IP access

Bob Chiodini chiodr at kscems.ksc.nasa.gov
Thu Jan 29 16:36:06 UTC 2004


On Thu, 2004-01-29 at 10:27, Szemerédy Gábor wrote:
> Hello list members!
> We have a server with its public IP address and there is also a subnet
> with local addresses (192.168.0.x) on it.
> We would like to limit the access from a certain IP address so that it
> can be established only if the request comes from the same workstation.
> Something like capturing the workstation's MAC address to its IP
> address, so that the user can browse the internet only if the MAC
> address of the workstation and the IP address are equal to the
> predefined values.
> We do traffic accounting by IP address and would like to prevent using
> the account of another workstation by changing the IP address.
> (In the current situation one can browse the internet with a certain IP
> address and then change the IP address and use the account of another
> person.)
> Is there any solution?

You might be able to combine source IP address and MAC matching rules
using iptables, something like:

iptables -A FORWARD -s 10.0.0.5 -m mac --mac-source 00:AA:BB:CC:DD:EE -j ACCEPT

(not tested)

It would mean a separate rule for each host on the local side of the
firewall, that would need editing each time the NIC or client computer
is changed.

Proxy ARP and/or bridging may also provide a solution (try
http://lartc.org/howto/lartc.bridging.proxy-arp.html).

Alternatively, use DHCP and eliminate root/administrator access by the
users (per Alexander).

Bob...
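The per-host approach Bob sketches, carried through as an added example (this is not code from the original post). It builds one FORWARD rule per registered IP/MAC pair and a final log-and-drop for anything else arriving from the LAN subnet, so a workstation that switches to a neighbour's IP gets no forwarding at all instead of quietly inheriting the neighbour's account. The LAN interface name eth1, the chain name LAN_AUTH and the host table are assumptions made for the example; the 192.168.0.0/24 subnet is the one from the question.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Generates iptables commands that accept forwarded traffic from a LAN host
# only when BOTH its source IP and its source MAC match a registered pair,
# then logs and drops everything else from the LAN subnet.
# Assumptions (hypothetical): LAN interface eth1, chain name LAN_AUTH.

LAN_IF=eth1
LAN_NET=192.168.0.0/24

# Constructed host table for the example: "ip mac" pairs, one per line.
HOSTS='
192.168.0.10 00:11:22:33:44:55
192.168.0.11 00:11:22:33:44:66
'

# Strict MAC check so a typo in the table cannot produce a rule that
# silently matches nothing (iptables would reject it, but only at apply time).
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Loose dotted-quad check for the IP column.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the iptables commands for the host table given as $1 to stdout.
# Nothing is executed here; pipe the output to sh to apply it.
gen_rules() {
    table=$1
    chain=LAN_AUTH
    # A dedicated chain keeps the per-host rules apart from the rest of the
    # FORWARD policy and lets you flush and rebuild them when a NIC changes.
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -F %s\n' "$chain"
    # Here-document rather than a pipe so "return 1" leaves the function.
    while read -r ip mac; do
        [ -z "$ip" ] && continue
        valid_ip "$ip"   || { echo "bad ip in host table: $ip" >&2; return 1; }
        valid_mac "$mac" || { echo "bad mac in host table: $mac" >&2; return 1; }
        # Accept only when the IP *and* the MAC match the registered pair.
        printf 'iptables -A %s -i %s -s %s -m mac --mac-source %s -j ACCEPT\n' \
            "$chain" "$LAN_IF" "$ip" "$mac"
    done <<EOF
$table
EOF
    # Anything else from the LAN subnet: log it (this is the evidence that
    # someone changed their IP) and drop it.
    printf 'iptables -A %s -i %s -s %s -j LOG --log-prefix "LAN-MAC-MISMATCH: "\n' \
        "$chain" "$LAN_IF" "$LAN_NET"
    printf 'iptables -A %s -i %s -s %s -j DROP\n' "$chain" "$LAN_IF" "$LAN_NET"
    # Hook the chain in front of FORWARD for traffic entering on the LAN side.
    printf 'iptables -I FORWARD -i %s -j %s\n' "$LAN_IF" "$chain"
}

# Number of per-host ACCEPT rules the table produces.
count_accept_rules() {
    gen_rules "$1" | grep -c -- '-j ACCEPT'
}

# To review:  gen_rules "$HOSTS"
# To apply:   gen_rules "$HOSTS" | sh
```

Two caveats worth knowing before relying on this. The mac match only sees the source MAC of the Ethernet frame as it arrives at the firewall, so it works only when the clients sit on the same layer-2 segment as the firewall's LAN interface; anything that has crossed a router carries the router's MAC instead. And a user with root or administrator rights on the workstation can change the MAC as easily as the IP, which is why the DHCP-plus-no-local-admin suggestion above is the stronger control; the IP/MAC pairing mainly stops casual account borrowing and gives you a log line when it is attempted.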