- 01-21-2007 #1 | Just Joined! | Join Date: Dec 2004 | Location: Oakland, Ca | Posts: 2
Matching MAC addresses to IP numbers
Hi,
I have a network behind a firewall using IP tables and Squid w/squidGuard. I have access tables that only let certain IP numbers outside access and a white list for what everyone else can do. The problem is, a couple of guys think they know something about Windows and change the IP number temporarily to someone's that has full access. We've noticed this when that person gets the error message that his IP number is already being used on the network.
I'm running Fedora 6, and what I would really like to do is be able to match the MAC address to an associated IP address from a table in a file before deciding what to do with the packet.
I know these guys have no idea about what's going on outside of the Windows network interface.
Thanks
Todd
- 01-21-2007 #2
Try iptables and drop ip addresses which don't use the right mac address.
"Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Benedict Torvalds
- 01-21-2007 #3 | Just Joined! | Join Date: Dec 2004 | Location: Oakland, Ca | Posts: 2
Hi framp,
That's exactly what I'd like to do. The problem is I don't know how to implement that. Where do I put the information that associates an IP number to its corresponding MAC address?
Also, how do I tell iptables to use this info and compare the two?
Thanks much
Todd
- 01-21-2007 #4
It's an interesting problem. So I just did some quick tests. I tried
Code:
iptables -I INPUT -i nic0 -s 192.168.0.6 -m mac --mac-source 00:50:fc:a6:f1:06 -j DROP
The two conditions are ANDed, i.e. if the client has 192.168.0.6 AND mac 00:50:fc:a6:f1:06 the condition fires.
So you have to have for every ip/mac pair one ACCEPT rule and finally a DROP rule for everything else. That should work.
"Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Benedict Torvalds
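The rule set framp describes, generated from a file of IP/MAC pairs, as an added example that is not from the thread: each known pair gets a matching rule and everything else from the LAN interface is dropped. Assumptions: the LAN interface is called eth1 (a placeholder; the thread used nic0), the pairs file is a constructed sample, and the per-pair rules use RETURN inside a dedicated chain instead of ACCEPT so that a matching packet still passes through the rest of the INPUT/FORWARD rules rather than being accepted outright.

```shell
#!/bin/sh
# Added example, not the thread's own code. Emits iptables commands as text so
# they can be reviewed before being applied as root on the firewall.

# Constructed sample pairs file: one "ip mac" per line, '#' starts a comment.
PAIRS_FILE="${TMPDIR:-/tmp}/ip_mac_pairs.$$"
cat > "$PAIRS_FILE" <<'EOF'
# ip            mac
192.168.0.6     00:50:fc:a6:f1:06
192.168.0.7     00:11:22:33:44:55
EOF

# gen_rules IFACE FILE -> prints the iptables commands, one per line.
gen_rules() {
    iface="$1"
    file="$2"
    # A dedicated chain can be flushed and rebuilt whenever the file changes.
    echo "iptables -N MACFILTER 2>/dev/null || iptables -F MACFILTER"
    # One rule per ip/mac pair; -s and --mac-source are ANDed, so only a host
    # that presents both the listed IP and the listed MAC gets past this chain.
    grep -v '^[[:space:]]*#' "$file" | awk 'NF == 2 { print $1, $2 }' |
    while read -r ip mac; do
        echo "iptables -A MACFILTER -i $iface -s $ip -m mac --mac-source $mac -j RETURN"
    done
    # Everything else arriving on the LAN interface is dropped: this is what
    # stops a host that borrowed someone else's IP but not their MAC.
    echo "iptables -A MACFILTER -i $iface -j DROP"
    # Hook the chain in front of the existing rules for local and forwarded traffic.
    echo "iptables -I INPUT -i $iface -j MACFILTER"
    echo "iptables -I FORWARD -i $iface -j MACFILTER"
}

# Stand-alone run: print the generated commands for review.
gen_rules eth1 "$PAIRS_FILE"
```

The mac match only sees the MAC of the last hop, so this works for hosts on the directly connected segment, not for traffic that has crossed another router; it also relies on MAC addresses that a determined user can change as easily as an IP, so it raises the bar rather than removing the problem.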