Solved

How to only permit a specific hardware address to access the internet?

Posted on 2001-08-27
219 Views
Last Modified: 2013-12-15
I am coming back again :)

  Still on my lovely Linux box, I want only specific MAC addresses (Ethernet addresses) to be able to access our internet service; all others can't. How can I?
  And BTW, all intranet PCs use the DHCP server in our group, and I can't change this configuration. So IP/MAC correspondence is useless here. And I do not want to change the Linux kernel. Is there any tool, just like "arp", that can perform this?
0
Question by:auther_bin
7 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 6428298
I can't think of any easy way to restrict access based on MAC address. If there are only a few nodes that should have access, you might be able to talk the network administrators into giving those nodes a reserved DHCP address. That would cause those nodes to always have the same IP and that you can filter on.
0
 
LVL 1

Author Comment

by:auther_bin
ID: 6428886
Is there any useful tool that can do this, like something that can prevent ARP spoofing?
0
 
LVL 1

Expert Comment

by:940961sl
ID: 6435549
listening...
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6440433
Okay, presumably you have some number of folks that should be able to access the Internet and the rest should not. While there isn't a decent way to restrict Internet access based on MAC addr, you can still accomplish your goal.

First you'll need to configure the DHCP server to give out reserved IPs (static reservation) to those machines used by the 'Internet users'. That way they will always get the same IP and those IPs will never be assigned to other systems by the DHCP server. Then you need to tell the gateway router or firewall, as appropriate, to permit traffic to/from those IPs and to deny Internet traffic to all others. Now that won't keep someone from manually grabbing one of the reserved IPs if the corresponding system is down, but if you are really worried about that you can use arpwatch to look for that happening. It'll tell you the MAC of the offending system and you can go jerk a knot in the offender's neck. And if you really want to get fancy you could write a Perl script that would dynamically modify the router or firewall rules if such an event happened.
0
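As an added example (not code from the thread or from arpwatch), here is the reservation check jlevie describes, done by hand: a DHCP reservation table is compared against a snapshot of the gateway's ARP table, and any reserved IP currently answered by a different MAC is reported. Both the reservation list and the `arp -n` style snapshot are constructed sample data with hypothetical addresses; a real deployment would feed in the gateway's live ARP table.

```shell
#!/bin/sh
# Added example: report reserved IPs that are currently answered by a MAC
# other than the one reserved for them (the condition arpwatch would flag).

# Constructed sample reservation table, "IP MAC" per line (hypothetical).
RESERVATIONS='192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:66
192.168.1.12 00:11:22:33:44:77'

# Constructed sample ARP snapshot in "arp -n" layout (hypothetical).
# 192.168.1.11 is being answered by a MAC that is not the reserved one;
# 192.168.1.12 is absent, i.e. that host is simply down.
ARP_SNAPSHOT='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.10             ether   00:11:22:33:44:55   C                     eth0
192.168.1.11             ether   de:ad:be:ef:00:01   C                     eth0
192.168.1.20             ether   00:11:22:33:44:99   C                     eth0'

# check_reservations RESERVATIONS ARP_SNAPSHOT
# Prints one line per conflict: "<ip> expected <mac> seen <mac>".
# Prints nothing when every reserved IP present in the ARP table is owned
# by its reserved MAC. Reserved IPs missing from the table are not
# conflicts (nobody is using the address).
check_reservations() {
    printf '%s\n' "$1" | awk -v snapshot="$2" '
        BEGIN {
            # Load the snapshot into seen[ip] = mac, skipping the header
            # line and normalising MACs to lower case.
            n = split(snapshot, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                if (f[1] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    seen[f[1]] = tolower(f[3])
            }
        }
        # One reservation per input line: compare against the snapshot.
        NF >= 2 {
            ip = $1; mac = tolower($2)
            if ((ip in seen) && seen[ip] != mac)
                printf "%s expected %s seen %s\n", ip, mac, seen[ip]
        }'
}

# count_conflicts RESERVATIONS ARP_SNAPSHOT: number of conflicting entries.
count_conflicts() {
    check_reservations "$1" "$2" | wc -l | tr -d ' '
}

check_reservations "$RESERVATIONS" "$ARP_SNAPSHOT"
```

Run periodically from cron with the live table (`arp -n` or `ip neigh`) substituted for the constructed snapshot, the output is exactly the information needed to decide whether to pull the matching firewall rule, which is what the Perl script idea above would automate.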
 
LVL 1

Expert Comment

by:Zook
ID: 6479462
If "Internet" means "http" (www) only, then you can just force your users to go via a "squid" proxy. Squid then can do password authentication via the browser of the user.

This works well in our company and you don't have to worry about MACs, IPs or users changing computers.

In a Windows network you can even use the Windows password/account for authentication with smb_auth.

cu
Zook
0
 
LVL 5

Accepted Solution

by:
BlackDiamond earned 100 total points
ID: 6483733
If you're running a 2.4 kernel, you can use iptables and set up a rule base like:

# Accept HTTP only from the whitelisted source MAC (the mac match module).
iptables -A INPUT -p tcp --dport 80 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
# Drop HTTP from everyone else (chain names are case-sensitive: INPUT, not input).
iptables -A INPUT -p tcp --dport 80 -j DROP


This will only allow packets coming from source MAC 00:11:22:33:44:55 to connect to port 80 on that machine.  Keep in mind that the MAC address only applies to the local broadcast domain, so if you allow the MAC address of a router (for example), then anything that is connected through that router will have access to the site (since all packets from the router will have the same MAC address).
0
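The rules above protect a service on the Linux box itself (the INPUT chain). As an added example, not from the accepted answer, the script below generalises the same `-m mac --mac-source` match to the case the question actually asks about: a Linux box acting as the gateway, where the FORWARD chain decides which LAN hosts may reach the Internet. It builds a dedicated chain from a whitelist file, rejects malformed entries instead of silently emitting a rule that never matches, logs and drops everyone else, and only hooks LAN-to-WAN forwarding so replies and other directions are untouched. Interface names (`eth0`, `eth1`), the chain name `MACWL` and every MAC are hypothetical; by default the commands are printed rather than executed, and setting `IPT=iptables` applies them for real.

```shell
#!/bin/sh
# Added example: MAC whitelist for forwarded (LAN -> Internet) traffic on a
# Linux gateway. Prints the iptables commands unless IPT points at a real
# iptables binary. Interface names and MACs are hypothetical.

# Constructed whitelist: one MAC per line; '#' comments and blanks allowed.
# "not-a-mac" is included to show that invalid entries are rejected.
WHITELIST='# workstations allowed out to the Internet (hypothetical)
00:11:22:33:44:55
00:11:22:33:44:66
not-a-mac
'

LAN_IF=${LAN_IF:-eth0}     # interface facing the DHCP clients (assumed)
WAN_IF=${WAN_IF:-eth1}     # interface facing the Internet (assumed)
IPT=${IPT:-echo iptables}  # dry-run by default; IPT=iptables to apply

# valid_mac MAC: succeeds only for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# mac_rules WHITELIST_TEXT: emit (or apply) the complete rule set.
mac_rules() {
    # Keep the whitelist in its own chain so it can be flushed and rebuilt
    # without touching the rest of the firewall.
    $IPT -N MACWL
    $IPT -F MACWL
    printf '%s\n' "$1" | while read -r mac _; do
        case $mac in ''|'#'*) continue ;; esac
        if valid_mac "$mac"; then
            $IPT -A MACWL -m mac --mac-source "$mac" -j ACCEPT
        else
            printf 'skipping invalid MAC entry: %s\n' "$mac" >&2
        fi
    done
    # Everyone not on the list: rate-limited log line, then drop. The log
    # shows which MAC tried, which is what you need to spot the odd host.
    $IPT -A MACWL -m limit --limit 5/min -j LOG --log-prefix MACWL-drop:
    $IPT -A MACWL -j DROP
    # Only LAN -> WAN forwarding is subject to the whitelist. The MAC seen
    # here is the LAN host's own, because the gateway is on the same
    # broadcast domain; behind another router it would be that router's.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j MACWL
}

# count_accept_rules WHITELIST_TEXT: how many whitelist entries became rules.
count_accept_rules() {
    mac_rules "$1" 2>/dev/null | grep -c -- '--mac-source'
}

mac_rules "$WHITELIST"
```

Because the rules are keyed on the source MAC rather than the IP, a host that manually grabs a reserved address still does not get out unless its MAC is on the list, which is the gap in the pure IP-based approach; the caveat from the accepted answer still applies, since a whitelisted MAC can be cloned on the same segment, so the log line and an ARP-table check remain worthwhile.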
 
LVL 1

Author Comment

by:auther_bin
ID: 6491499
I know about this, but is there some other tool to work together with it?
0