iptables and dhcp configuration

jdow jdow at earthlink.net
Thu Aug 9 05:58:14 UTC 2012


On 2012/08/08 22:05, Jatin K wrote:
> On 08/08/2012 05:22 PM, Tim wrote:
>> On Wed, 2012-08-08 at 15:26 +0530, Jatin K wrote:
>>> Is there any way or method available to configure iptables to allow only
>>> DHCP-server-assigned IPs? I mean, if a user manually sets his/her system's IP
>>> address, then the Linux gateway (FC16) should reject it.
>>> The user must use the IP address which is assigned by DHCP. (The DHCP server is
>>> running on the same machine where iptables is installed, and the machine is
>>> acting as a gateway.)
>> You could script something so that a computer added to the DHCP pool
>> gets added to the iptables rules, but can you actually achieve what you
>> want?
>>
>> Are you simply blocking the client's access to the DHCP server (gateway
>> on it)?  That's easy enough to block via an IP rule.
>>
>> Are you trying to block the client to anything, in which case your
>> gateway must actually be *between* the client and other things (merely
>> being on the same network isn't enough).  Otherwise, the gateway can
>> simply be bypassed.
>>
>> And if a user manually assigns themselves the same IP, coincidentally,
>> should it be allowed or blocked?  Do you just care about the address, or
>> do you need a DHCP client acknowledge?
>>
>> It sounds more like you need some sort of authentication system, rather
>> than just IP assignment.
>>
> I want something like captive portal functions, but I don't want to use the
> available ready-to-use software/solutions like [1]; I want to build my own on FC16
> to get the technical idea of how it works and how it can be customized.
>
> [1] http://en.wikipedia.org/wiki/Captive_portal

The MAC address is going to be your important feature for routing. MAC
address spoofing is an issue, but it's not a deadly issue related to, say,
corporate security.

For iptables --mac-source is your magic. You'd have a login process to
which all packets are sent until the MAC address is enabled with an
iptables command using --mac-source. There'd be a login web page that
would send the appropriate iptables exception command and later on after
the signup period ends remove the iptables exception. This expiration
could take place using a cron command.

Now, go read up on iptables to figure out the steps you need and the
exact commands, code it up, and play.

{^_^}
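As an added worked example (my own script, not jdow's and not part of this thread), here is the skeleton of what jdow describes: a "portal" chain that every unknown MAC falls into, a login-page hook that inserts the --mac-source exception, and a cron-driven expiry that removes it again. The LAN interface, gateway address, portal port and session-file path are assumptions of mine; setting IPT=echo prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal MAC-gated captive portal
# built on the ruleset jdow sketches. Assumed values (mine, not the page's):
# LAN interface eth1, gateway LAN address 192.168.1.1, login web server on
# local port 8080. Set IPT=echo to print the rules instead of applying them.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
GW_IP="${GW_IP:-192.168.1.1}"
PORTAL_PORT="${PORTAL_PORT:-8080}"
# Active sessions, one "MAC EXPIRY_EPOCH" line each (path is an assumption).
SESSIONS="${SESSIONS:-/var/lib/portal/sessions}"

# The MAC arrives from the login web page, i.e. from the client. Accept only
# a well-formed address so nothing else is ever spliced into a command line.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# One-time setup. Unknown MACs get their web traffic DNATed to the login page
# and everything else they try to forward through the gateway is dropped.
portal_init() {
    $IPT -t nat -N portal_nat
    $IPT -N portal
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j portal_nat
    $IPT -t nat -A portal_nat -j DNAT --to-destination "$GW_IP:$PORTAL_PORT"
    # Clients always need DHCP, DNS and the portal itself on this box.
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$PORTAL_PORT" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -j portal
    $IPT -A portal -j DROP
}

# Called by the login page after a successful sign-in: the exceptions are
# inserted at the top of both chains so they win over the DNAT and the DROP.
portal_allow() {
    mac="$1"
    valid_mac "$mac" || { echo "portal: rejected MAC '$mac'" >&2; return 1; }
    $IPT -t nat -I portal_nat 1 -m mac --mac-source "$mac" -j RETURN
    $IPT -I portal 1 -m mac --mac-source "$mac" -j ACCEPT
}

# Remove the exceptions again (same rule spec, so -D finds them).
portal_revoke() {
    mac="$1"
    valid_mac "$mac" || { echo "portal: rejected MAC '$mac'" >&2; return 1; }
    $IPT -t nat -D portal_nat -m mac --mac-source "$mac" -j RETURN
    $IPT -D portal -m mac --mac-source "$mac" -j ACCEPT
}

# Run from cron: revoke every session whose expiry is at or before "now"
# (defaults to the current time; a value can be passed in for testing) and
# rewrite the session file without the expired lines.
portal_expire() {
    now="${1:-$(date +%s)}"
    [ -f "$SESSIONS" ] || return 0
    tmp="$SESSIONS.tmp"
    : > "$tmp"
    while read -r mac expiry; do
        if [ "$expiry" -le "$now" ]; then
            portal_revoke "$mac" || echo "portal: bad session line '$mac'" >&2
        else
            printf '%s %s\n' "$mac" "$expiry" >> "$tmp"
        fi
    done < "$SESSIONS"
    mv "$tmp" "$SESSIONS"
}

# Dispatch so one script serves setup, the login-page hook and cron, e.g.:
#   ./portal.sh init; ./portal.sh allow 00:11:22:33:44:55; ./portal.sh expire
case "${1:-}" in
    init)   portal_init ;;
    allow)  portal_allow "$2" ;;
    revoke) portal_revoke "$2" ;;
    expire) portal_expire ;;
esac
```

Two things worth keeping from this: the match is spelled `-m mac --mac-source`, so the mac match module has to be available on the gateway, and because the MAC comes in from the login page the script only touches iptables once the address has passed a strict format check. As Tim points out above, the box also has to actually sit between the clients and what you are protecting; a MAC is only visible on the directly attached segment, so these rules do nothing for traffic that never crosses the gateway.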
