Thread: Rejecting pc with non automatic ip settings?

  1. #1

    Rejecting pc with non automatic ip settings?

    I want to share internet connection with others (through wi-fi) using my wl-500g (in home gateway mode, fw 1.9.2.7-5).

    Here are my settings:

    1. Access control using mac address.
    2. Manual IP assignment using MAC address.
    3. Bandwidth download policy by IP.

    This is correctly working.

    But It's not secure!
    Because someone with an authorized MAC address can connect through WLAN by forcing the IP manually on his side (PC)... and then he can avoid the bandwidth restriction!

    Isn't there a more secure solution?

    Thanks in advance!

  2. #2
    You can manually manipulate the firewall configuration using the iptables command. You can add to the MAC-address check that the IP address must also match, so this way nobody with a MAC and IP that don't belong together can access the internet.

  3. #3
    Quote Originally Posted by phedny
    You can manually manipulate the firewall configuration using the iptables command. You can add to the MAC-address check that the IP address must also match, so this way nobody with a MAC and IP that don't belong together can access the internet.
    Ok...
    Not sure I have enough skill, but I'll try!

    Thanks!

  4. #4
    Quote Originally Posted by phedny
    You can manually manipulate the firewall configuration using the iptables command. You can add to the MAC-address check that the IP address must also match, so this way nobody with a MAC and IP that don't belong together can access the internet.
    Well... I'm studying iptables for sure...
    Code:
    --mac-source [!] address 
    Match source MAC address.
    It must be of the form XX:XX:XX:XX:XX:XX.
    Note that this only makes sense for packets entering the PREROUTING,
    FORWARD or INPUT chains for packets coming from an ethernet device.
    Am I going in the right direction?


    But my real goal is to refuse/reject the wi-fi connection of a PC that doesn't match an authorized MAC/IP pair.

    Isn't it possible?
    Last edited by Spot; 10-05-2005 at 15:30.

  5. #5
    Well to give you a flying start, you can take a look at this script that I use:
    Code:
    #!/bin/sh
    # Walk the ethers file token by token: a token starting with "192.168" is an
    # IP address that pairs with the MAC address token read just before it.
    mac=""
    for ip in `cat /usr/local/etc/ethers`
    do
       if [ "`expr substr "$ip" 1 7`" = "192.168" ] ; then
             #echo $ip
             # accept forwarded traffic only when source IP and source MAC match
             iptables -A FORWARD -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
       else
             mac="$ip"
       fi
    done
    # anything that did not match an IP/MAC pair above is dropped
    iptables -A FORWARD -j DROP
    What it does is that it loops through your ethers file and accepts all ip/mac pairs that it finds. All others are dropped (last line).

    S.

    Hope it helps.
    PS: You are still vulnerable to MAC-spoofing..

  6. #6
    Quote Originally Posted by barsju
    PS: You are still vulnerable to MAC-spoofing..
    But with WL-500g that can not be solved I guess.

    Although I'm just thinking... maybe it is possible (on the Deluxe version) to put each port in a separate VLAN. Then some way accept EAPoL packets and process them, and as soon as a system is authenticated move the port to the "open" VLAN, or add the port into a bridge. However, how can we know when to disable the port again?

  7. #7
    Quote Originally Posted by barsju
    What it does is that it loops through your ethers file and accepts all ip/mac pairs that it finds. All others are dropped (last line).

    S.

    Hope it helps.
    PS: You are still vulnerable to MAC-spoofing..
    Working perfectly!

    I've just put your lines in my post-firewall script with just a little modification:
    Code:
    replace /usr/local/etc/ethers by /etc/ethers

    So, it helps a lot... Big big thanks!

    Just want to know if MAC spoofing is possible because of the script or already exists without the script?

  8. #8
    MAC spoofing just means that you change the MAC address on your NIC (network card) to one that is accepted by the router. Thus you will get a valid IP and access to the network. The only way to detect this is if both PCs are on and the MACs "crash". But with your main concern being BW management, your problem is hereby solved. Just don't think that MAC filtering provides any security; for that you need encryption.

    S.

  9. #9
    Understood...

    Last questions:
    - According to my config (MAC address access control on the WLAN side), can MAC spoofing be done from the WLAN side only?
    - If yes, does WPA2/AES authentication (the one that I use) efficiently prevent this risk?

  10. #10
    1. No. But to spoof on the LAN you need to plug a cable into the router itself, and the risk is therefore usually not the same.
    2. Yes. WPA/AES=safe WLAN. You still need to keep people away from the router (LAN).

    S.
    PS: If anyone can access your router physically they can always just use the reset button and reset to factory defaults, and thereby control your router and network completely. There is only one solution for this: lock it up!

  11. #11
    Quote Originally Posted by barsju
    PS: If anyone can access your router physically they can always just use the reset button and reset to factory defaults, and thereby control your router and network completely. There is only one solution for this: lock it up!
    Gonna buy a mouse trap!

    Thanks barsju... your info is very much appreciated.
