Best of the ISP-Lists: General
Setting Up a Linux-Based Firewall With DHCP
ISP owners share the basics of firewall configuration, and also
discuss the benefits of getting subscribers to use DHCP instead of static IP
addresses.
On the ISP-Tech list in May, GB asked a question:
"I'm looking at some options how to assign IP addresses
to the clients and control who gets what. DHCP seems to be the least hassle
from the client's point of view since they don't need to remember static IP,
gateway, DNS, etc. information.
But there is nothing that prevents somebody from bypassing DHCP and just assigning himself an IP address on the network once he knows what to use for DNS, default gateway and such.
I'd like to force the use of DHCP. This way we ensure
an IP address is assigned that isn't in use yet and we can control who gets
an IP address by keeping a database of allowed MAC addresses. Then we'll have
to somehow deal with MAC address spoofing too, but that isn't my immediate
concern. Then some system would be needed to allow this computer access to
the Internet after a successful DHCP request. Assigning himself a valid IP
address without going through a DHCP request would result in his packets not
going anywhere. Maybe the DHCP server can tie into a firewall whose default
policy is to drop packets and only pass packets to and from a valid IP/MAC
combination.
Any suggestions on how I might go about this would be appreciated."
[VS replied] "How big is your DHCP pool? You can tie DHCP leases in to a firewall (say IPTABLES), but without a lease the only thing you would allow would be DHCP requests. This is not difficult to do. I have set up something similar using a vendor-based solution like Bluesocket. But it is not difficult to build from scratch. With the leases file and a Perl/C or C++ program, just lseek the changes and update IPTABLES. You can also set the IPTABLES filter by MAC address. This is assuming that a Linux box is acting as a router.
Cisco has some built-in features that I had researched as well for using their gear (with good money) behind it."
GB replied, and added another question:
"Right now I've allocated a subnet of 254 addresses for DHCP, which will be enough for a while.
Correct, it's a Linux box. Does anybody have experience with the performance of a Linux kernel based firewall? My experiences with only a few dozen rules have been just fine, but I've never gone much beyond that, certainly not hundreds of rules.
Then there is a potential problem of server crashes, so all rules are wiped and the DHCP lease file may or may not be trustworthy. It'd be a bad day having to call all our clients "please renew your IP address to get your connection working again" (which usually translates to "please reboot your computer" depending on the type of client). I suppose periodically saving the current iptables rules could help out there."
[JS answered] "I think you'll find that even a 500 MHz Intel Celeron processor will be more than enough for your needs. I've had iptables running with a few thousand rules without any issue. It was on a system which had a NIC connected to a Cisco with 2 T-1s, and also had 2 T-1s via pppd/Sangoma cards, as well as running MRTG, Squid, and CBQ. It ran perfectly and even had an uptime only a few weeks short of 2 years when the damn hard drive went.
I have a wireless ISP. Here's how I filter:
I have created chains called IN and OUT, which contain rules for each customer, i.e. me_in goes in IN, and me_out goes in OUT.
All traffic forwarded to the Internet goes to OUT, all traffic from the Internet to clients goes to IN.
The me_out chain has a rule to only allow my MAC address to send out on the IP matched in OUT which directed the packet to this chain.
So in order for someone to get on my network as me, they would have to have the right MAC address to go with the IP they chose to use, or it would be useless."
[GB was happy] "That's exactly the first thing that came to mind as well, which I've been working towards. Good to know the number of rules is basically of no importance performance-wise. The current server won't need to be upgraded. Thanks for the info!"
[ER added] "Put all the rules in a file and load the rules from /etc/rc.d/rc.local (or similar). Edit this script and rerun this script file after changes. This file should first clear all rules, load modules, and then load your rules. See:
http://linuxselfhelp.com/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html"
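The per-customer IN/OUT chain scheme JS describes, combined with ER's advice to load the whole rule set from one script, as an added example that is not code from either poster. It generates an iptables-restore rule set from a customer table; the customer names, addresses and MACs are constructed sample data, and eth0 (upstream) and eth1 (customer LAN) are assumed interface names.

```shell
#!/bin/sh
# Added example: build the IN/OUT per-customer chains as an
# iptables-restore file, so rc.local can load it atomically with:
#   gen_rules "$CUSTOMERS" | iptables-restore
# Interface names are assumptions for this example.
WAN_IF=eth0   # upstream (assumed)
LAN_IF=eth1   # customer LAN (assumed)

# Constructed customer table: name ip mac (hypothetical values)
CUSTOMERS='alice 10.0.0.10 00:11:22:33:44:55
bob 10.0.0.11 66:77:88:99:aa:bb'

gen_rules() {
  table=$1
  printf '%s\n' '*filter'
  # FORWARD drops by default: an address that is not in the table
  # goes nowhere, which is the behaviour GB asked for. INPUT is left
  # ACCEPT here; the router's own services (DHCP, SSH) are filtered separately.
  printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' ':IN - [0:0]' ':OUT - [0:0]'
  # Declare every customer chain before any rule jumps to it
  printf '%s\n' "$table" | while read -r name ip mac; do
    [ -n "$name" ] || continue
    printf '%s\n' ":${name}_in - [0:0]" ":${name}_out - [0:0]"
  done
  # Dispatch: LAN->Internet through OUT, Internet->LAN through IN
  printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -j OUT"
  printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -j IN"
  printf '%s\n' "$table" | while read -r name ip mac; do
    [ -n "$name" ] || continue
    # OUT selects the customer chain by source IP; the customer chain
    # then accepts only if the frame's source MAC matches too, so an
    # IP without its registered MAC is dropped (MAC is the last hop's,
    # so this assumes customers sit directly on the LAN segment).
    printf '%s\n' "-A OUT -s $ip -j ${name}_out"
    printf '%s\n' "-A ${name}_out -m mac --mac-source $mac -j ACCEPT"
    printf '%s\n' "-A ${name}_out -j DROP"
    # Return traffic is admitted only to registered addresses
    printf '%s\n' "-A IN -d $ip -j ${name}_in"
    printf '%s\n' "-A ${name}_in -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

gen_rules "$CUSTOMERS"
```

Regenerating and reloading the file after each lease or MAC change is the step VS describes doing from a program that watches the leases file.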