
Network management tools

Mohammed Ahmed:

Hi all, I have 2 questions; actually I have 2 problems and I need your help.

The case is: there is a network with 20 users. I will assign an IP address to every MAC, and I want to prevent the users from changing their IP address. I mean I want to assign IP x to MAC x, and if the user changes his IP he doesn't pass through the router.

Any help?

There is another thing: I want to give every IP or every MAC a certain bandwidth. I mean I want to limit the maximum bandwidth for every user to x k.

any help

Best regards

Conceptor:

Run DHCP

Run DHCP and restrict IPs by MAC address; add them manually to your dhcpd.conf:

    # host 1 of 20
    host host1 {
        ddns-updates on;
        ddns-rev-domainname "domain.dom";
        ddns-domainname "domain.dom";
        hardware ethernet 00:05:5D:93:5E:59;
        fixed-address 10.0.0.20;
    }

On the next boot users will have pre-assigned IP addresses according to your dhcpd.conf. You can also increase the lease time to 15 days or something; users will never shut down their PC for more than 15 days, but in that case dhcpd will hand out IPs as it pleases.

Do you want traffic shaping? Or do you want to limit bandwidth on browsing some sites/hosts? If you want it on browsing, run Squid delay pools to restrict bandwidth on clients when browsing HTTP/FTP. I use it, it's perfect: it chokes the users and saves your bandwidth.


    Diaa Radwan

Tw33Ty:

First, about your 1st question: you have to add this to your /etc/dhcpd.conf

    host haagen { hardware ethernet 08:00:2b:4c:59:23; fixed-address 192.168.1.222; }

I think it's clear: it will assign this MAC 08:00:2b:4c:59:23 to this IP 192.168.1.222.

For the second question I think you should google for a traffic shaping script like wondershaper, or something like the QoS on a SpeedTouch.

Mohammed Ahmed:

Thank you all

Diaa, thank you for your help, but that is not what I want.

If the user changes his IP he still has access to the Internet.

There is an option on Cisco switches that assigns a MAC address to a specific port;

if you plug that MAC into another switch port it doesn't work.

I need the same for IP/MAC: if he changes the IP he doesn't have access to the Internet.

The second problem: I want to restrict bandwidth for downloading, not for HTTP connections. I want to allow them to browse all sites, but when they begin to download they never get a rate higher than 5 k or 10 k.

thank you very much for your time

Best regards

MSameer:

I'll tell you my idea; not sure it'll work:

iptables, policy to drop all.

Allow outside connections if and only if the MAC address and IP combination are valid:

--mac-source and --source

Mohammed Ahmed:

I think it may work; would you please give me the full command?

Let's say IP: 192.168.1.1

MAC: 00-0e-50-3e-7f-4f

best regards

MSameer:

man iptables

I gave you the basic idea and a tip; you are on your own!
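The full command set MSameer left as an exercise, written out here as an added example (not code posted by anyone in the thread). It implements exactly his idea: FORWARD policy DROP, then one ACCEPT per valid (IP, MAC) pair using `-s` and `-m mac --mac-source`. The LAN/WAN interface names (eth1/eth0) and the binding table are assumptions; the first pair is the one Mohammed asked about, written in the dash form he used, which the script normalises to the colon form iptables expects.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Pin each LAN host's IP to its MAC on a Linux router with iptables: the
# FORWARD policy is DROP and only listed (IP, MAC) pairs get out, so a host
# that changes its IP (or its MAC) stops reaching the Internet.
# Assumptions: LAN interface eth1, WAN interface eth0, and the constructed
# table in BINDINGS (the first pair is the one asked for in the thread).

LAN_IF=${LAN_IF:-eth1}   # assumption: interface facing the 20 users
WAN_IF=${WAN_IF:-eth0}   # assumption: interface facing the Internet

# Constructed sample table, one "IP MAC" pair per line.
BINDINGS='
192.168.1.1   00-0e-50-3e-7f-4f
192.168.1.2   00:05:5D:93:5E:59
'

# iptables wants colon-separated MACs; case does not matter, but normalising
# to lower-case colon form keeps hand-edited tables from silently mismatching.
norm_mac() {
    printf '%s' "$1" | sed 'y/-ABCDEF/:abcdef/'
}

# Read "IP MAC" lines on stdin and print the iptables commands, one per line,
# without executing them.  The mac match only sees the ingress frame, so it
# must be used on PREROUTING/INPUT/FORWARD with -i, never on POSTROUTING.
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # replies to already-accepted flows
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read -r ip mac; do
        case "$ip" in ''|'#'*) continue ;; esac   # skip blanks and comments
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -m mac --mac-source $(norm_mac "$mac") -j ACCEPT"
    done
    # anything else from the LAN is logged (rate-limited) and then hits the DROP policy
    echo "iptables -A FORWARD -i $LAN_IF -m limit --limit 5/min -j LOG --log-prefix 'IPMAC-MISMATCH: '"
}

rules_for_bindings() {
    printf '%s\n' "$BINDINGS" | gen_rules
}

case "${1:-}" in
    apply) rules_for_bindings | sh -e ;;   # run as root on the router
    *)     rules_for_bindings ;;           # default: print the rules for review
esac
```

Run it with no argument to review the rules, `apply` to load them. Two caveats a practitioner should keep in mind: the check is only as strong as the frame's source MAC, which a user can change as easily as the IP, so this raises the bar to combined MAC+IP spoofing rather than eliminating it; and it does nothing about ARP poisoning on the LAN segment itself, since that never crosses the router. It pairs naturally with the `host { hardware ethernet ...; fixed-address ...; }` entries posted earlier: the same table feeds both dhcpd and the filter.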

Conceptor:

Use Squid

You can restrict access to the Internet through many ACLs on Squid: you have dstdomain and src IP, and you also have the arp ACL, so you can set an ACL with arp to be denied or allowed. (I am not sure if this will apply to the overall download rate.)

I thought users would not have permission to change their IP.


Diaa Radwan

Mohammed Ahmed:

Squid is not a bandwidth shaper

Diaa, Squid is not a bandwidth shaper; it says yes or no and won't give him a certain speed.

And yes, users will have permission to change their IP. Any ideas on how to make it so that if they change their IP they don't get Internet access?

People, think with me; one day you will face it.

Thanks for your help.

Conceptor:

Squid to have Internet access or not


> and yes, users will have permission to change their IP. Any ideas on how
> to make it so that if they change their IP they don't get Internet
> access?

This is why you *may* use Squid.

Squid could be used to limit HTTP traffic through delay pools, I know; you may use any tc for this.


Diaa Radwan

Pronco:

Filter by MAC address

You can filter by MAC address in iptables, and you can use QoS to manage bandwidth.

What you cannot do without a managed switch is prevent users from setting a MAC address from another computer.

BTW, QoS requires a whole set of commands and is quite complicated, but iptables provides some built-in bandwidth limits aside from QoS.

You usually use iptables to mark the packets, or drop them, or trap them, or do weird things to them.


- I'm a code junkie security enthusiast
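The "whole set of commands" Pronco refers to, spelled out as an added example (not code from the thread): an HTB qdisc on the router's LAN interface that caps each host's download rate at 10 KB/s, the figure asked for above. It classifies with a u32 `match ip dst` filter rather than the iptables MARK + `fw` filter route Pronco mentions, so the shaping needs no iptables rules at all; which interface is the LAN side (eth1), the host list, and the 100 Mbit figure for the unshaped default class are all assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code posted in it: cap what each LAN
# host can download, regardless of protocol, with an HTB qdisc on the
# router's LAN interface (traffic towards the clients is egress there).
# Classification uses u32 "match ip dst" instead of iptables MARK + fw
# filters, so no iptables rules are needed for the shaping itself.
# Assumptions: LAN interface eth1, the constructed host list in HOSTS, a
# 10 KB/s per-host cap (the figure asked for in the thread), and a 100 Mbit
# link for the unshaped default class.

LAN_IF=${LAN_IF:-eth1}            # assumption: interface facing the users
RATE_KBPS=${RATE_KBPS:-10}        # per-host cap in kilobytes per second
HOSTS='192.168.1.1 192.168.1.2'   # constructed list; one class per host

# tc rates are in kilobits per second: 1 KB/s = 8 kbit.
kbytes_to_kbit() {
    echo $(( $1 * 8 ))
}

# Print the tc commands, one per line, without running them.
# rate == ceil on every host class, so a host cannot borrow idle bandwidth
# above its cap; hosts not in the list fall into the unshaped default class.
gen_tc() {
    kbit=$(kbytes_to_kbit "$RATE_KBPS")
    echo "tc qdisc del dev $LAN_IF root 2>/dev/null || true"
    echo "tc qdisc add dev $LAN_IF root handle 1: htb default 2"
    echo "tc class add dev $LAN_IF parent 1: classid 1:1 htb rate 100mbit"
    echo "tc class add dev $LAN_IF parent 1:1 classid 1:2 htb rate 100mbit"
    n=10   # tc reads class ids as hex; counting up from 0x10 keeps them unique and clear of 1:1 / 1:2
    for h in $HOSTS; do
        echo "tc class add dev $LAN_IF parent 1:1 classid 1:$n htb rate ${kbit}kbit ceil ${kbit}kbit"
        echo "tc filter add dev $LAN_IF parent 1: protocol ip prio 1 u32 match ip dst $h/32 flowid 1:$n"
        n=$((n + 1))
    done
}

case "${1:-}" in
    apply) gen_tc | sh -e ;;   # run as root on the router
    *)     gen_tc ;;           # default: print the commands for review
esac
```

This only shapes the download direction (packets leaving the router towards the client). Because it works on addresses, it cannot tell a web page from a .zip: every byte to that host shares the same 80 kbit bucket, which is the point Pronco makes below about everything being affected equally. It is also tied to the IP, so it belongs together with the IP/MAC binding, not instead of it.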

Mohammed Ahmed:

ARP

"What you cannot do without a managed switch is prevent users from setting a MAC address from another computer" .. what do you mean?

If you mean that I can prevent them from doing MAC spoofing, I think I have a script for something like that.

BTW, does anyone have something against ARP spoofing, where someone spoofs the ARP tables and tells all nodes that he is the gateway or that he is a certain node, so he can sniff the traffic?

There are Cisco switches against that, but any GPL software you know?
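For the ARP spoofing question, an added example (not something posted in the thread) of what a Linux host or the router itself can do without a managed switch: pin the gateway's ARP entry so a forged reply cannot overwrite it, and check the neighbour table for the two signatures of a poisoning attack, the gateway IP answering with an unexpected MAC and one MAC claiming more than one IP. The gateway address and MAC, the interface name, and the sample `ip neigh` output are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread, not code posted in it.  Two things a Linux
# host (or the router) can do about ARP spoofing without a managed switch:
#   pin   - give the gateway a permanent ARP entry so a forged reply cannot
#           overwrite it on this host;
#   check - read the IPv4 neighbour table and flag the two signatures of a
#           spoof: the gateway IP answering with an unexpected MAC, and one
#           MAC claiming more than one IP.
# Assumptions: gateway 192.168.1.254 with MAC 00:11:22:33:44:55, interface
# eth0, and the constructed SAMPLE_NEIGH table used for the demo.

IFACE=${IFACE:-eth0}
GW_IP=${GW_IP:-192.168.1.254}
GW_MAC=${GW_MAC:-00:11:22:33:44:55}

# Constructed "ip -4 neigh show" output: the host at .10 has poisoned the
# gateway entry with its own MAC; .12 never answered (no lladdr field).
SAMPLE_NEIGH='192.168.1.254 dev eth0 lladdr 00:0e:50:3e:7f:4f REACHABLE
192.168.1.10 dev eth0 lladdr 00:0e:50:3e:7f:4f STALE
192.168.1.11 dev eth0 lladdr 00:05:5d:93:5e:59 REACHABLE
192.168.1.12 dev eth0  FAILED'

# Static entry for the gateway; needs root.  The kernel keeps a permanent
# entry even when a spoofed reply for that IP arrives.
pin_gateway() {
    ip neigh replace "$GW_IP" lladdr "$GW_MAC" dev "$IFACE" nud permanent
}

# Read neighbour-table lines on stdin, print one ALERT line per anomaly,
# exit 1 if anything was found and 0 otherwise.
check_neigh() {
    awk -v gw_ip="$GW_IP" -v gw_mac="$GW_MAC" '
        {
            # locate the "lladdr MAC" pair; FAILED/INCOMPLETE entries carry none
            mac = ""
            for (i = 2; i < NF; i++) if ($i == "lladdr") mac = tolower($(i + 1))
            if (mac == "") next
            ip = $1
            if (ip == gw_ip && mac != gw_mac) {
                print "ALERT gateway " gw_ip " resolves to " mac ", expected " gw_mac
                bad = 1
            }
            if (mac in seen && seen[mac] != ip) {
                print "ALERT mac " mac " claims both " seen[mac] " and " ip
                bad = 1
            }
            seen[mac] = ip
        }
        END { exit bad ? 1 : 0 }'
}

case "${1:-}" in
    pin)   pin_gateway ;;
    check) ip -4 neigh show | check_neigh ;;   # live table on this host
    *)     # demo on the constructed table: prints two ALERT lines
           printf '%s\n' "$SAMPLE_NEIGH" | check_neigh || echo "anomalies found" ;;
esac
```

`pin` protects only the host it runs on, which is why it has to be done on every client (or pushed through whatever you manage them with); `check` is a detection step you would run from cron and feed into syslog. The duplicate-MAC test will also fire on a legitimately multi-homed host that answers for several IPs on one NIC, so whitelist those before trusting it unattended.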

Pronco:

!?

You do know browsing implies downloading?


- I'm a code junkie security enthusiast

Mohammed Ahmed:

I mean certain file types like .exe and .zip; the browsing won't be affected if I capped the download at 10 k, but the downloading will be affected. And I meant Squid restricts access to certain web sites.

Pronco:

Well

They will all be affected equally; they'll all slow down. But sure, you could do that in pure iptables.

Sure, if you want, or you can just reject requests to those IPs.


- I'm a code junkie security enthusiast
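Pronco's point is that a packet filter cannot tell a .zip from a page; the delay pools Conceptor suggested can, because Squid sees the URL. As an added example (not configuration posted in the thread), here is a small generator for the squid.conf fragment that caps .exe/.zip downloads per client at 10 KB/s while leaving other browsing unshaped. The LAN range, the extra extensions beyond .exe and .zip, and the 10 KB/s figure (taken from the question) are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code posted in it: generate the Squid
# delay-pool fragment that caps large-file downloads per client while leaving
# ordinary page browsing untouched.  Squid can do this because it sees the
# URL; a packet filter only sees addresses and ports.
# Assumptions: LAN 192.168.1.0/24, a 10 KB/s per-client cap (the thread's
# figure), and the extension list in EXTS (.exe and .zip are from the thread,
# the rest are assumptions).

RATE_KBPS=${RATE_KBPS:-10}           # per-client cap in kilobytes per second
EXTS=${EXTS:-"exe zip rar iso"}      # space-separated extensions to throttle
LAN_NET=${LAN_NET:-192.168.1.0/24}

# "exe zip" -> "exe|zip" for the url_regex alternation
ext_regex() {
    printf '%s' "$1" | tr ' ' '|'
}

# Print the squid.conf fragment.  delay_class 2 gives one aggregate bucket
# plus one bucket per client IP; -1/-1 leaves the aggregate unlimited and
# each client is refilled at (and may burst to) RATE_KBPS*1024 bytes/s.
squid_delay_conf() {
    bytes=$(( RATE_KBPS * 1024 ))
    cat <<EOF
acl lan src $LAN_NET
# matches URLs ending in one of the extensions, with or without a query string
acl bigfiles url_regex -i \\.($(ext_regex "$EXTS"))(\\?.*)?\$
delay_pools 1
delay_class 1 2
# only LAN clients fetching matching URLs enter the pool; everything else is unshaped
delay_access 1 allow lan bigfiles
delay_access 1 deny all
delay_parameters 1 -1/-1 $bytes/$bytes
EOF
}

squid_delay_conf
```

Paste the output into squid.conf and reload. Two things decide whether it actually bites: the clients must be forced through the proxy (transparent interception, or the router's FORWARD policy dropping direct port 80/21 so the proxy is the only way out), otherwise they simply bypass it; and it covers HTTP/FTP only, so a direct download over any other protocol still needs the tc-based cap. Older Squid 2.x builds need delay pools compiled in (`--enable-delay-pools`), and the `url_regex` test is by extension only, so a download served from a URL without one passes as browsing.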

DarKnesS_WolF:

I hope this will help.

Peace


Live Free Or Die...

Try IEEE 802.1X on your switches

Try IEEE 802.1X on your switches; it can add MAC and/or IP filters on the different switch ports based on a username and password combination on the PC itself, or even its own MAC address.

Green Data
