[KLUG Members] Routing after validating IP address
Mike Williams
knightperson at zuzax.com
Wed Nov 23 05:01:58 EST 2005
Komal wrote:
>Is there a way to configure Linux to forward packets only if the IP
>address validates against an IP address-to-MAC table?
>
>I have several machines which have privileges based on their IP
>address, like higher bandwidth, outgoing SMTP, etc. Now it is entirely
>possible that when any of these machines are down (typically at the end
>of the day or early morning), someone in the office can statically set
>their IP address to any of these and enjoy these privileges.
>
>How do I validate IP addresses before routing? I know I can do this by
>creating a userspace netfilter process which marks packets after
>validation, but is there any out of the box solution?
>
The short answer is "you don't use IP addresses for security". It's far
too easy to change or spoof an IP address. You're going to have to try
something else. Have these elevated privileges only available through
an authenticating proxy server. Or put these machines on a separate
network segment (or VLAN?), and lock the wiring closet so nobody moves
the wires. It might even be possible to set up smart card
authentication so that nobody gets the elevated privileges unless they
have the card, depending on exactly what paranoia level you're after.
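The closest "out of the box" form of the IP-to-MAC check Komal asks about is the iptables `mac` match; this added example, not from the original thread, generates FORWARD rules from a constructed binding table (sample IPs and MACs are made up). It narrows the window but does not close it: a MAC address can be set statically just as easily as an IP, so the advice above still applies.

```shell
#!/bin/sh
# Constructed sample bindings, one "IP MAC" pair per line (not real hosts).
BINDINGS="192.0.2.10 00:11:22:33:44:55
192.0.2.11 00:11:22:33:44:66"

# Print the two rules for one binding: accept forwarded traffic from $ip
# only when its Ethernet source address is $mac, drop any other frame
# that claims that IP. The mac match only sees L2 headers, so this has to
# run on the router directly attached to the segment the hosts live on.
gen_rules() {
  ip="$1"
  mac="$2"
  printf 'iptables -A FORWARD -s %s -m mac --mac-source %s -j ACCEPT\n' "$ip" "$mac"
  printf 'iptables -A FORWARD -s %s -j DROP\n' "$ip"
}

# Walk the whole table; pipe the output to sh on the router to apply it.
gen_all() {
  printf '%s\n' "$BINDINGS" | while read -r ip mac; do
    [ -n "$ip" ] && gen_rules "$ip" "$mac"
  done
}

gen_all
```

Pair it with the rest of the chain (rules for the privileged services keyed on these IPs) and, as Mike says, do not treat it as more than a speed bump.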