Re: help on masquerading
Ritesh Raj Sarraf wrote:
On Tue, 29 Jun 2004, John Summerfield wrote:
You didn't say whose machines they are nor what OS they're running. If
they're yours you can lock them down so the users can't do those things.
I think, here the issue isn't what OS they'll be running. It's okay if they run TCP.
If yours, you are entitled to configure them (indeed, you must). How
you do it depends on the OS.
You can run arpwatchd which will email you whenever a new host arrives on
your LAN and whenever anyone changes IP.
That's a good option. But it'll be too late if they do such activity at night (when I'm not at office) and use it till my next working day at office.
So learn what the mail looks like and write a script to do something
sensible about it.
You can configure DHCPD to serve out IP addresses, require all your
clients to use DHCP. In your configuration you can hard-code IP
addresses for everyone who's authorised to connect and use a dynamic
range for everyone else. You may choose to not route them outside the
LAN, give them IP addresses on a different subnet (they're all on the
same wire) and generally be devious, even to regularly changing the
allowed IP addresses!
I hadn't thought of DHCPD. I'll give a look at it. Thank you.
Google for pebble and nocat. They're wireless kit, but probably useful
to you too. Their purpose is to provide public Internet access and
require everyone to be authenticated. In a free (gratis) environment,
people can decline authentication and be authenticated as anonymous,
with different access rights.
From what you have said, that could suit you very well. Especially if
you (want to) allow people to bring their wireless laptops.
Another gentleman on the debian-isp list provided a better suggestion (as I think). Restricting my customers with MAC address. I think this would be enough for my requirement.
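iptables -P FORWARD DROP
iptables -A FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -o eth0 -j ACCEPT  # MAC matching needs -m mac
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT  # let replies back in
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  # MASQUERADE is only valid in nat POSTROUTING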
I didn't suggest that because it's trivial to fake.
ifconfig eth0 hw fe:ee:fe:fe:ee
man ifconfig # for more
You do need to know other acceptable MAC addresses, of course.
Besides, hardwiring IP addresses in DHCP uses the MAC address.
--
Cheers
John
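
The "learn what the mail looks like and write a script" suggestion above, sketched as an added example that is not part of the original post. It assumes the report body carries "ip address:" and "ethernet address:" lines and that the allowlist holds the same IP-to-MAC pairs hard-coded in DHCP; the addresses, names and sample mail are constructed.

```python
import email
import re

# Constructed allowlist: the IP-to-MAC pairs you would also hard-code in DHCP.
AUTHORISED = {
    "192.168.1.10": "00:0c:29:aa:bb:01",
    "192.168.1.11": "00:0c:29:aa:bb:02",
}

# "   field name: value" lines in the report body.
FIELD = re.compile(r"^\s*([a-z ]+?):\s*(.+?)\s*$", re.M)


def norm_mac(mac):
    """Pad octets: arpwatch prints 0:c:29:aa:bb:1, not 00:0c:29:aa:bb:01."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(p.zfill(2) for p in parts)


def classify(raw_mail, authorised=AUTHORISED):
    """Return (verdict, ip, mac) for one arpwatch report."""
    body = email.message_from_string(raw_mail).get_payload()
    fields = dict(FIELD.findall(body))
    ip = fields["ip address"]
    mac = norm_mac(fields["ethernet address"])
    known_macs = {norm_mac(m) for m in authorised.values()}
    if ip in authorised:
        verdict = "authorised" if norm_mac(authorised[ip]) == mac else "mac-mismatch"
    elif mac in known_macs:
        verdict = "known-mac-wrong-ip"   # authorised card on an address it was not given
    else:
        verdict = "unknown-host"
    return verdict, ip, mac


def sample_mail(subject, ip, mac):
    """Constructed test message, not captured output."""
    return ("From: arpwatch\nTo: root\nSubject: %s\n\n"
            "            hostname: <unknown>\n"
            "          ip address: %s\n"
            "    ethernet address: %s\n"
            "           timestamp: Tuesday, June 29, 2004 23:10:05 +0000\n"
            % (subject, ip, mac))


if __name__ == "__main__":
    for ip, mac in [("192.168.1.10", "0:c:29:aa:bb:1"), ("192.168.1.77", "0:50:56:1:2:3")]:
        print(classify(sample_mail("new station", ip, mac)))
```

An "authorised" verdict only means the IP and MAC pair matches the list; as noted above, a MAC can be faked, so a cloned pair looks the same to this check.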