IP vs MAC filtering

Page 1 of 2
kiwi
Post subject: IP vs MAC filtering  PostPosted: 20.06.2004 - 21:51 #9760
I'd like to ask whether any of you use, or rather could publish, a script that would compare an IP with the MAC address of the network card and, if the MAC address does not match the IP, drop those packets.

In other words, when a user with IP x.x.x.x and MAC x-x-x-x-x-x sets his neighbour's IP x.x.x.y, the machine should drop the packets from IP x.x.x.y, because x.x.x.y does not match the MAC x-x-x-x-x-x.
gyro
Post subject: RE: IP vs MAC filtering  PostPosted: 20.06.2004 - 22:29 #9761
If you work with iptables, make a rule on the IP and at the same time on the MAC.
kiwi
Post subject: RE: IP vs MAC filtering  PostPosted: 20.06.2004 - 22:54 #9763
could you please post some example script? with some description as well? thanks
gyro
Post subject: RE: IP vs MAC filtering  PostPosted: 21.06.2004 - 00:21 #9764
iptables -A INPUT -i eth1 -s 192.168.100.100 -m mac --mac-source 00:00:00:00:00:00 -p tcp --dport 135:139 -j DROP

In the INPUT chain, communication over ports 135 to 139 is forbidden for the IP address 192.168.100.100 and at the same time the MAC address 00-00-00-00-00-00. Or rather, do it so that you forbid everything and then allow specifically what you want.
si
Post subject: RE: IP vs MAC filtering  PostPosted: 21.06.2004 - 08:58 #9766
1. Default ACCEPT, but I need to make sure that people don't just change their IP as they please:
/usr/sbin/iptables -A FORWARD -s 1.2.3.4 -m mac --mac-source ! 01:23:45:67:89:AB -j DROP
(INPUT doesn't bother me; they can ping the box and try other nonsense (unless it is handled otherwise), but their packets won't be forwarded any further...)
This is my standard rule on the internal routers of the network.

2. Default DROP:
/usr/sbin/iptables -A FORWARD -s 1.2.3.4 -m mac --mac-source 01:23:45:67:89:AB -j ACCEPT
/usr/sbin/iptables -A FORWARD -d 1.2.3.4 -j ACCEPT
(INPUT again doesn't bother me, for the reasons given above; don't forget that you must have /usr/sbin/iptables -P FORWARD DROP set)
This is the rule used on the network's exit router for IPs that are directly on the segments adjacent to the router.
(For all other addresses the rules are a bit shorter:
/usr/sbin/iptables -A FORWARD -s 1.2.3.4 -j ACCEPT
/usr/sbin/iptables -A FORWARD -d 1.2.3.4 -j ACCEPT )
Don't forget that you must _always_ check the MAC on the router closest upstream of the customer!!!
goose
Post subject: RE: IP vs MAC filtering  PostPosted: 21.06.2004 - 09:58 #9767
to kockac: couldn't you write something similar about how it's done under FreeBSD? .. neither ipf nor ipfw can work with MAC addresses... it only works with ARP entries, but I don't understand writing into ARP... especially when I have DHCP, which rewrites the ARP tables..
kockac
Post subject: RE: IP vs MAC filtering  PostPosted: 21.06.2004 - 11:52 #9770
goose: ipfw can handle it, you just have to additionally put "options IPFW2" into the kernel config and "IPFW2=TRUE" into /etc/make.conf and rebuild the kernel, ipfw and (I think) libalias... if you want to be sure, rebuild world.
The rules are then written like e.g.
allow ip from source_ip to destination_ip mac destination_mac source_mac
(MAC is either any or in the classic format 01:23:45:67:89:ab)

But I'm not sure whether it really works, because I don't use it. Unfortunately neither ipf nor pf (in FreeBSD 5) support filtering by MAC. As for arp, the syntax is "arp -S IP MAC", which hard-codes an entry for that IP into the ARP table; machines with the same IP and a different MAC then won't be able to receive packets from outside. I haven't tried it with DHCP.

Details in ipfw(8) and arp(8).
face
Post subject: RE: IP vs MAC filtering  PostPosted: 23.06.2004 - 14:02 #9818
here we go again...

well, until now I had the impression that in "plain" iptables something like checking IP and MAC on one line can't be done and that you need to use something from the patch-o-matic modules...

I have never seen such syntax (i.e. the possibility of a notation like the one 'si' gave) in any how-to, tutorial or man page...
si
Post subject: RE: IP vs MAC filtering  PostPosted: 23.06.2004 - 15:37 #9821
face: well, I don't know, but I've just checked to be sure, it's also mentioned in "man iptables"
[MATCH EXTENSIONS ... ( -m)
...
mac
--mac-source [!] address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense
for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.]
what more could you want? (and it's not a matter of new iptables, I've been using it for a looooong time :D )
face
Post subject: RE: IP vs MAC filtering  PostPosted: 23.06.2004 - 17:06 #9825
2si: now it's clear to me...
I just understood it as only one match being allowed per line [-s IP | -d IP | -m MAC]...
si
Post subject: RE: IP vs MAC filtering  PostPosted: 23.06.2004 - 17:22 #9826
face: :D you always have several, it's just that when you don't specify -s or -d, 0/0 (i.e. any) is filled in there
and it's similar when you specify some port: there you also have 2 things at once, you have to specify the protocol (tcp, udp) and the port number
face
Post subject: RE: IP vs MAC filtering  PostPosted: 23.06.2004 - 17:39 #9830
well sure, once again I'll die a bit wiser...
kiwi
Post subject: RE: IP vs MAC filtering  PostPosted: 28.09.2004 - 01:28 #11992
so once again I had a bit of time, so using the information I got here I set about making some automatic script, and here is the result

this little script reads the values from /etc/dhcpd.conf

where they are in this format

host janko { hardware ethernet 00:06:4f:05:68:3d; fixed-address 10.203.6.42; }

and then creates the 3 rules mentioned above for each user

#!/bin/bash
# IP vs MAC filter
# v. 1.0 kiwi

# each matching line of /etc/dhcpd.conf looks like
#   host janko { hardware ethernet 00:06:4f:05:68:3d; fixed-address 10.203.6.42; }
# awk splits on whitespace by default, so field 6 is "MAC;" and field 8 is "IP;"
DHCPLIST="$(awk '/fixed-address/ {print $6 $8}' /etc/dhcpd.conf)"

for ONEROW in $DHCPLIST; do
    MAC="$(echo "$ONEROW" | cut -f1 -d';')"
    IP="$(echo "$ONEROW" | cut -f2 -d';')"

    # drop packets claiming this IP from any other MAC, then allow the
    # legitimate MAC/IP pair out and the IP back in (FORWARD policy is DROP)
    /sbin/iptables -A FORWARD -s "$IP" -m mac --mac-source ! "$MAC" -j DROP
    /sbin/iptables -A FORWARD -s "$IP" -m mac --mac-source "$MAC" -j ACCEPT
    /sbin/iptables -A FORWARD -d "$IP" -j ACCEPT
done


but I have a problem: when several MACs are assigned to one IP (a guy has both a PC and a notebook, and wants one or the other to work after plugging it in) then neither of them works, because the intersection of the conditions is empty; how would you solve this?

another thing is that this works if the router is an end router, i.e. it has only two ifaces, one uplink and one into the apartment block

but if there was one more card there with an AP on it, then everyone behind that AP would obviously be blocked; I have a vague feeling that I'd have to allow their IPs in connection with the MAC address of the router they are under, or am I wrong?
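An added example, not code from this thread or from kiwi: a POSIX sh rule generator that covers both si's default-DROP rule set and kiwi's dhcpd.conf-driven script, and addresses the two problems raised in the post above. For several MACs sharing one fixed address it emits one ACCEPT per MAC followed by a single DROP for the IP, instead of the "--mac-source ! MAC" negation, which cannot express "one of several MACs". It also restricts the MAC check with "-i" to the interface where the clients are directly attached, so packets arriving on another interface (such as one holding an AP) are not subjected to it. The interface name eth1, the /sbin/iptables path and the dhcpd.conf lines are assumptions and constructed sample data; the script prints the rules rather than applying them, so it can be inspected first and then piped into sh on the router.

```shell
#!/bin/sh
# Added example (not from the thread): print FORWARD rules that bind each
# fixed DHCP address to one or more MACs. Assumptions: clients hang directly
# off $LAN_IF, FORWARD policy is DROP, iptables lives at $IPTABLES.
LAN_IF="${LAN_IF:-eth1}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Constructed sample in the one-line format kiwi's script reads; "jozo" has
# a PC and a notebook on the same fixed address.
SAMPLE_CONF='
host janko   { hardware ethernet 00:06:4f:05:68:3d; fixed-address 10.203.6.42; }
host jozo-pc { hardware ethernet 00:11:22:33:44:55; fixed-address 10.203.6.43; }
host jozo-nb { hardware ethernet 00:11:22:33:44:66; fixed-address 10.203.6.43; }
'

# Read dhcpd.conf on stdin, print "MAC IP" per host entry (single-line
# entries only, like kiwi's awk; extra spaces/tabs are tolerated).
extract_pairs() {
    sed -n 's/^[[:space:]]*host .*hardware[[:space:]]*ethernet[[:space:]]*\([0-9A-Fa-f:]*\);.*fixed-address[[:space:]]*\([0-9.]*\);.*/\1 \2/p'
}

# Emit the rules for one IP. $1 = IP, remaining args = its MACs.
# Order matters: every legitimate MAC is accepted first, then anything else
# claiming the IP on the client interface is dropped.
rules_for_ip() {
    ip="$1"; shift
    for mac in "$@"; do
        printf '%s -A FORWARD -i %s -s %s -m mac --mac-source %s -j ACCEPT\n' \
            "$IPTABLES" "$LAN_IF" "$ip" "$mac"
    done
    printf '%s -A FORWARD -i %s -s %s -j DROP\n' "$IPTABLES" "$LAN_IF" "$ip"
    printf '%s -A FORWARD -d %s -j ACCEPT\n' "$IPTABLES" "$ip"
}

# Group MACs by IP (keeping first-seen order) and emit the whole rule set.
generate_rules() {
    extract_pairs | awk '
        { macs[$2] = macs[$2] " " $1
          if (!($2 in seen)) { seen[$2] = 1; ips[++n] = $2 } }
        END { for (i = 1; i <= n; i++) print ips[i] macs[ips[i]] }
    ' | while read -r ip maclist; do
        # shellcheck disable=SC2086  # word-splitting the MAC list is intended
        rules_for_ip "$ip" $maclist
    done
}

# Stand-alone run: show the rules for the constructed sample.
printf '%s\n' "$SAMPLE_CONF" | generate_rules
```

Traffic from the AP's segment arrives on a different interface and, as face notes below, carries the AP router's MAC, so it is simply not matched by these rules; that segment needs its own IP-to-MAC rules on the AP router, the router closest to those clients. On the real box run `generate_rules < /etc/dhcpd.conf | sh` after setting the FORWARD policy to DROP.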
face
Post subject: RE: IP vs MAC filtering  PostPosted: 28.09.2004 - 08:01 #11994
kiwi: 'si' wrote in his post from 12.1.2003, I quote: ' Don't forget that you must _always_ check the MAC on the router closest upstream of the customer!!! '

on the 'higher' router the packets will of course carry the MAC of the router that has the clients under it... at least that's what I observed in iptraf...
kiwi
Post subject: RE: IP vs MAC filtering  PostPosted: 28.09.2004 - 09:08 #11995
yeah, I noticed that too, but I wanted to make sure

now I'd be interested in a practical solution :) how to do it so that those packets aren't dropped
Powered by PNphpBB2 © 2003-2005 The PNphpBB Group
(C) SKFree 2002-2010: Powered by POSTNUKE.