Solved

How to only permit specifical Hardware address to access internet?

Posted on 2001-08-27
7
212 Views
Last Modified: 2013-12-15
I am comming back again :)

  Still on my lovely Linux box, I want to only specifical MAC address (Ethernet address) can access our internet service, All others can't. How can I?
  And BTW, all intranet PC is use DHCP server in our Group, and I can't change this configuration. So IP/MAC correspond is unusefull here. And I do not want to change the linux kernel, Is here any tools just like "arp" Can perform this.
0
Comment
Question by:auther_bin
7 Comments
 
LVL 40

Expert Comment

by:jlevie
Comment Utility
I can't think of any easy way to restrict access based on MAC address. If there are only a few nodes that should have access, you might be able to talk the network administrators into giving those nodes a reserved DHCP address. That would cause those nodes to always have the same IP and that you can filter on.
0
 
LVL 1

Author Comment

by:auther_bin
Comment Utility
Is here any usefull tools can do this, Like something can prevent arp snoof.
0
 
LVL 1

Expert Comment

by:940961sl
Comment Utility
listening...
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 40

Expert Comment

by:jlevie
Comment Utility
Okay, presumably you have some number of folks that should be able to access the Internet and the rest should not. While there isn't a decent way to restrict Internet access based on MAC addr, you can still accomplish your goal.

First you'll need to configure the DHCP server to give out reserved IP's (static reservation) to those machines used by the 'Internet users'. That way they will always get the same IP and those IP's will never be assigned to other systems by the DHCP server. Then you need to tell the gateway router or firewall, as appropriate, to permit traffic to/from those IP's and to deny Internet traffic to all others. Now that won't keep someone from manually grabbing one of the reserved IP's if the corresponding system is down, but if you are really worried about that you can use arpwatch to look for that happening. It'll tell you the MAC of the offending system and you can go jerk a knot in the offender's neck. And if you really want to get fancy you could write a perl script that would dynamically modify the router or firewall rules if such an event happened.
0
 
LVL 1

Expert Comment

by:Zook
Comment Utility
If "Internet" means "http" (www) only, then you can just force your users to go via a "squid" proxy. Squid then can do a password authentification via the browser of the user.

This works well in our company and you don't have to worry about MACS, IPs or users changing Computers.

In a Windows network you can even use the windows password/account for authentification with smb_auth.

cu
Zook
0
 
LVL 5

Accepted Solution

by:
BlackDiamond earned 100 total points
Comment Utility
If you're running a 2.4 kernel, you can use iptables and set up a rule base like:

iptables -A INPUT -p tcp --dport 80 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
iptables -A input -p tcp --dport 80 -j DROP


This will only allow packets coming from source mac 00:11:22:33:44:55 to connect to port 80 on that machine.  Keep in mind that the mac address only applies to the local broadcast domain, so if you allow the mac address of a router (for example), then anything that is connected through that router will have access to the site (since all packets from the router will have the same mac address).
0
 
LVL 1

Author Comment

by:auther_bin
Comment Utility
I know about this but hereis someother tools to work togeter.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

In this tutorial I will explain how to make squid prevent malwares in five easy steps: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now