  1. #1
    Just Joined!
    Join Date
    Jan 2004
    Posts
    4

    DHCPD and iptables to deny MAC addresses


    I am managing a small apartment complex T3 internet connection and we have a problem with computers that are highly infected with viruses and spyware. I can sniff the network and see broadcasts across the network from certain MAC addresses (always the same people). Right now, I have to manually unplug the apartment port from the system to get them off the network so their broadcasts don't drag down the system. I have a Linux box I can set up for network control but am not routing traffic through the box. What I would like to do is be able to restrict those MAC addresses from having access to the network. Maybe through DHCPD by keeping the MAC address from getting an IP address, or iptables (which I'm very unfamiliar with). I know DHCPD can have fixed IPs assigned but this will not work out because of the frequent changeovers in the apartment complex. It would be an administration nightmare to keep everyone on the net. So how would I set up DHCPD and/or iptables to keep the violating MAC addresses from having network access without having to manually pull the cable from the patch panel? This in itself is too time consuming. I just want to be able to add a MAC address to a "deny" list so they can't get a MAC address from the DHCP server. Also, if I would put them on the deny list for an IP address from the DHCPD, how would I kick the computer off and remove the IP address they are able to use even though the lease hasn't expired? Thanks for any help!

    Dave

  2. #2
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    I would not recommend the dhcpd method - it's simply too unstable. First, as you almost said yourself, you can't remotely revoke an address lease. The protocol simply doesn't support that operation. Second, there's no guarantee at all that the users can't just configure a static IP themselves and bypass your dhcpd setup.
    iptables is in my mind clearly the right way to do this. Providing that you have the "mac" match compiled, just run this for every computer you wish to prohibit:
    Code:
    iptables -A FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
    However, in my mind, shouldn't you rather prohibit this specific kind of behavior instead of shutting down their access altogether? For example, not route any broadcast packets at all, but allow everything else:
    Code:
    iptables -A FORWARD -d 255.255.255.255/32 -j DROP
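
    As an added example (not from the thread) of the "deny list" sdave asked for, built on the FORWARD rule above: a small sh script that reads MACs from an assumed file /etc/mac-denylist, validates them, and renders idempotent iptables commands into a dedicated chain (MACDENY is an assumed name). Like the rule above, it only affects traffic the Linux box actually forwards.

```shell
#!/bin/sh
# Added example: maintain a MAC deny list in its own iptables chain.
# Assumptions (not from the thread): deny list file /etc/mac-denylist, one
# MAC per line, '#' comments allowed; the chain name MACDENY is ours.
DENYLIST="${DENYLIST:-/etc/mac-denylist}"
CHAIN="MACDENY"

# Return 0 if $1 looks like a colon-separated 48-bit MAC (case-insensitive).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Read a deny list file: strip comments/blank lines, normalise to upper case,
# and skip malformed entries (one bad line must not abort the whole run).
read_denylist() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -v '^$' | while read -r mac; do
        if valid_mac "$mac"; then
            printf '%s\n' "$mac" | tr 'a-f' 'A-F'
        else
            printf 'skipping malformed entry: %s\n' "$mac" >&2
        fi
    done
}

# Emit the iptables commands for a deny list (without running them) so they
# can be reviewed; -C checks first so re-runs do not duplicate the jump.
render_rules() {
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$CHAIN" "$CHAIN"
    read_denylist "$1" | while read -r mac; do
        printf 'iptables -A %s -m mac --mac-source %s -j DROP\n' "$CHAIN" "$mac"
    done
    # The jump must sit at the top of FORWARD, ahead of any ACCEPT rule.
    printf 'iptables -C FORWARD -j %s 2>/dev/null || iptables -I FORWARD 1 -j %s\n' "$CHAIN" "$CHAIN"
}

# Apply for real (needs root); piping the rendered text keeps one code path.
apply_rules() { render_rules "$1" | sh; }

if [ "${1:-}" = "apply" ]; then
    apply_rules "${2:-$DENYLIST}"
fi
```

Run it without arguments to print the rules for review, or with `apply` as root to load them.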

  3. #3
    Linux User
    Join Date
    Jan 2003
    Location
    Cardiff, Wales
    Posts
    478

    firestarter

    First of all, I would use Firestarter to set up the initial iptables, then edit them later. If they are running Windows boxes and they are infected with Blaster-style worms then a simple Linux firewall should protect them. I run one at home and my Win box never got infected. I just use the standard "share this connection" wizard from Firestarter. Did have to enable IP forwarding in a config file somewhere though.

    I believe that it is possible to provide a bandwidth throttling facility as well. It might also be worth setting up some kind of log report so that users become aware of the problems their PC is causing, since one PC on that kind of internet connection could re-infect thousands of other Win users.
    No trees were harmed during the creation of this message. It's made from a blend of elephant tusk and dolphin meat.

  4. #4
    Just Joined!
    Join Date
    Jan 2004
    Posts
    4
    Well, first of all, the students are notified of the problem with their computer. I am not really worried about them statically defining IP addresses to get on the network because the people causing the problem are mostly computer illiterate. If I do iptables, that means I have to pass the traffic through the Linux box, correct? Well, I can do that, but isn't that just going to stop them from accessing the internet when I drop the packets? They will still be broadcasting to the internal network. This is our system setup: we have a PIX firewall on the system and a few Cisco switches connected to that, and then a lot of dumb switches that connect off the Ciscos that finally are connected to the ports in the apartment. We actually only have 374 nodes. If I had my way, I would have Cisco managed switches to replace all the dumb switches so I could just shut them down at the single port that goes to their apartment with the interface controls Cisco has. Should I make the Linux box route the traffic and just disable the use of NAT on the PIX firewall? I'm just new to Linux and I know people tell me I can have a lot of control over the network with Linux; it's just I don't know how I can place it into the system to restrict these computers from having the network access. We don't have the budget to upgrade all the dumb switches to Cisco right at this time. Like I said, it doesn't have to be highly secure because these students have no idea they are causing a problem and are not trying to sneak it past us. I just need a way to knock them off if they don't listen to our warning that their computer is causing a problem.

  5. #5
    Linux User
    Join Date
    Jan 2003
    Location
    Cardiff, Wales
    Posts
    478

    In a word, yes.

    I would replace the firewall with the Linux box and configure it as discussed to be the firewall router, and it will do the NAT for you. This won't stop internal broadcasts, but then other than "physically removing the cable" or "having the intelligent switch ignore the port" nothing will.

    Basically they will need to go through your Linux box to access any internet stuff. Denying their MAC will prevent them from doing this. But it will not control internal broadcasts.

    Linux does give you a fair amount of network control. But you are talking about changing the way the clients work. Even if you could control their communications on the internal network, the broadcasts will still be sent as far as the first router or switch.

    The main type of control/power people talk about is the open source part. If you don't like the way dhcpd works then you can change it to suit your needs, providing you have the skill and time.
    No trees were harmed during the creation of this message. It's made from a blend of elephant tusk and dolphin meat.

  6. #6
    Just Joined!
    Join Date
    Jan 2004
    Posts
    4
    Thanks so much, you stopped me from having to search all over for a solution. I will try and get the budget given to me for cisco switches but until then, keeping them from using the internet should make them want to get the computer fixed faster so they can use the internet (which is all that the students want to do). I figured what I wanted to do was not possible but I was hoping because I wanted a remote management system. At least I can remotely knock people off the internet access portion now. Thanks again.

    Dave

  7. #7
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    I see what you mean now; I was just being stupid before. Somehow, I had gotten the idea that all clients were physically connected to the Linux box. :P

    Anyway, I believe that there actually is one thing that you could do. The dhcpd solution won't work even if you change the daemon, since the protocol simply doesn't have an operation to make a client drop its lease. However, you might be able to set up all clients to have a PPPoE connection to the Linux box. That way, the client networking code will send all traffic to the Linux box for further routing, and you can block those packages with iptables. I realize that it's a rather ominous task to undertake, though.

    Otherwise, if I were you, I would still do as kpzani says and remove that firewall from the network and use the Linux box instead. Linux doesn't just give you fair control over the network traffic that goes through it, it gives you more or less ultimate control. There's almost nothing that you couldn't do, even without programming.
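
    An added example (not from the thread) of the baseline the Linux box needs once it takes over the PIX's job as router and NAT gateway, as kpzani and the reply above suggest; the interface names, the inside subnet and the MACDENY chain name are assumptions. The point it makes is rule order: the deny chain is consulted before any ACCEPT in FORWARD, otherwise an established-connection rule would let a blocked MAC's existing sessions through.

```shell
#!/bin/sh
# Added example: Linux box as router/NAT gateway with a MAC deny chain that
# is consulted before anything else in FORWARD. Interface names, the inside
# subnet and the chain name are assumptions, not values from the thread.
INSIDE_IF="${INSIDE_IF:-eth1}"            # towards the apartment switches
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"          # towards the T3 / upstream
INSIDE_NET="${INSIDE_NET:-10.0.0.0/16}"   # constructed inside range
DENY_CHAIN="MACDENY"

# Emit the commands in the order they must run; review first, then pipe to sh.
router_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -N $DENY_CHAIN 2>/dev/null || true
iptables -A FORWARD -j $DENY_CHAIN
iptables -A FORWARD -i $INSIDE_IF -d 255.255.255.255/32 -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -s $INSIDE_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $OUTSIDE_IF -s $INSIDE_NET -j MASQUERADE
EOF
}

# Block one more MAC later without reloading everything; -C keeps it idempotent.
deny_mac() {
    printf 'iptables -C %s -m mac --mac-source %s -j DROP 2>/dev/null || iptables -A %s -m mac --mac-source %s -j DROP\n' \
        "$DENY_CHAIN" "$1" "$DENY_CHAIN" "$1"
}

# 1-based position of the deny-chain jump among the FORWARD rules; it must
# be 1 so that no ACCEPT rule is evaluated before the deny list.
deny_jump_position() {
    router_rules | grep '^iptables -A FORWARD' | grep -n -- "-j $DENY_CHAIN" | cut -d: -f1
}

if [ "${1:-}" = "apply" ]; then
    router_rules | sh
fi
```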

  8. #8
    Just Joined!
    Join Date
    Jan 2004
    Posts
    4
    That is the solution I will do. Thanks for the help.

    Dave

  9. #9
    Linux User
    Join Date
    Jan 2003
    Location
    Cardiff, Wales
    Posts
    478

    bandwidth management

    Hi sdave

    While browsing the Linux Documentation Project I found this HOWTO on bandwidth management; it could be good for you.

    http://www.ibiblio.org/pub/Linux/doc...ent-HOWTO.html

    Have fun.
    No trees were harmed during the creation of this message. It's made from a blend of elephant tusk and dolphin meat.
