Restricted Internet Access
Satanic Atheist
07-25-2002, 07:54 AM
Simple problem but with a twist. I know that normally I can simply filter out machines that I do not want to have access to the Internet in any way, shape or form. At the moment, I use DHCP to configure the network with a Linux box acting as a router, gateway and bridge across two ethernet segments. This is all working fine. I use IPChains as a Firewall. Now, if I REALLY don't want someone to access the Internet, I could just reconfigure the Firewall, but that will only allow me to filter by IP address. If they manually change their IP address to one that IS allowed Internet access, the Firewall wouldn't know the difference and they would be allowed through.
Since the "other persons" own the machines that they are using, I cannot have administration authority over them, only my own machines and the Server.
What I really need to find is a way of authenticating an IP address with their Ethernet address (the only thing that's fixed) to make sure that they don't take the IP address of a machine that has legitimate access.
Alternatively, I could set up a domain restriction policy on their account (Samba is running as a PDC) but the information on how to do this is scant.
Does anyone have any ideas?
James
jumpedintothefire
07-25-2002, 10:09 PM
----quote---
What I really need to find is a way of authenticating an IP address with their Ethernet address (the only thing that's fixed) to make sure that they don't take the IP address of a machine that has legitimate access.
------------
iptables does that....
----quote----
I use DHCP to configure the network
---------------
You could use the macaddr variable to 'fix' the IP to a known MAC address. Then write the rules for those known IPs, and block the rest.
---quote----
If they manually change their IP address to one that IS allowed Internet access, the Firewall wouldn't know the difference and they would be allowed through.
--------------
That will only work if the allowed ip is not active on the network, or all sorts of weird will start to happen..
Is that likely to happen?? Is someone going to chance disabling one of the bigwig's laptops that has an allowed IP?? Set a policy down that requires the use of DHCP. Those who try to take over an IP risk disrupting the network, which is a crime.. Grounds for dismissal... Or better yet call it "cyber-terrorism", and call the FEDS.. I'd start to look at iptables if you don't want to make waves....
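One way to carry out jumpedintothefire's suggestion (pin each paying host's IP to its MAC in dhcpd, then let iptables forward only matching MAC+IP pairs and drop the rest), as an added example that is not from the thread. The interface names, MACs and addresses are constructed; the script only prints the dhcpd stanzas and iptables commands, so they can be reviewed before being applied on the router.

```shell
#!/bin/sh
# Constructed allow-list: "MAC IP hostname" per host that pays for the link.
ALLOWED='00:11:22:33:44:55 192.168.1.10 alice
00:11:22:33:44:66 192.168.1.11 bob'
LAN=eth1   # assumed interface facing the flat's LAN
WAN=eth0   # assumed interface facing the broadband modem

# dhcpd.conf host stanzas: the server always hands these MACs the same IP,
# so the allowed IP and MAC stay paired on the wire.
gen_dhcp_hosts() {
    echo "$ALLOWED" | while read -r mac ip name; do
        [ -n "$mac" ] || continue
        printf 'host %s { hardware ethernet %s; fixed-address %s; }\n' \
            "$name" "$mac" "$ip"
    done
}

# iptables commands: forward LAN->WAN only when source IP *and* source MAC
# match an allowed pair. Note a MAC can be changed on the client as well,
# so this raises the bar rather than authenticates; the LOG rule makes
# address-squatting attempts visible in the kernel log.
gen_fw_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Return traffic for flows the allowed hosts opened.
    echo "iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$ALLOWED" | while read -r mac ip name; do
        [ -n "$mac" ] || continue
        echo "iptables -A FORWARD -i $LAN -o $WAN -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
    # Everything else from the LAN: rate-limited log entry, then drop.
    echo "iptables -A FORWARD -i $LAN -o $WAN -m limit --limit 6/min -j LOG --log-prefix 'FWD-DENIED: '"
    echo "iptables -A FORWARD -i $LAN -o $WAN -j DROP"
}

# Usage: ./pin-hosts.sh dhcp  >> /etc/dhcpd.conf   (then restart dhcpd)
#        ./pin-hosts.sh fw    | sh                 (apply on the router)
case "${1:-}" in
    dhcp) gen_dhcp_hosts ;;
    fw)   gen_fw_rules ;;
esac
```

Internal LAN traffic is untouched because the rules only cover the FORWARD chain between the LAN and WAN interfaces, so file sharing and games between flatmates keep working for everyone.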
kd7kab
07-26-2002, 12:08 AM
Hi, I have been trying to do what you have done, the whole router, Samba PDC and all of that. I was just wondering what distro you were running. I'm running RedHat 7.2 and have been ripping my hair out over a lot of stuff :s. Anyways, thanks a lot in advance for any help:)
Kd7
Satanic Atheist
07-31-2002, 12:44 PM
OK, I should probably be a little clearer. Essentially what I'm setting up is a small home network for some people in a shared flat here in Scotland. They want to install a network into the house and connect to broadband internet.
The main problem is that there will be one connection for the internet so at least four connections will have to be masqueraded through the server (RedHat 7.1 at the moment). Not a problem. This machine will offer Firewall (IPChains), E-mail, DNS, DHCP and Samba.
Now, if they want to connect to the broadband connection, they will have to pay for it and the total cost will be split between the number of people connecting. If someone doesn't want to pay but still wants to connect to the network (for file sharing and games internally) then that's fine, but what I don't want them to be able to do is get access to the internet. Since it is their machine, I cannot administer and restrict access to it. After all, if they screw it, it's not my problem.
However, the most obvious backdoor is to change their IP address so that it's the same as someone who DOES connect to the Internet whilst their machine is off - essentially bypass the DNS. Free (albeit inconvenient) high-speed Internet access at the expense of other people.
The most obvious alleys for filtering them outside of their IP address are the MAC address or their logon (provided they can't add accounts to the domain server).
I've got some very complete and well-written documentation on IPChains, but not IPTables, so I'll stick with chains for now. If anyone has successfully managed this, or has any ideas (I'll look into binding the MACADDR to an IP for authentication) I'd really appreciate it.
Oh, and if Kd7Kab can get me his e-mail address (or AN e-mail address) then I can send over my configuration files to help set up the PDC and router stuff.
Many Thanks,
James
jumpedintothefire
07-31-2002, 05:31 PM
OK I get the picture....
---quote----
or their logon
-------------
Well you could have the dhcp server NOT hand out the gateway, while using a VPN server to grant access to the internet.
poptop ( http://www.poptop.org/ ) uses windows free built-in vpn client. Yes, there is a linux client ( http://pptpclient.sourceforge.net ) set the firewall to deny all traffic coming from the LAN except for the vpn traffic. Set up the user/pw combos (there is a patch to use smb auth), write rules that allow traffic from the vpn's ppp interfaces only to reach the internet. Make sure that the clients tick the "use gateway on remote" in the advanced setup.
pppoe works in more or less the same fashion.
You could try a pppoe server, but you're on your own there....
OR
move to iptables....
kd7kab
07-31-2002, 08:55 PM
Thanks a lot, Satanic Atheist, my email address is kd7kab@hotmail.com. Thanks again for your help!
kd7
Satanic Atheist
08-01-2002, 07:57 AM
OK, I think it's possible to do it easier than using IPTables. Since the documentation I have on IPChains is so complete I'd like to stick with it for now.
The best (and easiest, although expensive) solution would be to use both subnets on the server (with the third network card as a connection to the Internet) and firewall one of the subnets to not forward anything onto the internet.
If the situation changes and someone wants access who previously didn't, it's a simple case of changing their connection from the hub/switch on one of the subnets to the other and their packets will be forwarded over the subnet that does allow internet access. How's that for a solution?
The only problem I can think of is the DHCP code - their IP address will still be registered to the original subnet and the whole thing gets very messy very quickly. Is it just a simple case of setting a low TTL for the lease? Say an hour? That way every hour the DHCP connection is refreshed and the above solution would work. However, wouldn't this create enormous overhead for the network? I know that UDP DHCP packets are small, but generating them every hour may cause havoc! Any thoughts?
James
jumpedintothefire
08-01-2002, 08:34 AM
2 different subnets might cause you grief with LAN gaming between them.....
You'll need to have 2 hubs.. How secure is the switch/hub location?
Satanic Atheist
08-26-2002, 08:21 AM
Not that secure, but I think it could be made to be secure by simply adding a lock to the server room :-)
Gaming is not a problem since the server is currently forwarding data appropriately and quickly simply by adding a "route" command into the routing database. Although Windows 98 does not support persistent routing, adding a simple batch file to the Startup folder allows me to automatically add the correct routing to the machine.
Currently I am undergoing trials on the accuracy of the routing code and I am quite happy that the machines can talk over the network (this is BNC without a hub) using the server as a router/bridge.
I am capable of running all applications (remote admin, DNS, ping, file transfers (SMB/CIFS) and games) across this link without any interference. In all, it is a great success.
Yes, there are inherent problems with the system of using two ethernet segments and routing between the two, but I hope I can get over them.
Many thanks to all that have helped me with this project, if anyone would like information regarding this setup or a copy of my configuration files (stripped down to the minimum), please send an e-mail to the following e-mail address (replacing 'at' with @ for bot security) and I'll be happy to help.
rjahowells'at'hotmail.com
Again, many thanks,
James
Cadillac84
08-26-2002, 07:19 PM
I find so many people have the same goals as I, and it is very gratifying to visit the forum and find my question already answered.
Good question; helpful answers.
Thanks, all!!
Chuck Moore
CNMoore@Knology.net