered range to talk to any registered ranges
iptables -A INPUT -j DROP -s 10.0.0.0/24 -d 172.16.1.0/24
iptables -A INPUT -j DROP -s 10.0.0.0/24 -d 10.10.10.0/24

#To deny registered traffic by default (stop static ip)
iptables -A INPUT -j DROP -s 10.10.10.0/24
iptables -A INPUT -j DROP -s 172.16.1.0/24


I have (just for testing purposes) the 172.16.1.0/24 range as a routed
pool and the other 2 as a NATted pool. The 10.0.0.0/24 range is an
unregistered client range that is only masq'd for communication on DHCP,
DNS, and port 80. I then force a redirect of port 80 to port 3128 and,
using squid/squidGuard, force them through the local webserver, where they
will be required to register. Then the registration process updates and
moves them to a registered pool. It's all tested out by hand and works
exactly how I need it.

--
Regards,
Shawn Holland
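The rule set above, generated from a registration table instead of hand-written one rule per client, as an added example in POSIX sh that is not part of the original post. The "<mac> <pool-cidr>" table format, the IPTABLES override for previewing, and the sample MACs are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the rule set from a
# registration table instead of hand-writing one line per client in
# fw_custom_before_masq(). Assumptions (hypothetical): the table holds
# "<mac> <pool-cidr>" lines, and IPTABLES may be set to "echo" to preview.
IPTABLES="${IPTABLES:-iptables}"
UNREG_NET="10.0.0.0/24"                  # unregistered client range
REG_NETS="10.10.10.0/24 172.16.1.0/24"   # registered pools
SERVER_IPS="10.10.10.1/32 172.16.1.1/32" # server addresses reachable by anyone

# Constructed sample table; the second MAC is malformed on purpose.
SAMPLE_TABLE="# mac              pool
00:17:42:8E:F4:32 10.10.10.0/24
00:17:42:ZZ:00:01 172.16.1.0/24
00:1a:2b:3c:4d:5e 172.16.1.0/24"

# Accept only a well-formed MAC: fail closed rather than pass junk to iptables.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Read "<mac> <pool>" lines from stdin and emit the INPUT rules in the same
# order as the post: per-MAC accepts, server accepts, cross-pool drops, and
# finally the default drop for the registered ranges.
build_rules() {
    while read -r mac pool; do
        case "$mac" in ''|'#'*) continue ;; esac
        if valid_mac "$mac" && [ -n "$pool" ]; then
            $IPTABLES -A INPUT -j ACCEPT -s "$pool" -m mac --mac-source "$mac"
        else
            echo "skipping malformed entry: $mac $pool" >&2
        fi
    done
    for ip in $SERVER_IPS; do
        $IPTABLES -A INPUT -j ACCEPT -s "$UNREG_NET" -d "$ip"
    done
    for net in $REG_NETS; do
        $IPTABLES -A INPUT -j DROP -s "$UNREG_NET" -d "$net"
    done
    for net in $REG_NETS; do
        $IPTABLES -A INPUT -j DROP -s "$net"
    done
}

# Print the rules the sample table would produce, without touching the firewall.
dry_run() {
    (IPTABLES=echo; printf '%s\n' "$SAMPLE_TABLE" | build_rules)
}
```

Call dry_run to inspect the generated chain; feed a real table to build_rules with IPTABLES left at its default to apply it.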

On Tue, 2008-05-13 at 16:36 +0200, jdd sur free wrote:
Carlos E. R. wrote:

- If the PC has the proper MAC, the dhcp gives the correct IP.
- If the user sets another MAC, the switch denies entry.

In wireless (and it's enough if some part of the net is wireless) you can do:

Listen to the net. Every wireless device *has* to announce its MAC. The
others also, to have a DHCP answering...

Wait for this station to stop (evening or weekend).

Connect wireless with *this* MAC... you are in.

Of course this doesn't take account of passwords. WEP passwords can be
(automatically) found in minutes. WPA is said to be secure...

jdd

--
Jean-Daniel Dodin
President of CULTe
www.culte.org

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
