Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Michael K on August 25, 2001, 08:57:27 PM
-
Hi,
I have an e-smith 4.1.1 server currently giving good service. We have a particular requirement though. We must bind client machines to an IP address, because we account for traffic on a per-IP basis.
There is still a facility I would like to implement:
I have dhcp set to hand out IPs to those that I want to give them to. I get their MAC addr and add an entry to the Hosts list in the e-smith manager, assigning them an IP. This results in a list of hosts in dhcpd.conf, and their required MAC addrs.
It works, if the clients set their machines to use dhcp to get their IP addr, and they use the same NIC every time they use the network. If a host appears on the network, and the MAC addr is not known in dhcpd.conf, it won't hand one out, which is good, but then an "alien" on the network can just choose an IP in the correct subnet, and they have full access to everything, and they are not having their traffic accounted correctly.
What I want to do is use the list of valid IPs in dhcpd.conf to restrict *everything*. That is, if the IP does not appear in dhcpd.conf hosts, then don't allow anything. No routing, no forwarding, nothing!!!
Just a quick hint as to where I should add the rules is all I'll need. I have had a look at hosts.allow, and it just doesn't quite make sense to me, as I am unfamiliar with the format used. I am able to whip up a script to extract what I need from dhcpd.conf.
Cheers,
Michael
-
Not sure if this is the best way but,
If I was to implement this, I might add some ipchains rules to block all unassigned IPs from passing through the firewall. This will not stop access to local hosts.
hosts.allow/deny is generally used by inetd to allow or deny access to the services (i.e. ftpd, smtpd) running on the local machine (e-smith server).
Edward
-
You are going to need to mess with the ipchains rules. Check out the /usr/share/doc/ipchains-1.3.9 dir on your e-smith for HOWTOs.
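Putting Michael's plan (extract the valid IPs from dhcpd.conf) and Edward's suggestion (ipchains rules that stop unassigned IPs from passing through the firewall) together as one script. This is an added example, not code from the thread or from e-smith; the dhcpd.conf fragment is constructed and the chain name knownlan is this example's choice.

```shell
#!/bin/sh
# Added example, not from the thread: turn the fixed-address entries of
# dhcpd.conf into ipchains rules so that only IPs the DHCP server knows
# about are forwarded. The config below is a constructed stand-in for
# /etc/dhcpd.conf, and the script only prints the commands instead of
# running ipchains, so the result can be reviewed before it is applied.

SAMPLE_DHCPD_CONF='
subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;
  host alice { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.1.10; }
  host bob {
    hardware ethernet 00:11:22:33:44:66;
    fixed-address 192.168.1.11;
  }
}
'

# Print every dotted-quad fixed-address, one per line, in file order.
# Entries that use a hostname instead of an address are ignored.
known_hosts() {
  printf '%s\n' "$1" |
    sed -n 's/.*fixed-address[[:space:]]*\([0-9][0-9.]*\)[[:space:]]*;.*/\1/p'
}

# Emit the commands: a user-defined chain "knownlan" (name is this
# example's choice) that RETURNs known addresses to the server's own
# forward rules (masquerading included) and logs and DENYs any other
# LAN source, plus a jump into it at the head of the forward chain.
# Nothing existing is flushed, and re-running replaces the previous jump.
forward_rules() {
  lan="$1"; conf="$2"
  echo "ipchains -N knownlan 2>/dev/null"
  echo "ipchains -F knownlan"
  known_hosts "$conf" | while read ip; do
    echo "ipchains -A knownlan -s $ip/32 -j RETURN"
  done
  echo "ipchains -A knownlan -l -j DENY"
  echo "ipchains -D forward -s $lan -j knownlan 2>/dev/null"
  echo "ipchains -I forward 1 -s $lan -j knownlan"
}

forward_rules 192.168.1.0/24 "$SAMPLE_DHCPD_CONF"
```

As Edward points out, this only governs traffic passing through the server; an unknown machine can still reach other hosts on the LAN directly.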