Linux client MAC address control


As a server operating system, Linux offers stable services and powerful functions. Since kernel 2.4 the NetFilter packet filtering framework has been built in, and its packet filtering capability makes Linux well suited for use as a software router. Many small and medium-sized enterprises connect their internal networks to the Internet through Linux software routers, which are not inferior to some proprietary systems and have an advantage in function customization and application extension.

When accessing the Internet, different users should have different permissions. To prevent permission theft, identifying users is very important. Common identification methods include user name/password authentication, user IP address identification, and identification by the physical address (MAC address) of the user's network card.

User name/password authentication is the traditional method. It is cumbersome to manage and use, the client must be configured, most office users cannot complete such configuration on their own, and passwords are not sufficiently protected. This method often increases the network administrator's burden without achieving the purpose of authentication.

IP address identification requires no client settings, but an IP address is easy to modify and IP address theft cannot be prevented, so it provides essentially no security.

Checking the physical address of the network card: an ordinary user cannot modify the MAC address of the NIC, and, like the IP address, it can be used to identify the user without any client configuration. Even if the network changes, such as being resized or rebuilt, or the client's IP address or user name changes, the MAC address is unaffected. Judging the client's MAC address is therefore a simple and effective way to identify users.

Next we discuss transparent MAC address authentication when Linux acts as the Internet gateway together with a proxy service. MAC address recognition methods include the mac matching module of iptables, the MAC address check function of the proxy server, and control using static ARP tables.


MAC matching module using iptables


In the Linux 2.4 kernel the packet filtering module was fundamentally changed and is now controlled entirely by the kernel, greatly improving efficiency; iptables replaced ipchains. The standard iptables release includes a MAC address matching module, which is loaded with iptables -m mac.

Assume the LAN connects to the Internet through a Linux gateway. We assign the IP address 192.168.1.25/32 to user A, who has Internet access permission; the MAC address of A's NIC is 00:02:01:50:bb:53. When an IP packet is finally encapsulated for transmission, the frame carrying it contains the MAC address of the sending NIC, so we can check this field to prevent IP address theft. In this example, the Linux gateway checks packets from 192.168.1.25/32 to see whether their source MAC address is 00:02:01:50:bb:53. The commands are as follows:

# Set the default policy of the PREROUTING chain to DROP so that no packet passes unless a rule accepts it.
# Note: the nat table sees only the first packet of each connection; the filter table's FORWARD chain
# is the usual place for per-packet checks like this one.
iptables -t nat -P PREROUTING DROP
# Check the MAC address of the user whose IP address is 192.168.1.25/32. If it does not match the specified
# MAC address, the packet claiming to come from 192.168.1.25 was not sent from that NIC, i.e. it comes from
# an illegal user, and it is discarded.
iptables -t nat -A PREROUTING -s 192.168.1.25 -m mac ! --mac-source 00:02:01:50:bb:53 -j DROP
# If the MAC address matches, the packet reaches this rule and is allowed to pass.
iptables -t nat -A PREROUTING -s 192.168.1.25 -j ACCEPT


In this way, even if an unauthorized user B sets his own IP address to 192.168.1.25 (which is common, since a manually configured local address takes precedence over DHCP), packets passing through the gateway still do not obtain user A's permissions because the MAC address does not match. This achieves the goal of identifying users.


Use the proxy server's MAC address check function


On Linux, the most common proxy servers are Squid and Socks5. The following uses Squid as an example to describe how to check the client's MAC address. Because the RPM release of Squid usually does not enable this feature (that build reports an incorrect acl type when MAC matching is used), the source code must be compiled manually. First download squid-2.x-src.tar.gz, unpack it with tar xvfz squid-2.x-src.tar.gz, enter the extracted subdirectory, and configure the build options with ./configure. In addition to the features you need, add the parameter --enable-arp-acl so that an acl (Access Control List) of type arp (MAC address matching) can be defined. Then run make and make install.

After installation, modify squid.conf to match the MAC address, as shown below:

# Define an accept_group list; the MAC address of this user is 00:02:01:50:bb:53.
acl accept_group arp 00:02:01:50:bb:53
# Define the all list covering source IP 0/0, i.e. every user, so that everything not explicitly allowed can be denied.
acl all src 0/0
# Allow normal access for accept_group
http_access allow accept_group
# Deny all other, unauthorized access
http_access deny all


Start Squid and configure the correct cache directory and port forwarding.

When Squid receives a request, it checks the client's MAC address regardless of which IP address or host the request comes from, and only allows requests whose MAC address is 00:02:01:50:bb:53. In this way, zero-configuration user identification is implemented on the client side. On Linux gateways that use iptables + Squid as a transparent proxy, either iptables or Squid can be chosen to identify users.


Control Using static ARP tables


ARP (Address Resolution Protocol) is the underlying protocol that converts IP addresses to physical addresses. On Ethernet, all access to an IP address is ultimately converted to access to the MAC address of a NIC.

If host A's ARP table does not correctly map host B's IP address to B's MAC address, packets sent from A to B go to the wrong MAC address and naturally cannot reach B; A and B cannot communicate at all. On Linux, the arp command controls ARP conversion, that is, the IP-to-MAC mapping, so this function can be used to bind a MAC address. Let us look at how the arp command is used.

Entering arp displays all current ARP entries, similar to the following:


Address          HWtype  HWaddress          Flags Mask  Iface
www.myhome.net   ether   00:06:29:57:16:F5  C           eth0
218.200.80.177   ether   00:01:30:F4:32:40  C           eth1
ntc9.myhome.net  ether   00:02:1E:F1:92:C2  C           eth0
192.168.1.25     ether   00:02:1E:F1:92:C2  C           eth0

This shows the IP addresses the system currently holds, each paired with one MAC address, together with the hardware type (HWtype) and the interface used for communication (Iface). These entries are generated dynamically without manual intervention; what we need is to intervene in this process manually.

Another important feature of the arp command is manually changing these mappings. The command can also read ARP entries from a text file; the default file is /etc/ethers. When arp -f is entered, the system reads /etc/ethers and replaces its current ARP entries with the entries from the file. Assume that /etc/ethers contains the following:

192.168.1.25 00:02:01:50:bb:53


Then run arp -f.

Viewing the system ARP table now shows that, whatever the original MAC address of 192.168.1.25 was, it has been replaced by the new one:


Address          HWtype  HWaddress          Flags Mask  Iface
www.myhome.net   ether   00:06:29:57:16:F5  C           eth0
218.200.80.177   ether   00:01:30:F4:32:40  C           eth1
ntc9.myhome.net  ether   00:02:1E:F1:92:C2  C           eth0
192.168.1.25     ether   00:02:01:50:bb:53  C           eth0

Now the destination MAC address of packets sent from the local machine to 192.168.1.25 changes from 00:02:1E:F1:92:C2 to 00:02:01:50:bb:53. Obviously, if the MAC address of the NIC at 192.168.1.25 is not 00:02:01:50:bb:53, the packets cannot reach the correct destination and the two hosts cannot communicate. This achieves the goal of identifying illegal users.
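As an added example (not part of the original article), the following shell function audits the gateway's ARP cache against the same IP/MAC allowlist: it reports a host whose resolved MAC differs from the list, an allowlisted host with no ARP entry, and a resolved host the list never mentions. The allowlist, the arp -n snapshot and the helper name audit_arp are constructed; on a real gateway pass the output of arp -n instead of the snapshot.

```shell
#!/bin/sh
# Constructed allowlist (same "IP MAC" layout as the /etc/ethers file above) and a
# constructed `arp -n` snapshot; on a real gateway use "$(arp -n)" as the second argument.
ALLOWLIST='192.168.1.25 00:02:01:50:bb:53
192.168.1.26 00:02:01:50:bb:54
192.168.1.27 00:02:01:50:bb:55'

ARP_SNAPSHOT='Address         HWtype  HWaddress           Flags Mask  Iface
192.168.1.25    ether   00:02:1e:f1:92:c2   C           eth0
192.168.1.26    ether   00:02:01:50:bb:54   C           eth0
218.200.80.177  ether   00:01:30:f4:32:40   C           eth1'

# Compare the kernel ARP cache against the allowlist for one interface.
# $1 = allowlist text, $2 = `arp -n` output, $3 = interface (default eth0).
# Prints one line per finding (MISMATCH / MISSING / UNKNOWN); returns 1 if there are any.
audit_arp() {
    ifc=${3:-eth0}
    report=$(
        # pass 1: every allowlisted IP must be resolved to exactly its listed MAC
        printf '%s\n' "$1" | while read -r ip mac rest; do
            case "$ip" in ''|'#'*) continue ;; esac
            want=$(printf '%s' "$mac" | tr 'A-F' 'a-f')        # normalise case
            got=$(printf '%s\n' "$2" | awk -v ip="$ip" -v ifc="$ifc" \
                '$1 == ip && $2 == "ether" && $NF == ifc { print tolower($3) }')
            if [ -z "$got" ]; then
                printf 'MISSING  %s expected %s (no ARP entry)\n' "$ip" "$want"
            elif [ "$got" != "$want" ]; then
                printf 'MISMATCH %s expected %s got %s\n' "$ip" "$want" "$got"
            fi
        done
        # pass 2: a resolved host on this interface that the allowlist never listed
        printf '%s\n' "$2" | awk -v ifc="$ifc" 'NR > 1 && $2 == "ether" && $NF == ifc { print $1 }' |
        while read -r ip; do
            printf '%s\n' "$1" | awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' ||
                printf 'UNKNOWN  %s present in ARP cache but not in allowlist\n' "$ip"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

audit_arp "$ALLOWLIST" "$ARP_SNAPSHOT" eth0 || echo "ARP cache deviates from allowlist"
```

The non-zero exit status makes the function usable from cron or a monitoring check, with the findings as the alert body.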

Of course, there are further ways to control MAC addresses. For example, the port management function of a switch can identify users. A switch forwards data directly to the corresponding port, so it must keep a database of the MAC addresses of the NICs connected to all its ports; controlling which MAC address may use each port is therefore feasible. Most high-end switches, such as the 3Com SuperStack series, have such a feature. The specific operation depends on the switch model and is not described here.

Finally, MAC address control is not absolutely safe. Just as there is no password in the world that cannot be cracked, security is always relative to a specific environment. Many NICs now support MAC address modification software, and both Linux and Windows can change this physical address. However, because this method is relatively stable, discards complicated client settings, is completely transparent to users, and is highly practical, it is safe to a certain extent.
