Post subject: IP vs MAC filtering
Posted: 20.06.2004 - 21:51 #9760
Guru
Joined: Jan 30, 2003
Posts: 1572

I want to ask whether any of you uses, or rather could publish, a script that would compare the IP with the MAC address of the network card and, in case the MAC address does not match the IP, would drop those packets.
In other words, when a user with IP x.x.x.x and MAC x-x-x-x-x-x sets his neighbour's IP x.x.x.y, the machine should drop the packets from IP x.x.x.y, because x.x.x.y does not go with MAC x-x-x-x-x-x.

Post subject: RE: IP vs MAC filtering
Posted: 20.06.2004 - 22:29 #9761
Majster
Joined: Oct 22, 2003
Posts: 3321
Location: Banská Bystrica - Rudlová

If you work with iptables, make a rule on the IP and at the same time on the MAC.

Post subject: RE: IP vs MAC filtering
Posted: 20.06.2004 - 22:54 #9763
Guru
Joined: Jan 30, 2003
Posts: 1572

Could you please publish some sample script, with some description too? Thanks.

Post subject: RE: IP vs MAC filtering
Posted: 21.06.2004 - 00:21 #9764
Majster
Joined: Oct 22, 2003
Posts: 3321
Location: Banská Bystrica - Rudlová

iptables -A INPUT -i eth1 -s 192.168.100.100 -m mac --mac-source 00:00:00:00:00:00 -p tcp --dport 135:139 -j DROP
In the INPUT chain, communication over ports 135 to 139 is forbidden for the IP address 192.168.100.100 and at the same time the MAC address 00:00:00:00:00:00. Or rather, do it so that you forbid everything and allow specifically what you want.

Post subject: RE: IP vs MAC filtering
Posted: 21.06.2004 - 08:58 #9766
Majster
Joined: Jan 12, 2003
Posts: 4250
Location: /dev/null

1. Default ACCEPT, but I need to make sure people don't just change their IP:
/usr/sbin/iptables -A FORWARD -s 1.2.3.4 -m mac --mac-source ! 01:23:45:67:89:AB -j DROP
(INPUT doesn't bother me; they can ping the machine and try other nonsense (unless that is handled otherwise), but their packets won't be forwarded any further...)
This is a standard rule on the internal routers of my network.
2. Default DROP:
/usr/sbin/iptables -A FORWARD -s 1.2.3.4 -m mac --mac-source 01:23:45:67:89:AB -j ACCEPT
/usr/sbin/iptables -A FORWARD -d 1.2.3.4 -j ACCEPT
(INPUT again doesn't bother me, for the reasons given above; don't forget that you must have /usr/sbin/iptables -P FORWARD DROP set.)
This is the rule used on the network's exit router for IPs that are directly on the segments adjacent to the router.
(For all other addresses the rules are somewhat shorter:
/usr/sbin/iptables -A FORWARD -s 1.2.3.4 -j ACCEPT
/usr/sbin/iptables -A FORWARD -d 1.2.3.4 -j ACCEPT )
Don't forget that you must _always_ check the MAC on the nearest upstream router to the customer!!!

Post subject: RE: IP vs MAC filtering
Posted: 21.06.2004 - 09:58 #9767
Ucen
Joined: Nov 04, 2003
Posts: 544

to kockac: couldn't you write something similar about how it's done under FreeBSD? .. Neither ipf nor ipfw can work with MAC addresses... it only works with ARP entries, but I don't understand writing into ARP... especially when I have DHCP, which rewrites the ARP tables..

Post subject: RE: IP vs MAC filtering
Posted: 21.06.2004 - 11:52 #9770
Basic
Joined: Feb 23, 2003
Posts: 423
Location: Bratislava, Dubravka

goose: ipfw can handle it, you just have to add "options IPFW2" to the kernel config and "IPFW2=TRUE" to /etc/make.conf and rebuild the kernel, ipfw and (I think) libalias... if you want to be sure, the whole world.
The rules are then written like, e.g.
allow ip from source_ip to destination_ip mac destination_mac source_mac
(MAC is either any or in the classic format 01:23:45:67:89:ab)
But I'm not sure it really works, because I don't use it. Unfortunately neither ipf nor pf (in FreeBSD 5) support filtering by MAC. As for ARP, the syntax is "arp -S IP MAC", which hard-codes an entry for the given IP into the ARP table; after that, machines with the same IP and a different MAC won't be able to receive packets from outside. I haven't tried it with DHCP.
Details in ipfw(8) and arp(8) respectively.

Post subject: RE: IP vs MAC filtering
Posted: 23.06.2004 - 14:02 #9818
Basic
Joined: Feb 18, 2003
Posts: 252
Location: Zvolen

And again...
So far I had the impression that in "pure" iptables something like checking IP and MAC on one line can't be done and that you need to use something from the patch-o-matic modules...
I haven't seen such syntax (i.e. the possibility of such a notation, as 'si' gave) in any how-to, tutorial or man page...

Post subject: RE: IP vs MAC filtering
Posted: 23.06.2004 - 15:37 #9821
Majster
Joined: Jan 12, 2003
Posts: 4250
Location: /dev/null

face: well, I don't know, but I've just looked to be sure, and it's mentioned in "man iptables" too:
[MATCH EXTENSIONS ... ( -m)
...
mac
--mac-source [!] address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.]
What more could you want? (And it's not a matter of new iptables, I've been using it for a looong time.)

Post subject: RE: IP vs MAC filtering
Posted: 23.06.2004 - 17:06 #9825
Basic
Joined: Feb 18, 2003
Posts: 252
Location: Zvolen

2si: now it's clear to me...
I just interpreted it as: only one match can be on one line [-s IP | -d IP | -m MAC]...

Post subject: RE: IP vs MAC filtering
Posted: 23.06.2004 - 17:22 #9826
Majster
Joined: Jan 12, 2003
Posts: 4250
Location: /dev/null

face: you always have several; it's just that when you don't give -s or -d, 0/0 (i.e. any) is filled in for you.
And it's the same when you specify some port: there you also have 2 things at once, you have to specify the protocol (tcp, udp) and the port number.

Post subject: RE: IP vs MAC filtering
Posted: 23.06.2004 - 17:39 #9830
Basic
Joined: Feb 18, 2003
Posts: 252
Location: Zvolen

Sure, once again I'll die a bit wiser...

Post subject: RE: IP vs MAC filtering
Posted: 28.09.2004 - 01:28 #11992
Guru
Joined: Jan 30, 2003
Posts: 1572

So once again I had a bit of time, so using the information I got here I set about building an automatic script, and here is the result.
This little script reads the values from /etc/dhcpd.conf,
where they are in this format:
host janko { hardware ethernet 00:06:4f:05:68:3d; fixed-address 10.203.6.42; }
and then creates the 3 above-mentioned rules for each user.
#!/bin/bash
# IP vs MAC filter
# v. 1.0 kiwi
# Takes every one-line "host X { hardware ethernet MAC; fixed-address IP; }" entry
# from dhcpd.conf; field 6 is "MAC;" and field 8 is "IP;", so each row becomes "MAC;IP;".
DHCPLIST=$(grep fixed-address /etc/dhcpd.conf | awk '{print $6 $8}')
for ONEROW in $DHCPLIST; do
    MAC=$(echo "$ONEROW" | cut -f1 -d\;)
    IP=$(echo "$ONEROW" | cut -f2 -d\;)
    # drop the IP when it does not come from its registered MAC
    # (newer iptables prefer the negation before the option: ! --mac-source)
    /sbin/iptables -A FORWARD -s "$IP" -m mac --mac-source ! "$MAC" -j DROP
    # accept the IP from its registered MAC, and the traffic back to it
    /sbin/iptables -A FORWARD -s "$IP" -m mac --mac-source "$MAC" -j ACCEPT
    /sbin/iptables -A FORWARD -d "$IP" -j ACCEPT
done
But I have a problem: when several MACs are assigned one IP (the guy has both a PC and a notebook, and wants one or the other to work whenever he plugs it in), then neither of them works, because the intersection of the conditions is empty. How would you solve that?
Another thing is that this works if the router is an end router, i.e. it has only two interfaces, one uplink and one into the apartment block,
but if there were another card in it with an AP on it, then everyone behind that AP would obviously be blocked. I have a vague idea that I would have to allow their IPs in connection with the MAC address of the router they are under, or am I wrong?

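The following is an added example written for this edit; it is neither kiwi's script nor 'si''s rules. It builds the same kind of FORWARD rules from /etc/dhcpd.conf as the script above, but covers both questions in that post: several MACs sharing one IP are handled with one user-defined chain per IP that RETURNs for every permitted source MAC and DROPs everything else (so the conditions no longer have to hold on a single rule line), and segments behind an AP or a second router are listed as a subnet plus that router's MAC, since at this router their frames carry the downstream router's MAC, which is the point of 'si''s "check the MAC on the nearest upstream router". The chain uses RETURN rather than ACCEPT so the result is the same under both policies 'si' describes. The names LAN_IF, SEGMENTS, DHCPD_CONF, IPTABLES and the ipmac_ chain prefix are assumptions made for the example; with IPTABLES unset the script only prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not the original poster's script): IP<->MAC anti-spoofing
# rules generated from dhcpd.conf, allowing several MACs per IP and whole
# segments reached through a downstream router or AP.
#
# Assumptions (not from the thread): LAN_IF is the customer-facing interface,
# SEGMENTS holds "subnet/prefix router-mac" lines for segments behind another
# router, and IPTABLES defaults to "echo iptables" so the script is a dry run.
CONF="${DHCPD_CONF:-/etc/dhcpd.conf}"
LAN_IF="${LAN_IF:-eth1}"
SEGMENTS="${SEGMENTS:-}"
IPTABLES="${IPTABLES:-echo iptables}"

# bindings FILE: print "IP MAC" for every host block that has both
# "hardware ethernet" and "fixed-address". The file is joined into one line and
# split on '}' so host blocks spanning several lines work, not only the
# one-line form shown in the post. MACs are lower-cased for stable comparison.
bindings() {
    tr '\n' ' ' < "$1" | tr '}' '\n' |
    awk '/hardware ethernet/ && /fixed-address/ {
            mac = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "ethernet")      mac = $(i + 1)
                if ($i == "fixed-address") ip  = $(i + 1)
            }
            sub(/;$/, "", mac); sub(/;$/, "", ip)
            if (mac != "" && ip != "") print ip, tolower(mac)
        }'
}

# grouped FILE: one line per IP (or segment) followed by every MAC allowed to
# use it; SEGMENTS entries are merged in. Sorted so the output is deterministic.
grouped() {
    { bindings "$1"; printf '%s\n' "$SEGMENTS"; } | sort -u |
    awk 'NF >= 2 { macs[$1] = macs[$1] " " $2 }
         END { for (ip in macs) print ip macs[ip] }' | sort
}

# chain_name IP: iptables chain names are limited to 28 characters, so derive
# a short unique name from the address (dots and slashes become underscores).
chain_name() {
    printf 'ipmac_%s\n' "$(printf '%s' "$1" | tr './' '__')"
}

# emit_rules FILE: per IP, one chain that RETURNs for each permitted source MAC
# and DROPs anything else; FORWARD jumps into it for that source address on the
# LAN interface. RETURN (not ACCEPT) means the chain only settles the spoofing
# question and the rest of the ruleset, and the FORWARD policy, still apply.
emit_rules() {
    grouped "$1" | while read -r ip macs; do
        chain=$(chain_name "$ip")
        $IPTABLES -N "$chain"
        for mac in $macs; do
            $IPTABLES -A "$chain" -m mac --mac-source "$mac" -j RETURN
        done
        $IPTABLES -A "$chain" -j DROP
        $IPTABLES -A FORWARD -i "$LAN_IF" -s "$ip" -j "$chain"
    done
}

# Only act when the configuration exists, so that sourcing this file for its
# functions has no side effects.
if [ -r "$CONF" ]; then
    emit_rules "$CONF"
fi
```

To load the rules for real, run it as root with IPTABLES=/sbin/iptables and the right LAN_IF, then verify with `iptables -S FORWARD` and `iptables -L ipmac_10_203_6_42 -v -n`: the packet counter on the chain's DROP line should move as soon as a host uses a neighbour's IP, while a registered MAC hits a RETURN line. Under a default DROP policy the per-IP ACCEPT rules (or a blanket `-s`/`-d` ACCEPT for the checked range) still have to follow the jump, exactly as in 'si''s second variant; the chains only reject spoofed sources, they do not grant anything.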
Post subject: RE: IP vs MAC filtering
Posted: 28.09.2004 - 08:01 #11994
Basic
Joined: Feb 18, 2003
Posts: 252
Location: Zvolen

kiwi: 'si' wrote in his post of 12.1.2003, I quote: 'Don't forget that you must _always_ check the MAC on the nearest upstream router to the customer!!!'
On the 'higher' router the packets will of course carry the MAC of the router that has the clients under it... at least that's what I observed in iptraf...

Post subject: RE: IP vs MAC filtering
Posted: 28.09.2004 - 09:08 #11995
Guru
Joined: Jan 30, 2003
Posts: 1572

Yes, I noticed that too, but I wanted to be sure.
Now I'd be interested in a practical solution for how to do it so that those packets are not dropped.