[KLUG Members] Routing after validating IP address
Chris Hansen
chris at tweakerpad.com
Wed Nov 23 07:08:57 EST 2005
Komal wrote:
>iptables has a MAC matching option. This is trivial to defeat though.
>I think I would need to control this on your switches (802.1x +
>RADIUS), or
>simple static ARP tables on the switch.
>
Chris Hansen writes:
Well, if you're a fan of inefficiency I'm sure that your DHCP users will
love this when their leases expire:
#!/bin/bash
# Snapshot the current IP->MAC pairs (skipping the header line) as "ip_mac" entries
approved_macip_maps=(`arp -n |grep -vi address |awk '{print $1"_"$3}'`)

check_arp_tables() {
    # The approved "ip_mac" entries arrive as positional arguments
    for idx in "$@"
    do
        approved_ipaddr=`echo $idx |awk -F _ '{print $1}'`
        approved_hwaddr=`echo $idx |awk -F _ '{print $2}'`
        # Compare the whole address field so 192.168.1.1 does not also match 192.168.1.10
        ipaddr=`arp -n |awk -v ip="$approved_ipaddr" '$1 == ip {print $1}'`
        hwaddr=`arp -n |awk -v ip="$approved_ipaddr" '$1 == ip {print $3}'`
        if [ "$approved_ipaddr" = "$ipaddr" ]; then
            if ! [ "$approved_hwaddr" = "$hwaddr" ]; then
                # IP to MAC map changed
                # Put iptables blocking stuff here
                :
            else
                # Everything copesetic
                # Grep your iptables for previously
                # blocked ip and unblock here
                :
            fi
        fi
    done
}

# Keep checking until the box heads into runlevel 6 (reboot)
while ! [ `runlevel |awk '{print $2}'` = "6" ]
do
    check_arp_tables "${approved_macip_maps[@]}"
    sleep 10000
done
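As an added illustration (not part of Chris's script or the thread), a Python check that parses constructed `arp -n` output and separates an IP that now answers from a different hardware address (worth a closer look) from a known MAC that merely moved to a new IP, which is what a DHCP lease change looks like and what a plain ip_mac comparison would wrongly block:

```python
import re

# Constructed sample `arp -n` output (not captured from a real host): a baseline
# snapshot and a later one where .11 has a new MAC and .12's MAC moved to .13.
BASELINE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.10             ether   00:11:22:33:44:55   C                     eth0
192.168.1.11             ether   00:11:22:33:44:66   C                     eth0
192.168.1.12             ether   00:11:22:33:44:77   C                     eth0
"""
CURRENT_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.10             ether   00:11:22:33:44:55   C                     eth0
192.168.1.11             ether   aa:bb:cc:dd:ee:ff   C                     eth0
192.168.1.13             ether   00:11:22:33:44:77   C                     eth0
192.168.1.12                     (incomplete)                              eth0
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def parse_arp(text):
    """Return {ip: mac} from `arp -n` output, skipping the header line and
    '(incomplete)' entries, which carry no hardware address."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Address":
            continue
        if MAC_RE.match(fields[2]):
            table[fields[0]] = fields[2].lower()
    return table

def classify_changes(baseline, current):
    """Split the differences between two {ip: mac} maps into
    conflicts: the same IP now answers from a different MAC, and
    moved: a known MAC reappears on a different IP (a lease renewal)."""
    conflicts = {}
    moved = {}
    current_ip_of = {mac: ip for ip, mac in current.items()}
    for ip, old_mac in baseline.items():
        new_mac = current.get(ip)
        if new_mac is not None and new_mac != old_mac:
            conflicts[ip] = (old_mac, new_mac)
        new_ip = current_ip_of.get(old_mac)
        if new_ip is not None and new_ip != ip:
            moved[old_mac] = (ip, new_ip)
    return conflicts, moved
```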