Network Security: I.P. Address With Corresponding Mac Address


Post by B.T » Sun, 08 Aug 1999 04:00:00



Hi.

I have a home LAN that will soon have ADSL access.  I am trying to
give only some of the users on my LAN Internet access while
prohibiting others from doing so.  One method I thought of is matching
IP addresses to corresponding mac addresses.  That is, my Linux server
will check to make sure that a certain computer that has been assigned
a certain IP address will have a certain mac address before access is
given.  I haven't been able to locate such an option in the I.P.
Masquerading software or the IPChains software.  I do not want to
modify the C++ source code to do so unless it is absolutely necessary.

Any other suggestions are welcome.

B.T.

 
 
 


Post by Juergen Pabe » Sun, 08 Aug 1999 04:00:00


check my reply to your earlier posting...

if you set up your network wisely you can build two subnets within your
private net and restrict the access to one of those subnets...
jp


> Hi.

> I have a home LAN that will soon have ADSL access.  I am trying to
> give only some of the users on my LAN Internet access while
> prohibiting others from doing so.  One method I thought of is matching
> IP addresses to corresponding mac addresses.  That is, my Linux server
> will check to make sure that a certain computer that has been assigned
> a certain IP address will have a certain mac address before access is
> given.  I haven't been able to locate such an option in the I.P.
> Masquerading software or the IPChains software.  I do not want to
> modify the C++ source code to do so unless it is absolutely necessary.

> Any other suggestions are welcome.

> B.T.


 
 
 


Post by Juergen Pabe » Sun, 08 Aug 1999 04:00:00


in case i wasn't clear enough:

use dhcpd.conf to set up two ranges: one with machines that are granted
access to the internet and one range with the non-internet machines.
set up your subnet as 192.168.0.0/16
then use 192.168.1.x for internet machines and 192.168.2.x for non
internet machines

then specify in ipchains:  -s 192.168.1.0/24

jp


> check my reply to your earlier posting...

> if you set up your network wisely you can build two subnets within your
> private net and restrict the access to one of those subnets...
> jp


> > Hi.

> > I have a home LAN that will soon have ADSL access.  I am trying to
> > give only some of the users on my LAN Internet access while
> > prohibiting others from doing so.  One method I thought of is matching
> > IP addresses to corresponding mac addresses.  That is, my Linux server
> > will check to make sure that a certain computer that has been assigned
> > a certain IP address will have a certain mac address before access is
> > given.  I haven't been able to locate such an option in the I.P.
> > Masquerading software or the IPChains software.  I do not want to
> > modify the C++ source code to do so unless it is absolutely necessary.

> > Any other suggestions are welcome.

> > B.T.

 
 
 


Post by Brad » Sun, 08 Aug 1999 04:00:00


you can specify to ipchains a certain rule that it will only masq packets
from specific hosts. or you could do the whole subnet and then add deny
rules for each host you don't want to have access.

Brady

> Hi.

> I have a home LAN that will soon have ADSL access.  I am trying to
> give only some of the users on my LAN Internet access while
> prohibiting others from doing so.  One method I thought of is matching
> IP addresses to corresponding mac addresses.  That is, my Linux server
> will check to make sure that a certain computer that has been assigned
> a certain IP address will have a certain mac address before access is
> given.  I haven't been able to locate such an option in the I.P.
> Masquerading software or the IPChains software.  I do not want to
> modify the C++ source code to do so unless it is absolutely necessary.

> Any other suggestions are welcome.

> B.T.

 
 
 


Post by B.T » Mon, 09 Aug 1999 04:00:00


Thanks.  That was what I was looking for.

B.T.

On Sat, 07 Aug 1999 17:40:09 -0400, Juergen Pabel


>in case i wasn't clear enough:

>use dhcpd.conf to set up two ranges: one with machines that are granted
>access to the internet and one range with the non-internet machines.
>set up your subnet as 192.168.0.0/16
>then use 192.168.1.x for internet machines and 192.168.2.x for non
>internet machines

>then specify in ipchains:  -s 192.168.1.0/24

>jp

 
 
 


Post by Question Exchange, Inc » Mon, 09 Aug 1999 04:00:00


The easiest method is to assign IP addresses (can be done with DHCP, in /etc/dhcpd.conf, at the end

 host Celery {
  hardware ethernet 00:10:4B:65:1C:3A;
  fixed-address Celery.House;
 }

Use named normally, I think manual assigns work)

Then using ipchains,

ipchains -P forward DENY
ipchains -F forward
ipchains -A forward -s Celery.House -j MASQ

Doing this for each one would allow internet access to Celery.House, and you can repeat the last line accordingly, it would then deny gateway access to any other computers on the network (and internet) but allow intranet access to it for other services (such as DHCP and DNS).

Unfortunately, ipchains has not created a method to look up MAC addresses, but honestly, assigning named addresses is usually easier.

Finally, if you can refer to a computer for lookup by name (your DNS is dynamic) you can ipchain by name so you don't have to deal with DHCP at all.  So for simplicity, if Bob.Network ALWAYS points to Bob's computer (or even just BOB) then your ipchains can use '-d BOB -j MASQ' and the lookup will be automatic.

Hope it helps!

  This answer is courtesy of QuestionExchange.com

  For other answers and comments visit:

  http://www.questionexchange.com/servlet1/showUsenetGuest?ans_id=2219&...
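
Added example, not part of the original posts: since ipchains matches on IP address only, the gateway can still check that each address in the Internet-enabled range is being used by the MAC bound to it in dhcpd.conf, by comparing the DHCP host declarations with the kernel ARP table. The sample data is constructed; it assumes fixed-address holds a literal IP rather than a name, the 192.168.1.x range from the thread, and the Linux /proc/net/arp layout. The host Carrot and every MAC except Celery's are made up.

```python
import re

# Constructed sample: host declarations with literal IPs (no DNS lookup needed).
DHCPD_CONF = """
host Celery { hardware ethernet 00:10:4B:65:1C:3A; fixed-address 192.168.1.10; }
host Carrot { hardware ethernet 00:10:4B:65:1C:3B; fixed-address 192.168.1.11; }
"""

# Constructed sample in the layout of Linux /proc/net/arp.
PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:10:4b:65:1c:3a     *        eth0
192.168.1.11     0x1         0x2         00:a0:c9:11:22:33     *        eth0
192.168.1.12     0x1         0x2         00:a0:c9:44:55:66     *        eth0
192.168.2.20     0x1         0x2         00:a0:c9:77:88:99     *        eth0
192.168.1.13     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

HOST_RE = re.compile(
    r"host\s+(\S+)\s*\{[^}]*?hardware\s+ethernet\s+([0-9A-Fa-f:]{17})\s*;"
    r"[^}]*?fixed-address\s+(\d+\.\d+\.\d+\.\d+)\s*;", re.S)

def parse_bindings(conf):
    """Return {ip: (hostname, mac)} from dhcpd.conf host declarations."""
    return {ip: (name, mac.lower()) for name, mac, ip in HOST_RE.findall(conf)}

def parse_arp(table):
    """Return {ip: mac} for completed ARP entries (flag bit 0x2 set)."""
    seen = {}
    for line in table.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) >= 4 and int(f[2], 16) & 0x2:  # ignore incomplete entries
            seen[f[0]] = f[3].lower()
    return seen

def audit(conf, table, allowed_prefix="192.168.1."):
    """List (ip, reason) for allowed-range IPs not used by their bound MAC."""
    bindings, findings = parse_bindings(conf), []
    for ip, mac in sorted(parse_arp(table).items()):
        if not ip.startswith(allowed_prefix):
            continue  # non-Internet range: the forward chain does not MASQ it
        if ip not in bindings:
            findings.append((ip, "no DHCP binding for %s" % mac))
        elif bindings[ip][1] != mac:
            findings.append((ip, "expected %s, saw %s" % (bindings[ip][1], mac)))
    return findings

if __name__ == "__main__":
    print(audit(DHCPD_CONF, PROC_NET_ARP))
```

On the gateway itself, pass the contents of /etc/dhcpd.conf and /proc/net/arp instead of the samples; the ARP table only lists hosts that have talked to the gateway recently, so run the check periodically.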

 
 
 
