On 2012/08/08 22:05, Jatin K wrote:
On 08/08/2012 05:22 PM, Tim wrote:
On Wed, 2012-08-08 at 15:26 +0530, Jatin K wrote:
Is there any way or method available to configure iptables to allow only the
DHCP-server-assigned IP? I mean, if a user manually sets his/her system's IP
address, then the Linux gateway (FC16) should reject it.
The user must use the IP address which is assigned by DHCP (the DHCP server is
running on the same machine where iptables is installed, and the machine is
acting as a gateway).
You could script something so that a computer added to the DHCP pool
gets added to the iptables rules, but can you actually achieve what you
want?
Are you simply blocking the client's access to the DHCP server (gateway
on it)? That's easy enough to block via an IP rule.
Are you trying to block the client to anything, in which case your
gateway must actually be *between* the client and other things (merely
being on the same network isn't enough). Otherwise, the gateway can
simply be bypassed.
And if a user manually assigns themselves the same IP, coincidentally,
should it be allowed or blocked? Do you just care about the address, or
do you need a DHCP client acknowledge?
It sounds more like you need some sort of authentication system, rather
than just IP assignment.
I want something like captive-portal functions but don't want to use the
available ready-to-use software/solutions like [1]; I want to build my own on
FC16 to get the technical idea of how it works and how it can be customized.
[1] http://en.wikipedia.org/wiki/Captive_portal
The MAC address is going to be your important feature for routing. MAC
address spoofing is an issue, but it's not a deadly issue related to, say,
corporate security.
For iptables, --mac-source is your magic. You'd have a login process to
which all packets are sent until the MAC address is enabled with an
iptables command using --mac-source. There'd be a login web page that
would send the appropriate iptables exception command and, later on, after
the signup period ends, remove the iptables exception. This expiration
could take place using a cron command.
Now, go read up on iptables to figure out the steps you need and the
exact commands, code it up, and play.
{^_^}
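As an added example (not code from the original thread, and not the code of any existing captive-portal project), here is a small shell script that implements the scheme described in the reply above: all HTTP from the client LAN is redirected to the login page, nothing from an unknown MAC is forwarded, a successful login calls authorize_mac to insert "-m mac --mac-source" exceptions, and a cron job calls expire to remove them once their time is up. The interface name, portal port, state-file path, chain names and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Minimal MAC-based captive portal on top of iptables.
# Unauthenticated LAN hosts get their HTTP redirected to the login page and
# are otherwise not forwarded.  The login page calls "authorize_mac" after a
# successful login; cron calls "expire" to remove timed-out exceptions.
# All defaults below are assumptions, not values from the original thread.
LAN_IF=${LAN_IF:-eth1}                        # interface facing the clients
PORTAL_PORT=${PORTAL_PORT:-8080}              # port the login web page listens on
STATE=${STATE:-/var/lib/captive/authorized}   # one "MAC expiry-epoch" per line
DRY_RUN=${DRY_RUN:-0}                         # 1 = print iptables commands, don't run

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Accept only a well-formed 48-bit MAC: the login page must never hand raw
# client input to an iptables command line.
valid_mac() {
    echo "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

portal_init() {
    # Gateway-side services a client needs before it has logged in.
    ipt -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT              # DHCP
    ipt -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT              # DNS
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport "$PORTAL_PORT" -j ACCEPT  # login page
    # nat chain: authorized MACs RETURN before the catch-all redirect of port 80.
    ipt -t nat -N captive_nat
    ipt -t nat -A PREROUTING -i "$LAN_IF" -j captive_nat
    ipt -t nat -A captive_nat -p tcp --dport 80 -j REDIRECT --to-ports "$PORTAL_PORT"
    # filter chain: authorized MACs ACCEPT before the catch-all DROP.
    ipt -N captive_fwd
    ipt -A FORWARD -i "$LAN_IF" -j captive_fwd
    ipt -A captive_fwd -j DROP
}

# Per-client rules; "$1" is the iptables action (-I to insert, -D to delete).
mac_rules() {
    ipt -t nat "$1" captive_nat -m mac --mac-source "$2" -j RETURN
    ipt "$1" captive_fwd -m mac --mac-source "$2" -j ACCEPT
}

# authorize_mac MAC SECONDS: called by the login page after a successful login.
authorize_mac() {
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 1; }
    mac=$(echo "$1" | tr 'A-Z' 'a-z')
    mac_rules -I "$mac"
    echo "$mac $(( $(date +%s) + $2 ))" >> "$STATE"
}

revoke_mac() {
    mac_rules -D "$1"
    grep -v "^$1 " "$STATE" > "$STATE.tmp" || true
    mv "$STATE.tmp" "$STATE"
}

# expire: run from cron, e.g.  * * * * * /usr/local/sbin/captive.sh expire
expire() {
    [ -f "$STATE" ] || return 0
    now=$(date +%s)
    for mac in $(awk -v now="$now" '$2 <= now { print $1 }' "$STATE"); do
        revoke_mac "$mac"
    done
}

case "${1:-}" in
    init)      portal_init ;;
    authorize) authorize_mac "$2" "${3:-3600}" ;;
    revoke)    revoke_mac "$2" ;;
    expire)    expire ;;
    "")        ;;   # no arguments: only define the functions
    *)         echo "usage: $0 init|authorize MAC [SECONDS]|revoke MAC|expire" >&2; exit 2 ;;
esac
```

Two things worth keeping in mind with this design: the redirect only catches plain HTTP on port 80, so a client whose first request is HTTPS sees a certificate error rather than the login page, and "-m mac --mac-source" only matches the layer-2 source on the interface the packet arrived on, so, as the reply says, the gateway must actually sit between the clients and everything else, and a spoofed MAC walks straight through.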
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org