[KLUG Members] Routing after validating IP address

Mike Williams knightperson at zuzax.com
Wed Nov 23 05:01:58 EST 2005


Komal wrote:

>Is there a way to configure Linux to forward packets only if the IP
>address validates against an IP-address-to-MAC table?
>
>I have several machines which have privileges based on their IP
>address, like higher bandwidth, outgoing SMTP, etc. Now it is entirely
>possible that when any of these machines are down (typically at the
>end of the day or early morning), someone in the office can
>statically set their IP address to any of these and enjoy these
>privileges.
>
>How do I validate IP addresses before routing? I know I can do this by
>creating a userspace netfilter process which marks packets after
>validation, but is there any out of the box solution?
>  
>
The short answer is "you don't use IP addresses for security".  It's far 
too easy to change or spoof an IP address.  You're going to have to try 
something else.  Have these elevated privileges only available through 
an authenticating proxy server.  Or put these machines on a separate 
network segment (or VLAN?), and lock the wiring closet so nobody moves 
the wires.  It might even be possible to set up smart card 
authentication so that nobody gets the elevated privileges unless they 
have the card, depending on exactly what paranoia level you're after.
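The "out of the box" check the question asks about does exist in stock netfilter: the iptables mac match (-m mac --mac-source) compares the Ethernet source address of an incoming frame against the rule. The script below is an added example, not code from the original thread: it generates FORWARD rules from an IP-to-MAC table so that a privileged IP is forwarded only from its bound MAC and is logged and dropped otherwise. The binding table and the interface name eth0 are constructed for the example. Two caveats go with it, and they are why the reply above still stands: the match only sees the MAC of the last hop, so it works only on the router's own segment, and a MAC address is as easy to change as an IP address (ifconfig hw ether), so this raises the bar for a casual squatter but is no substitute for a separate VLAN or an authenticating proxy.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates iptables
# FORWARD rules from an IP-to-MAC table using the stock "mac" match
# module (-m mac --mac-source): a privileged IP is forwarded only when
# the frame carrying it comes from the bound MAC; any other host using
# that IP is logged and dropped. Nothing is applied; the output is
# printed for review (pipe it to sh as root to load it).
#
# Constructed table for the example: one "IP MAC" pair per line.
BINDINGS='192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:66'

# Print the rules for one inbound interface ($1, assumed eth0 below)
# and one binding table ($2). Returns 1 on a malformed MAC so that a
# typo in the table never produces a half-built ruleset.
gen_rules() {
    iface=$1
    table=$2
    while read -r ip mac; do
        [ -n "$ip" ] || continue
        # Shape check only (six colon-separated octets); hex digits are
        # not verified here, iptables will reject anything else.
        case $mac in
            ??:??:??:??:??:??) ;;
            *) echo "gen_rules: bad MAC for $ip: $mac" >&2; return 1 ;;
        esac
        # Accept only if both the claimed source IP and the Ethernet
        # source MAC match the table entry.
        printf 'iptables -A FORWARD -i %s -s %s -m mac --mac-source %s -j ACCEPT\n' \
            "$iface" "$ip" "$mac"
        # Same IP from any other MAC: log the squatter, then drop.
        printf 'iptables -A FORWARD -i %s -s %s -j LOG --log-prefix "ip-mac-mismatch: "\n' \
            "$iface" "$ip"
        printf 'iptables -A FORWARD -i %s -s %s -j DROP\n' "$iface" "$ip"
    done <<EOF
$table
EOF
}

# Number of rules a table produces (three per binding).
count_rules() {
    gen_rules "$1" "$2" | wc -l | tr -d ' '
}

gen_rules eth0 "$BINDINGS"
```

The per-IP DROP rule matters as much as the ACCEPT: without it a later, broader rule (or the chain policy) could still forward a squatter's traffic, and the LOG line in front of it is what tells you someone tried.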

