Koozali.org: home of the SME Server

Block internal mac address to my server

d_loayza
Block internal mac address to my server
« on: May 24, 2010, 06:40:00 PM »
I want to block an internal client via MAC address. I followed the FAQ tutorial and it doesn't work.

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
pico -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
/sbin/iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP

expand and restart

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart

Any help?

Thanks in advance.

PS: Excuse my English, it is not so good.

Stefano
Re: Block internal mac address to my server
« Reply #1 on: May 24, 2010, 10:32:49 PM »
Hi,

You should tell us what's going wrong and/or whether you have any error in /var/log/message.

Finally, you could tell us what the problem is that you are trying to solve, not the way you are using to achieve the result.

d_loayza
Re: Block internal mac address to my server
« Reply #2 on: May 25, 2010, 03:41:27 AM »
I have this situation:
          IP: 192.168.1.x
                 CPU --------> SME Server ---------> Internet
                (LAN)
  MAC 00:01:6C:D9:9C:54
 
I want to block the CPU using the MAC address (not the IP).
I followed the instructions in the FAQ (Firewall section) with some variations:

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/

pico -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
/sbin/iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

/etc/init.d/masq restart

I used the command iptables --list and I see my modification in the rules.

Chain INPUT (policy DROP)
target     prot opt source               destination         
state_chk  all  --  anywhere             anywhere           
local_chk  all  --  anywhere             anywhere           
PPPconn    all  --  anywhere             anywhere           
denylog    all  --  BASE-ADDRESS.MCAST.NET/4  anywhere           
denylog    all  --  anywhere             BASE-ADDRESS.MCAST.NET/4
DROP       all  --  anywhere             anywhere            MAC 00:01:6C:D9:9C:54
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
InboundICMP  icmp --  anywhere             anywhere           
denylog    icmp --  anywhere             anywhere           
InboundTCP  tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN
denylog    tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN
InboundUDP  udp  --  anywhere             anywhere           
denylog    udp  --  anywhere             anywhere           
ACCEPT     udp  --  anywhere             anywhere            udp spts:bootps:bootpc
gre-in     gre  --  anywhere             anywhere           
denylog    gre  --  anywhere             anywhere           
denylog    all  --  anywhere             anywhere

But the CPU continues connecting to the SME Server: it can see the ibays, can browse the Internet, etc.

What I am doing wrong?

Thanks in advance

Daniel Loayza

janet
Re: Block internal mac address to my server
« Reply #3 on: May 25, 2010, 04:12:24 AM »
d_loayza

The simplest approach would be to manually configure the CPU network settings to be on a different workgroup and point at a non existent gateway IP address, but you do not describe fully what access that host is supposed to have, so this may or may not be suitable.

Alternatively.....

Quote
...the CPU continues connecting to the SME Server, can see the ibays, can navigate to Internet, etc.

You are talking about blocking access to local shares and blocking access to Internet, which are quite different requirements.

To block access to shares based on logged in User rather than the mac address, you create Groups and make the ibays owned by those groups. Then you add Users as members of the Groups based on which ibays they are allowed to access or not. Please read the manual and see this thread.
http://forums.contribs.org/index.php/topic,45970.msg224618.html#msg224618

Re blocking Internet access, you are trying to block access from an internal host on your LAN.
Packets from the internal host do not go via the firewall, so setting up an iptables (masq/firewall) rule will do nothing.

You can achieve this as follows.
Add the CPU hostname to the Hostnames and Addresses panel in server manager, quoting the mac address of the NIC, and the required IP. This will force DHCP to always issue the same specified IP address to that host.
Then install Dansguardian and configure it to block access to that IP (therefore mac address). See the wiki contrib article for further details.
 
« Last Edit: May 25, 2010, 04:37:13 AM by mary »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

CharlieBrady
Re: Block internal mac address to my server
« Reply #4 on: May 25, 2010, 02:27:35 PM »
What I am doing wrong?

You have your block rule after the packets have already been accepted via the "local_chk" rule.

piran
Re: Block internal mac address to my server
« Reply #5 on: May 25, 2010, 11:19:42 PM »
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
pico -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff

Look at what is in this directory...
/etc/e-smith/templates/etc/rc.d/init.d/masq
...that 40DenyRiffRaff template fragment fits into the above order.
I'm guessing but look at the 10xxx and the 20xxx fragments...
rename your 40DenyRiffRaff as 10DenyMAC or maybe 21DenyMAC
(then expand the template and restart masquerading)
If it does not work just delete the fragment, expand, restart.
Good luck;~)
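An added example, not from the thread and not SME Server's own template code, that applies both points made above: Charlie's (the DROP is appended behind local_chk, which has already accepted the packet) and piran's (the fragment's name decides where in the masq script it lands). It assumes netfilter's default INPUT and FORWARD chains, uses -I to insert at the head of the chain instead of -A to append, and writes the fragment to a directory and name you supply; the MAC address, directory and fragment name are placeholders.

```shell
#!/bin/sh
# Added example (not SME Server's own code): produce a masq template fragment that
# blocks one LAN host by MAC address ahead of any accept rule such as local_chk.
# Assumptions (not from the thread): default netfilter chain names INPUT/FORWARD;
# the fragment directory and name are chosen by the caller.

# Validate a MAC address (six hex octets separated by ':') and print it upper-case.
# Returns 1 on malformed input so a broken fragment is never written.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    case "$mac" in
        [0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F])
            printf '%s\n' "$mac" ;;
        *) return 1 ;;
    esac
}

# Print the rules. "-I <chain> 1" inserts at position 1, i.e. before local_chk,
# which is what "-A" in the thread failed to do. INPUT covers traffic to the
# server itself (shares, server-manager); FORWARD covers traffic the gateway
# routes or masquerades to the Internet. "-m mac" only matches on inbound paths.
mac_block_rules() {
    mac=$(normalize_mac "$1") || return 1
    printf '/sbin/iptables -I INPUT 1 -m mac --mac-source %s -j DROP\n' "$mac"
    printf '/sbin/iptables -I FORWARD 1 -m mac --mac-source %s -j DROP\n' "$mac"
}

# Write the fragment. The name is the caller's choice: pick one that sorts after
# whichever fragment creates/flushes the chains but before the ones that accept
# LAN traffic (compare with the numbered fragments in the stock template directory).
write_fragment() {
    dir=$1; name=$2; mac=$3
    mkdir -p "$dir" || return 1
    mac_block_rules "$mac" > "$dir/$name" || { rm -f "$dir/$name"; return 1; }
    printf '%s\n' "$dir/$name"
}

# Usage (paths are placeholders):
# write_fragment /etc/e-smith/templates-custom/etc/rc.d/init.d/masq 10DenyMAC 00:01:6C:D9:9C:54
# then expand the template and restart masq as in the thread.
```

Two caveats a practitioner will want. First, inserting at position 1 only helps if the fragment executes after the chain has been created and flushed by the masq script, so the fragment's sort position still matters; look at the stock fragments in /etc/e-smith/templates/etc/rc.d/init.d/masq before picking the name. Second, a head-of-chain DROP on INPUT also discards the host's DHCP requests, which here is the intent (the OP wants the station cut off from the server entirely); if you only want to cut Internet access, keep the FORWARD rule alone.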

janet
Re: Block internal mac address to my server
« Reply #6 on: May 26, 2010, 12:50:44 AM »
d_loayza, Charlie & piran

Am I misunderstanding something here ?
It appears that d_loayza wants to block access from a LAN client to SME server shares & the Internet, not block access from the Internet to the SME server.
Firewall code will not achieve that AFAIK.

Quote
...I want block an internal client via mac address...
Quote
...I want block the CPU  using the MAC ADDRESS (not IP)
Quote
...I have this situation:
          IP: 192.168.1.x
                 CPU --------> SME Server ---------> Internet
                (LAN)
  MAC 00:01:6C:D9:9C:54

and after creating a firewall rule (albeit not a strictly correct rule)...
Quote
...But, the CPU continue connecting to the SME Server, can see the Ibays, can navigate to Internet, etc.

Isn't this a local access issue needing the likes of Group access control, forced DHCP IP allocation based on mac address, and Dansguardian web access control or similar eg squidguard or maybe even ACL rules ?

piran
Re: Block internal mac address to my server
« Reply #7 on: May 26, 2010, 02:03:41 AM »
Quote
d_loayza, Charlie & piran
Am I misunderstanding something here ?

Not sure any of us clearly understand quite what the OP wants or needs.
The given clues are a bit ambiguous. Hopefully the suggestions will
promote some clarity.

d_loayza
Re: Block internal mac address to my server
« Reply #8 on: May 26, 2010, 02:52:34 AM »
With the Google language tools I will try to clarify the situation.

My problem is this: I have configured my SME Server as a gateway, with squid, dansguardian and sarg, and it is running smoothly.

In dansguardian's "exceptioniplist" file I have some IPs for users on the network that have free Internet access. However, I have some "smart" kids on the network who modify the properties of the NIC on the station (local client or local CPU) and set any free IP, bypassing dansguardian's restrictions.

My intention is to punish and scare these kids: completely block access to the server by their MAC address.

How can I do this?

Thanks in advance.

Daniel Loayza

janet
Re: Block internal mac address to my server
« Reply #9 on: May 26, 2010, 03:20:52 AM »
d_loayza

Yes you can achieve blocking of Internet access based on mac address.
You have to configure your system appropriately.
Please reread my previous answer which, slightly rewritten, says:

Add the workstation hostname (eg station15) to the Hostnames and Addresses panel in server manager, quoting the mac address of the workstation NIC, and the required IP eg 192.168.1.15.
This will force the SME servers DHCP server to always issue the same specified IP address to that workstation (that has that unchangeable mac address, assuming the NIC is not physically changed).

You should apply this to all workstations on your network.
Then, for any workstations that are allowed to have any access to the Internet, add these "auto allocated fixed" workstation IPs to the exceptioniplist file.
Normal Dansguardian filtering rules will still apply even to allowed IPs. You could make these DG rules more strict, i.e. decrease the naughtiness score and add more restricted site lists, block many file types, etc. Have a good read of the wiki article again and review all the configuration files, as there are useful tips at the start of each file. You could even set up Filter Groups so you can be more strict with some users and less strict with other users based on logged in user name.

You need to take the approach in Dansguardian to "block everything", and only allow specific workstation IP's to have access.
Even if clever users can still change the workstation IP, this should prevent them gaining access as any "free" IP they use are not allowed access.

Furthermore, you should also ideally enable Group Policies using gpedit.msc (when logged in as Administrator on the workstation), or by using centrally administered security policies (poledit etc), and restrict the workstations users ability to make these fundamental changes to workstation network settings etc.
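Janet's approach depends on every workstation keeping its DHCP-reserved IP, and the OP's complaint is precisely that some do not. The following is an added example (not part of the thread, and not SME Server or Dansguardian code) that reads a reservations list and the neighbour table in the layout printed by `arp -n` on Linux, and reports every MAC whose current IP differs from its reservation, plus MACs with no reservation at all. The reservation file format, the sample data and the check_sample wrapper are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: find LAN hosts whose current IP does not
# match the address reserved for their MAC, i.e. stations that changed their IP
# by hand to dodge the Dansguardian exceptioniplist.
# Assumed inputs (not from the thread): a reservations list with "MAC IP" per
# line, and the neighbour table as printed by `arp -n` on Linux.

# Constructed sample data, not real network output.
RESERVATIONS='00:01:6C:D9:9C:54 192.168.1.15
00:0C:29:4A:11:02 192.168.1.16
# comment lines and blank lines are ignored

00:16:3E:7B:22:AA 192.168.1.17'

ARP_TABLE='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.77             ether   00:01:6c:d9:9c:54   C                     eth0
192.168.1.16             ether   00:0c:29:4a:11:02   C                     eth0
192.168.1.200            ether   00:aa:bb:cc:dd:ee   C                     eth0'

# Print "MAC reserved_ip actual_ip" for each host that moved off its reservation
# and "MAC - actual_ip" for a MAC with no reservation at all (an unknown device).
# Hosts that are reserved but not currently in the table produce no output.
find_mismatches() {
    reservations=$1; arp_table=$2
    printf '%s\n' "$reservations" "===" "$arp_table" | awk '
        /^===$/ { in_arp = 1; next }
        # Reservation section: skip comments/blank lines, key on lower-cased MAC
        # because MAC addresses compare case-insensitively.
        !in_arp { if ($0 ~ /^[ \t]*#/ || NF == 0) next; res[tolower($1)] = $2; next }
        # arp -n section: only rows with an ethernet hardware address.
        in_arp && $2 == "ether" {
            mac = tolower($3); ip = $1
            if (!(mac in res))       print mac, "-", ip
            else if (res[mac] != ip) print mac, res[mac], ip
        }'
}

# Convenience wrapper over the constructed data.
check_sample() { find_mismatches "$RESERVATIONS" "$ARP_TABLE"; }

# Usage on a real gateway (paths are placeholders):
# find_mismatches "$(cat /path/to/reservations)" "$(arp -n)"
```

A hit on the first form is a station that changed its IP by hand; with Dansguardian set to block everything except the reserved IPs, as janet describes, that station loses Internet access rather than gaining it, but the report still tells you which MAC did it. As Charlie notes, a user with admin rights on the workstation can spoof the MAC as well, which this check cannot see.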

CharlieBrady
Re: Block internal mac address to my server
« Reply #10 on: May 26, 2010, 04:34:16 AM »
Quote
It appears that d_loayza wants to block access from a LAN client to SME server shares & the Internet, not block access from the Internet to the SME server.
Firewall code will not achieve that AFAIK.

iptables firewall rules can achieve that. The correct rules need to be formulated, and put into the correct place.

CharlieBrady
Re: Block internal mac address to my server
« Reply #11 on: May 26, 2010, 04:37:47 AM »
Quote
My intention is to punish and scare these kids: completely block access to the server by their MAC address.

If the kiddies are clever enough, and have admin access to the workstation, they can change the MAC address.

Stefano
Re: Block internal mac address to my server
« Reply #12 on: May 26, 2010, 07:19:03 AM »
Join the PC concerned to SME's domain: every user will be a simple user (not administrator) and won't be able to change anything.

d_loayza
Re: Block internal mac address to my server
« Reply #13 on: May 27, 2010, 03:14:08 AM »
CharlieBrady said:
Quote
iptables firewall rules can achieve that. The correct rules need to be formulated, and put into the correct place.
Could you help me with this?

Quote
If the kiddies are clever enough, and have admin access to the workstation, they can change the MAC address.
You're right, but it's a little harder and some BIOSes do not support it.

Stefano said:
Quote
join the interested pc to SME's domain: every user will be a simple user (not administrator) and won't be able to change anything
You're right, but if he logs in as a local administrator and not as a domain administrator, he can then continue to modify the NIC settings.

What happens is that I do not administer the network, someone else does; I was hired to set up a firewall to monitor Internet use in the company. Since some cheap routers have this function, not being able to configure it with my amazing Linux firewall shames me. :-)

If you help me solve this, I would be very grateful

Daniel Loayza

PS: Mary, I have not tried your solution; I hope to do so tomorrow.

CharlieBrady
Re: Block internal mac address to my server
« Reply #14 on: May 27, 2010, 03:42:27 AM »
Quote
If you help me solve this, I would be very grateful

I've already told you what you are doing wrong.