Internet access for dhcp clients

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
nivis
n00b
Posts: 9
Joined: Fri Apr 25, 2003 10:47 pm

Internet access for dhcp clients


Post by nivis » Thu Jul 06, 2006 7:27 pm

Hi

I'm running a small home network with a gentoo box as a firewall (shorewall).
I've just emerged dhcp so I can connect all my local stations through dhcp.

My question is: how can I restrict internet access to dhcp clients only?
As it is right now, I can enter a static internal ip address on any local station and still
have internet access.

Any ideas??

/Nivis
Mroofka
Guru
Posts: 369
Joined: Tue Jan 25, 2005 11:26 pm
Location: Poland


Post by Mroofka » Thu Jul 06, 2006 7:56 pm

if dhcp is working and clients get addresses you can configure "static dhcp". It means that you have to get all MACs from your clients, configure dhcp to assign IPs to MACs, and after that only they will have access to dhcp. Moreover you can make /etc/ethers (or something similar) with:

192.168.1.1 valid mac
ip valid mac
ip valid mac

for people who should have internet, and for other IPs from your network:
ip 00:00:00:00:00:00

and then
arp -f /etc/ethers

In this way you block all addresses except those who should have access.

I hope this is clear enough to understand :)

Pozdrawiam
"Make install not love"
registered linux User # 379143

"Ready for Anything; Prepared for everything; Surprised by Nothing !"
nivis
n00b
Posts: 9
Joined: Fri Apr 25, 2003 10:47 pm


Post by nivis » Thu Jul 06, 2006 8:41 pm

Yeah I understand :)

But in this way I must know all my clients' MAC addresses.
I want a more dynamic solution where every computer that
receives an ip address from my dhcp server automatically
gets internet access.

/Nivis
Mroofka
Guru
Posts: 369
Joined: Tue Jan 25, 2005 11:26 pm
Location: Poland


Post by Mroofka » Thu Jul 06, 2006 11:37 pm

If you don't assign IPs to MACs you don't have any control over who is connecting to your network. No matter if you use dhcp or static IPs.

If you use dhcp any box with a dhcp client (default in windows after plugging in the netcard) will have access, so the problem is even bigger than with static IPs.

I'm very curious why, and what for, you would block those who have static IPs if anyone can use dhcp to get access and you still don't have any control ??

I don't know the solution for your problem :), maybe someone else will :).

Pozdrawiam
"Make install not love"
registered linux User # 379143

"Ready for Anything; Prepared for everything; Surprised by Nothing !"
Kaddy
n00b
Posts: 29
Joined: Thu Jan 27, 2005 2:43 pm


Post by Kaddy » Fri Jul 07, 2006 12:55 am

you'd have to do the MAC filter thing for dhcp, it isn't that hard, you can basically do it like this.

Code:

group {
  host hostname1 { hardware ethernet <mac goes here>; }
  host hostname2 { hardware ethernet <mac goes here>; }
}
then, in your dhcpd.conf file, add something like this:

Code:

  pool {
    max-lease-time 28800;
    range 10.0.0.5 10.0.0.15;
    deny unknown-clients;
  }
Headrush
Watchman
Posts: 5597
Joined: Thu Nov 06, 2003 12:48 am
Location: Bizarro World


Post by Headrush » Fri Jul 07, 2006 1:46 am

Mroofka and Kaddy are right.

If you don't use the MAC filtering, the constraints you are trying to create can easily be bypassed/"forged".
think4urs11
Bodhisattva
Posts: 6659
Joined: Wed Jun 25, 2003 9:51 pm
Location: above the cloud

Re: Internet access for dhcp clients


Post by think4urs11 » Fri Jul 07, 2006 6:32 am

nivis wrote:
My question is how I can restrict internet access only for dhcp clients?
As it is right now, I can enter a static internal ip address on any local stations and still
have internet access.

dumb(?) idea:
Create a script on the server side which reads the dhcp lease file to check which leases are 'given out' at the moment.
Based on that, create a whitelist for iptables - all others will be dropped.
Put this into cron to run once per minute.
With that only active leases are allowed to connect 'outwards'.
You shouldn't forget though to leave bootp/dhcp open to all (otherwise it would be a bit tricky to get a dhcp lease ;) ); same with other services on your server which are not 'only dhcp clients should be able to'.

*edit* fixed typos
Last edited by think4urs11 on Fri Jul 07, 2006 6:50 pm, edited 1 time in total.
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
Kaddy
n00b
Posts: 29
Joined: Thu Jan 27, 2005 2:43 pm


Post by Kaddy » Fri Jul 07, 2006 6:47 pm

the other thing that you could do, seeing as the dhcpd.conf idea is only HALF of what you'd have to do (I just realised that), is something with iptables as well, to deny IPs that are static on the client.

Code:

# iptables -P INPUT DROP  <-- default action to drop on INPUT
# iptables -A INPUT -i eth0 -j ACCEPT  <-- accept incoming connections from internet (assuming that you are NATing)
# iptables -A INPUT -i eth1 -m mac --mac-source <valid mac goes here> -j ACCEPT
granted, you'll have to do that every time that you are adding a new machine.

I am doing this at home, so, I simplified it an made a little thing that you just have to enter the MAC address for

Code:

#!/bin/bash
# MAC Address Filter

echo -e "Enter Client MAC Address: \c"
read MAC

iptables -A INPUT -i eth0 -m mac --mac-source $MAC -j ACCEPT
it just basically adds the client MAC that you enter
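An added example, written for this thread and not code from any of the posters, that combines think4urs11's lease-file whitelist with the MAC matching from Kaddy's iptables rules: it parses the ISC dhcpd lease file, keeps only leases whose newest record is active, and emits rules that accept a LAN host only when both its source IP and its source MAC match that lease. It assumes the LAN is on eth1, the lease file is /var/lib/dhcp/dhcpd.leases, and a private chain named DHCP_CLIENTS; the rules go on FORWARD because traffic routed from the LAN to the internet passes through FORWARD, not INPUT, so the INPUT rules earlier in the thread on their own would not restrict it.

```shell
#!/bin/bash
# Whitelist only hosts holding an active dhcpd lease, matching both the leased
# IP and the MAC it was leased to (added example, not code from the thread).
# Assumptions: LAN is eth1, ISC dhcpd lease file, a private FORWARD sub-chain.
LAN_IF="${LAN_IF:-eth1}"
CHAIN="DHCP_CLIENTS"

# Print "ip mac" for each lease whose newest record is 'binding state active'.
# dhcpd appends records, so the last record seen for an IP is the current one.
active_leases() {
    awk '
        BEGIN { RS = "}" }
        /lease [0-9.]+/ {
            match($0, /lease [0-9.]+/); ip = substr($0, RSTART + 6, RLENGTH - 6)
            state = ""; if (match($0, /binding state [a-z]+/)) state = substr($0, RSTART + 14, RLENGTH - 14)
            if (match($0, /hardware ethernet [0-9a-fA-F:]+/)) hw[ip] = substr($0, RSTART + 18, RLENGTH - 18)
            st[ip] = state
        }
        END { for (i in st) if (st[i] == "active" && (i in hw)) print i, hw[i] }
    ' "$1" | sort
}

# Turn "ip mac" lines on stdin into one refresh of the whitelist chain.
# DHCP itself is a request to this box (INPUT, udp/67), so it is left open;
# everything else from the LAN goes FORWARD -> DHCP_CLIENTS -> ACCEPT or DROP.
build_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    echo "iptables -C FORWARD -i $LAN_IF -j $CHAIN 2>/dev/null || iptables -I FORWARD -i $LAN_IF -j $CHAIN"
    echo "iptables -C INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT 2>/dev/null || iptables -I INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT"
    while read -r ip mac; do
        echo "iptables -A $CHAIN -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
    echo "iptables -A $CHAIN -j DROP"
}

# Constructed sample lease file: .7 and .10 active, .8 free, .9 was active but
# a later record released it. Real files are multi-line; the parser does not care.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
lease 10.0.0.7 { binding state active; hardware ethernet 00:11:22:33:44:55; }
lease 10.0.0.8 { binding state free; hardware ethernet 00:11:22:33:44:66; }
lease 10.0.0.9 { binding state active; hardware ethernet 00:11:22:33:44:88; }
lease 10.0.0.10 { binding state active; hardware ethernet 00:11:22:33:44:77; }
lease 10.0.0.9 { binding state free; hardware ethernet 00:11:22:33:44:88; }
EOF

# From cron, once a minute:  active_leases /var/lib/dhcp/dhcpd.leases | build_rules | sh
active_leases "$SAMPLE" | build_rules
```

Only .7 and .10 end up with ACCEPT rules; a station that types in an unused address, or reuses a leased address from a different NIC, fails the combined IP+MAC match and falls through to the DROP at the end of the chain.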
© 2001–2026 Gentoo Foundation, Inc.