Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: d_loayza on May 24, 2010, 06:40:00 PM
-
I want to block an internal client via MAC address. I followed the FAQ tutorial and it doesn't work.
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
pico -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
/sbin/iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
expand and restart
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
Any help?
Thanks in advance.
PS: Excuse my English, it is not so good.
-
hi
you should tell us what's going wrong and/or if you have any error in /var/log/message
finally, you could tell us what's the problem you are trying to solve, not the way you are using to achieve the result
-
I have this situation:
IP: 192.168.1.x
CPU --------> SME Server ---------> Internet
(LAN)
MAC 00:01:6C:D9:9C:54
I want to block the CPU using the MAC address (not IP)
I followed the instructions in the FAQ (Firewall section) with some variations
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
pico -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
/sbin/iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
I used the command iptables --list and I see my modification in the rules.
Chain INPUT (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
PPPconn all -- anywhere anywhere
denylog all -- BASE-ADDRESS.MCAST.NET/4 anywhere
denylog all -- anywhere BASE-ADDRESS.MCAST.NET/4
DROP all -- anywhere anywhere MAC 00:01:6C:D9:9C:54
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
InboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
InboundTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
InboundUDP udp -- anywhere anywhere
denylog udp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc
gre-in gre -- anywhere anywhere
denylog gre -- anywhere anywhere
denylog all -- anywhere anywhere
But the CPU continues connecting to the SME Server, can see the ibays, can browse the Internet, etc.
What am I doing wrong?
Thanks in advance
Daniel Loayza
-
d_loayza
The simplest approach would be to manually configure the CPU network settings to be on a different workgroup and point at a non-existent gateway IP address, but you do not describe fully what access that host is supposed to have, so this may or may not be suitable.
Alternatively.....
...the CPU continue conecting to the SME Server, can see the Ibays, can navigate to Internet, etc.
You are talking about blocking access to local shares and blocking access to Internet, which are quite different requirements.
To block access to shares based on logged in User rather than the mac address, you create Groups and make the ibays owned by those groups. Then you add Users as members of the Groups based on which ibays they are allowed to access or not. Please read the manual and see this thread.
http://forums.contribs.org/index.php/topic,45970.msg224618.html#msg224618
Re blocking Internet access, you are trying to block access from an internal host on your LAN.
Packets from the internal host do not go via the firewall, so setting up an iptables (masq/firewall) rule will do nothing.
You can achieve this as follows.
Add the CPU hostname to the Hostnames and Addresses panel in server manager, quoting the mac address of the NIC, and the required IP. This will force DHCP to always issue the same specified IP address to that host.
Then install Dansguardian and configure it to block access to that IP (therefore mac address). See the wiki contrib article for further details.
-
What am I doing wrong?
You have your block rule after the packets have already been accepted via the "local_chk" rule.
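To make the ordering point concrete, here is an added example (not from the thread or from SME Server itself): a small model of iptables first-match evaluation. The local_chk behaviour, the interface name and the fragment name 30local_chk are assumptions used only to show why a fragment named 40DenyRiffRaff sorts after local_chk and never fires, while 20DenyRiffRaff sorts before it and does.

```python
# Added example (not from the thread): minimal model of iptables first-match
# evaluation, showing why a MAC-based DROP placed after SME's local_chk rule
# never fires for LAN traffic. Chain behaviour, interface name and the
# fragment name "30local_chk" are assumptions, not SME's real template contents.

LAN_MAC = "00:01:6C:D9:9C:54"  # MAC address quoted in the thread


def mac_drop(pkt):
    # Models: iptables -A INPUT -m mac --mac-source LAN_MAC -j DROP
    return "DROP" if pkt["mac"] == LAN_MAC else None


def local_chk(pkt):
    # Assumed behaviour of the local_chk chain: accept anything arriving on
    # the internal (LAN) interface. The real SME chain is more detailed.
    return "ACCEPT" if pkt["iface"] == "eth0" else None


def run_chain(rules, pkt, policy="DROP"):
    """Evaluate rules in order; the first rule returning a verdict wins,
    otherwise the chain policy applies (INPUT policy DROP in the thread)."""
    for rule in rules:
        verdict = rule(pkt)
        if verdict is not None:
            return verdict
    return policy


def verdict_with_fragment(fragment_name, pkt):
    """Place the MAC rule where its template fragment name puts it: SME expands
    fragments in lexical order, so '40DenyRiffRaff' lands after the assumed
    '30local_chk' fragment and '20DenyRiffRaff' lands before it."""
    fragments = {"30local_chk": local_chk, fragment_name: mac_drop}
    ordered = [fragments[name] for name in sorted(fragments)]
    return run_chain(ordered, pkt)


# Constructed sample packets: one from the blocked MAC, one from another host.
LAN_PACKET = {"mac": LAN_MAC, "iface": "eth0"}
OTHER_PACKET = {"mac": "00:11:22:33:44:55", "iface": "eth0"}

if __name__ == "__main__":
    for name in ("40DenyRiffRaff", "20DenyRiffRaff"):
        print(name, "->", verdict_with_fragment(name, LAN_PACKET))
```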
-
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
pico -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
Look at what is in this directory...
/etc/e-smith/templates/etc/rc.d/init.d/masq
...that 40DenyRiffRaff template fragment fits into the above order.
I'm guessing but look at the 10xxx and the 20xxx fragments...
rename your 40DenyRiffRaff as 10DenyMAC or maybe 21DenyMAC
(then expand the template and restart masquerading)
If it does not work just delete the fragment, expand, restart.
Good luck;~)
-
d_loayza, Charlie & piran
Am I misunderstanding something here?
It appears that d_loayza wants to block access from a LAN client to SME server shares & the Internet, not block access from the Internet to the SME server.
Firewall code will not achieve that AFAIK.
...I want block an internal client via mac address...
...I want block the CPU using the MAC ADDRESS (not IP)
...I have this situation:
IP: 192.168.1.x
CPU --------> SME Server ---------> Internet
(LAN)
MAC 00:01:6C:D9:9C:54
and after creating a firewall rule (albeit not a strictly correct rule)...
...But, the CPU continue connecting to the SME Server, can see the Ibays, can navigate to Internet, etc.
Isn't this a local access issue needing the likes of Group access control, forced DHCP IP allocation based on mac address, and Dansguardian web access control or similar eg squidguard or maybe even ACL rules ?
-
d_loayza, Charlie & piran
Am I misunderstanding something here?
Not sure any of us clearly understand quite what the OP wants or needs.
The given clues are a bit ambiguous. Hopefully the suggestions will promote some clarity.
-
With the Google language tools I will try to clarify the situation.
My problem is this, I have configured my SME Server as a gateway, with squid, dansguardian sarg and running smoothly.
In the dansguardian's "exceptioniplist" file I have some IPs for users in the network that have free Internet access. However, I have some "smart" kids on the network who modify the properties of the NIC on the station (local client or local CPU) and set any free IP, bypassing dansguardian's restrictions.
My intention is to punish and scare these kids by completely blocking access to the server through their MAC address.
How can I do this?
Thanks in advance.
Daniel Loayza
-
d_loayza
Yes you can achieve blocking of Internet access based on mac address.
You have to configure your system appropriately.
Please reread my previous answer which, slightly rewritten, says:
Add the workstation hostname (eg station15) to the Hostnames and Addresses panel in server manager, quoting the mac address of the workstation NIC, and the required IP eg 192.168.1.15.
This will force the SME server's DHCP server to always issue the same specified IP address to that workstation (that has that unchangeable mac address, assuming the NIC is not physically changed).
You should apply this to all workstations on your network.
Then, for any workstations that are allowed to have any access to the Internet, add these "auto allocated fixed" workstation IPs to the exceptioniplist file.
Normal Dansguardian filtering rules will still apply even to allowed IPs. You could make these DG rules more strict, ie decrease the naughtiness score and add more restricted site lists, block many file types etc etc. Have a good read of the wiki article again and review all the configuration files as there are useful tips in the start of each file. You could even set up Filter Groups so you can be more strict with some users and less strict with other users based on logged-in user name.
You need to take the approach in Dansguardian to "block everything", and only allow specific workstation IP's to have access.
Even if clever users can still change the workstation IP, this should prevent them gaining access as any "free" IP they use is not allowed access.
Furthermore, you should also ideally enable Group Policies using gpedit.msc (when logged in as Administrator on the workstation), or by using centrally administered security policies (poledit etc), and restrict the workstation users' ability to make these fundamental changes to workstation network settings etc.
-
It appears that d_loayza wants to block access from a LAN client to SME server shares & the Internet, not block access from the Internet to the SME server.
Firewall code will not achieve that AFAIK.
iptables firewall rules can achieve that. The correct rules need to be formulated, and put into the correct place.
-
My intention is to punish and scare these kids by completely blocking access to the server through their MAC address.
If the kiddies are clever enough, and have admin access to the workstation, they can change the MAC address.
-
join the interested pc to SME's domain: every user will be a simple user (not administrator) and won't be able to change anything
-
CharlieBrady said:
iptables firewall rules can achieve that. The correct rules need to be formulated, and put into the correct place.
Could you help me with this?
If the kiddies are clever enough, and have admin access to the workstation, they can change the MAC address.
You're right, but it's a little harder and some BIOSes do not support it.
Stefano said:
join the interested pc to SME's domain: every user will be a simple user (not administrator) and won't be able to change anything
You're right, but if they log in as a local administrator and not as a domain administrator, they can then continue to modify the NIC settings.
What happens is that I do not administer the network, someone else does; I was hired to set up a firewall to monitor Internet use in the company. Since some cheap routers have this function, not being able to configure it with my amazing Linux firewall shames me. :-)
If you help me solve this, I would be very grateful
Daniel Loayza
PS: Mary, I have not tried your solution, I hope to do so tomorrow.
-
If you help me solve this, I would be very grateful
I've already told you what you are doing wrong.
-
d_loayza
I think Charlie means that the template fragment needs to be inserted earlier eg make it 20RiffRaff or 10RiffRaff depending on the order location it needs to be in.
I have not checked/looked, so you need to work out where.
-
Extremely grateful to all.
I used the solution proposed by Charlie. Changing the name of the file to 20DenyRiffRaff worked perfectly.
Best regards
Daniel Loayza