only DHCP clients can use Internet

Hi,

I go a job to add restriction to my company's network infra. Those
clients that manually setup their IP address should not be able to
access the internet. Only those that have an entry in the DHCP server
can access.

We use FC4 and iptables/squild/dhcpd.

Thanks for your help,
Jyo

On 2006-02-01, (E-Mail Removed) <(E-Mail Removed)> wrote:
> I go a job to add restriction to my company's network infra. Those
> clients that manually setup their IP address should not be able to
> access the internet. Only those that have an entry in the DHCP server
> can access.

Block port 80 outbound, reserve all the IPs, put the IPs handed out
by DHCP in the 'allow' of the proxy.

Davide

--
Never meddle in the affairs of NT. It is slow to boot and quick to crash.
--Stephen Harris on alt.sysadmin.recovery

(E-Mail Removed) wrote:
> Hi,
>
> I go a job to add restriction to my company's network infra. Those
> clients that manually setup their IP address should not be able to
> access the internet. Only those that have an entry in the DHCP server
> can access.

What is the exact reason for this restriction?

Paul

On Wed, 01 Feb 2006 14:18:58 +0100, Davide Bianchi wrote:

> On 2006-02-01, (E-Mail Removed) <(E-Mail Removed)> wrote:
>> I go a job to add restriction to my company's network infra. Those
>> clients that manually setup their IP address should not be able to
>> access the internet. Only those that have an entry in the DHCP server
>> can access.
>
> Block port 80 outbound, reserve all the IPs, put the IPs handed out
> by DHCP in the 'allow' of the proxy.
>
> Davide

Thats right,

You could actually just explicitly DROP all IP addresses and parse the
dhcpd.leases file once a minute and add the new leases to an IPTables
ALLOW.

What kind of switches are the clients connected to? If you use Cisco
3550's or above (may work on others) with the latest or recent IOS, there
is a feature called DHCP guard (I think, that may be for something else).
What it does is it sniffs for DHCP acks and only allows the IP's it knows
were given out by DHCP to be allowed through. Universities use this in
conjunction with NetReg to stop people from avoiding registration by
giving themselves static IP addresses. Stops them dead in their tracks.

It may not be called DHCP guard but if you use Cisco and have support ask
them about such a feature similar to what I described above. I wish I had
all the details still fresh in my head.

Hope it helps.

--
Nick DePetrillo
Network Security Engineer
OSHEAN
PGP Key: http://pgp.mit.edu:11371/pks/lookup?...rch=0x121245B5

Nicholas DePetrillo �メッセージ:

> On Wed, 01 Feb 2006 14:18:58 +0100, Davide Bianchi wrote:
>
> > On 2006-02-01, (E-Mail Removed) <(E-Mail Removed)> wrote:
> >> I go a job to add restriction to my company's network infra. Those
> >> clients that manually setup their IP address should not be able to
> >> access the internet. Only those that have an entry in the DHCP server
> >> can access.
> >
> > Block port 80 outbound, reserve all the IPs, put the IPs handed out
> > by DHCP in the 'allow' of the proxy.
> >
> > Davide
>
> Thats right,
>
> You could actually just explicitly DROP all IP addresses and parse the
> dhcpd.leases file once a minute and add the new leases to an IPTables
> ALLOW.
>
> What kind of switches are the clients connected to? If you use Cisco
> 3550's or above (may work on others) with the latest or recent IOS, there
> is a feature called DHCP guard (I think, that may be for something else).
> What it does is it sniffs for DHCP acks and only allows the IP's it knows
> were given out by DHCP to be allowed through. Universities use this in
> conjunction with NetReg to stop people from avoiding registration by
> giving themselves static IP addresses. Stops them dead in their tracks.
>
> It may not be called DHCP guard but if you use Cisco and have support ask
> them about such a feature similar to what I described above. I wish I had
> all the details still fresh in my head.
>
> Hope it helps.
>
> --
> Nick DePetrillo
> Network Security Engineer
> OSHEAN
> PGP Key: http://pgp.mit.edu:11371/pks/lookup?...rch=0x121245B5

DePetrillo and Bianchi,
Thank you so much for the advice.

What we used is just a simple Fedora Core 4 linux, not some expensive
switch or sth.

We've thought about the dhcpd.leases file, but in my test today, the
machines got the IP adresses from the server while at the same time,
nothing left in the .leases file. I'm not sure whether that's caused by
some MAC<->IP definition in the dhcpd.conf. Maybe because the dhcpd
just gave some IP address based on client's MAC, so it doesn't need to
leave anything in the .leases file.

I know it must be possible to write a shell and some cron to let the
..leases file be updated. Is there any easy way to do that for a newbie
like me?

for Bianchi,
> put the IPs handed out by DHCP in the 'allow' of the proxy.
is there any simple way to get 'IPs handed out by DHCP'?

Thanks again for you reply.
Best regards,
Jyo

Sorry for my mistake.

>> I know it must be possible to write a shell and some cron to let the
..leases file be updated.

should be

I know it must be possible to write a shell and some cron to let the
iptables be updated.

On Wed, 01 Feb 2006 08:02:28 -0800, Jyo Rakuraku wrote:
> DePetrillo and Bianchi,
> Thank you so much for the advice.
>
> What we used is just a simple Fedora Core 4 linux, not some expensive
> switch or sth.
>
> We've thought about the dhcpd.leases file, but in my test today, the
> machines got the IP adresses from the server while at the same time,
> nothing left in the .leases file. I'm not sure whether that's caused by
> some MAC<->IP definition in the dhcpd.conf. Maybe because the dhcpd
> just gave some IP address based on client's MAC, so it doesn't need to
> leave anything in the .leases file.

So when you mention the MAC <-> IP definition in the dhcpd.conf file do
you mean BOOTP? So what I gather is you have a few clients whose mac
addresses are in the dhcpd.conf file and you have a static IP that is
always given to them defined already. If you are doing it this way (BOOTP)
there will be no leases entry for those people. Since you already have
them statically set, just add those addresses to your IPTables ALLOW.

--
Nick DePetrillo
Network Security Engineer
OSHEAN
PGP Key: http://pgp.mit.edu:11371/pks/lookup?...rch=0x121245B5