View the full version: Rejecting pc with non automatic ip settings?



Spot
10-05-2005, 10:52
I want to share my internet connection with others (through Wi-Fi) using my wl-500g (in home gateway mode, fw 1.9.2.7-5).

Here are my settings:

1. Access control using MAC address.
2. Manual IP assignment using MAC address.
3. Bandwidth download policy by IP.

This is correctly working.

But it's not secure!
Because someone with an authorized MAC address can connect through WLAN by forcing the IP manually on his side (PC)... and then he can avoid the bandwidth restriction!

Isn't there a more secure solution?

Thanks in advance!

phedny
10-05-2005, 12:53
You can manually manipulate the firewall configuration using the iptables command. You can add to the MAC-address check that the IP address must also match, so this way nobody with a MAC and IP that don't belong together can access the internet.

Spot
10-05-2005, 13:24
You can manually manipulate the firewall configuration using the iptables command. You can add to the MAC-address check that the IP address must also match, so this way nobody with a MAC and IP that don't belong together can access the internet.

Ok...
Not sure I have enough skill, but I'll try! :rolleyes:

Thanks!

Spot
10-05-2005, 15:20
You can manually manipulate the firewall configuration using the iptables command. You can add to the MAC-address check that the IP address must also match, so this way nobody with a MAC and IP that don't belong together can access the internet.

Well... I'm studying iptables for sure...


--mac-source [!] address
Match source MAC address.
It must be of the form XX:XX:XX:XX:XX:XX.
Note that this only makes sense for packets entering the PREROUTING,
FORWARD or INPUT chains for packets coming from an ethernet device.

Am I in the right direction? :D


But my main goal is to refuse/reject the Wi-Fi connection of a PC that doesn't match the authorized MAC/IP pair.

Isn't it possible?

barsju
10-05-2005, 15:35
Well, to give you a flying start, you can take a look at this script that I use:


#!/bin/sh
# Walk the ethers file (one "MAC IP" pair per line, MAC first) and accept
# forwarded traffic only when the source IP and source MAC both match.
ETHERS=/usr/local/etc/ethers
mac=""
for ip in $(cat "$ETHERS")
do
    # ethers lists the MAC before the IP: remember the MAC, and emit
    # the rule when the next word is a 192.168.x.x address.
    case "$ip" in
        192.168*)
            #echo $ip
            iptables -A FORWARD -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
            ;;
        *)
            mac=$ip
            ;;
    esac
done
# Everything that did not match an authorized MAC/IP pair is dropped.
# Return traffic from the WAN carries no LAN MAC, so it must already be
# accepted by an earlier FORWARD rule (e.g. one matching ESTABLISHED,RELATED).
iptables -A FORWARD -j DROP


What it does is that it loops through your ethers file and accepts all IP/MAC pairs that it finds. All others are dropped (last line).

S.

Hope it helps.
PS: You are still vulnerable to MAC-spoofing..
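A worked variant of the approach in the post above, added here as an example and not code from the thread or from barsju: instead of applying the rules directly, it reads an ethers(5)-style file ("MAC IP" per line, '#' comments), validates every MAC and IP, and prints the iptables commands so they can be reviewed (or piped into sh) before they touch the router. The LAN prefix, the helper names and the sample file in the test are assumptions; ethers(5) also allows hostnames in the second column, which this version deliberately rejects because a hostname cannot be pinned to a MAC with `-s`.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the MAC/IP pairing rules
# from an ethers(5)-style file and print them for review instead of applying
# them. Assumptions: LAN_PREFIX below; second column is an IPv4 address.
LAN_PREFIX=${LAN_PREFIX:-192.168.}

# is_mac ADDR: exactly six colon-separated hex pairs.
is_mac() {
    case "$1" in *[!0-9A-Fa-f:]*) return 1 ;; esac
    rest=$1:; n=0
    while [ -n "$rest" ]; do
        p=${rest%%:*}; rest=${rest#*:}
        case "$p" in [0-9A-Fa-f][0-9A-Fa-f]) ;; *) return 1 ;; esac
        n=$((n + 1))
    done
    [ $n -eq 6 ]
}

# is_ipv4 ADDR: exactly four dotted decimal octets, each 0-255.
is_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest=$1.; n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}; rest=${rest#*.}
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ $n -eq 4 ]
}

# gen_rules FILE: print one ACCEPT rule per valid pair, then the final DROP.
# Malformed or out-of-range entries are reported on stderr and skipped, so a
# typo in ethers never becomes a rule that accepts more than intended.
gen_rules() {
    while read -r mac ip _rest; do
        case "$mac" in ''|'#'*) continue ;; esac   # blank line or comment
        if ! is_mac "$mac"; then
            echo "skip: bad MAC '$mac'" >&2; continue
        fi
        case "$ip" in "$LAN_PREFIX"*) ;; *)
            echo "skip: '$ip' is not a ${LAN_PREFIX}x.x address" >&2; continue ;;
        esac
        if ! is_ipv4 "$ip"; then
            echo "skip: bad IPv4 address '$ip'" >&2; continue
        fi
        echo "iptables -A FORWARD -s $ip -m mac --mac-source $mac -j ACCEPT"
    done < "$1"
    # Anything not matching an authorized pair is dropped. Return traffic
    # from the WAN must be accepted by an earlier (state) rule in FORWARD.
    echo "iptables -A FORWARD -j DROP"
}

# Usage: sh genrules.sh /etc/ethers        (review), or
#        sh genrules.sh /etc/ethers | sh   (apply)
if [ $# -eq 1 ]; then
    gen_rules "$1"
fi
```

Because the rules are appended with `-A`, they land after whatever the firmware already put in FORWARD; the final DROP only behaves as intended if an earlier rule accepts established return traffic from the WAN.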

phedny
10-05-2005, 16:39
PS: You are still vulnerable to MAC-spoofing..
But with the WL-500g that cannot be solved, I guess.

Although I'm just thinking... maybe it is possible (on the Deluxe version) to put each port in a separate VLAN. Then somehow accept EAPoL packets and process them, and as soon as a system is authenticated move the port to the "open" VLAN, or add the port into a bridge. However, how can we know when to disable the port again?

Spot
10-05-2005, 23:28
What it does is that it loops through your ethers file and accepts all IP/MAC pairs that it finds. All others are dropped (last line).

S.

Hope it helps.
PS: You are still vulnerable to MAC-spoofing..

Working perfectly!

I've just put your lines in my post-firewall script with just one little modification:

replaced /usr/local/etc/ethers with /etc/ethers
:D
So, it helps a lot... Big big thanks!

Just want to know if MAC spoofing is enabled because of the script or already exists without the script?

barsju
11-05-2005, 07:42
MAC spoofing just means that you change the MAC address on your NIC (network card) to one that is accepted by the router. Thus you will get a valid IP and access to the network. The only way to detect this is if both PCs are on and the MACs "clash". But with your main concern being BW management, your problem is hereby solved. Just don't think that MAC filtering provides any security; for that you need encryption.

S.
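The detection point barsju makes above can be checked mechanically rather than by waiting for a clash. The following is an added example, not code from the thread: it compares a saved snapshot of the router's neighbour table (the `ip neigh show` line format is assumed) with the authorized pairs in ethers, and reports any IP that is not registered at all or is seen from a MAC other than the one ethers assigns to it. An authorized MAC that forces a different IP, the case Spot raised at the start of the thread, appears as UNKNOWN or MISMATCH; a spoofer who copies both the MAC and the IP of a host that is switched off is invisible to this check, as barsju says. The helper names and the sample inputs in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: compare a neighbour-table snapshot with
# the authorized MAC/IP pairs in an ethers file. Assumes lines in the
# "ip neigh show" form, e.g.
#   192.168.1.10 dev br0 lladdr 00:11:22:33:44:55 REACHABLE
# Entries without an lladdr (FAILED/INCOMPLETE) are ignored.

# lower STR: MACs are compared case-insensitively.
lower() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# registered_mac ETHERS IP: print the MAC ethers assigns to IP, status 1 if none.
registered_mac() {
    while read -r m i _rest; do
        case "$m" in ''|'#'*) continue ;; esac
        if [ "$i" = "$2" ]; then lower "$m"; echo; return 0; fi
    done < "$1"
    return 1
}

# check_pairs ETHERS NEIGH: print one line per suspicious entry; status 1 if
# anything was found, 0 if every neighbour matches its registered pair.
check_pairs() {
    found=0
    while read -r ip _dev _iface _lladdr mac _state; do
        [ -n "$mac" ] || continue          # no lladdr on this line
        mac=$(lower "$mac")
        expected=$(registered_mac "$1" "$ip") || expected=""
        if [ -z "$expected" ]; then
            echo "UNKNOWN  $ip seen from $mac, not in ethers"; found=1
        elif [ "$expected" != "$mac" ]; then
            echo "MISMATCH $ip registered to $expected, seen from $mac"; found=1
        fi
    done < "$2"
    return $found
}

# Usage: ip neigh show > /tmp/neigh; sh checkpairs.sh /etc/ethers /tmp/neigh
if [ $# -eq 2 ]; then
    check_pairs "$1" "$2"
fi
```

Run it from cron or after a DHCP lease change; a non-zero exit status is the signal, and the printed lines say which pair to go and look at.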

Spot
11-05-2005, 08:50
Understood...

Last questions:
- According to my config (MAC address access control on the WLAN side), can MAC spoofing be done from the WLAN side only?
- If yes, does WPA2/AES authentication (the one that I use) efficiently prevent this risk?

barsju
11-05-2005, 09:01
1. No. But to spoof on the LAN you need to plug a cable into the router itself, and the risk is therefore usually not the same.
2. Yes. WPA/AES = safe WLAN. You still need to keep people away from the router (LAN).

S.
PS: If anyone can access your router physically they can always just use the reset button and reset to factory defaults, and thereby control your router and network completely. There is only one solution for this: lock it up! :)

Spot
11-05-2005, 09:17
PS: If anyone can access your router physically they can always just use the reset button and reset to factory defaults, and thereby control your router and network completely. There is only one solution for this: lock it up! :)

Gonna buy a mouse trap! :D

Thanks barsju... your info is very much appreciated.