Some sites need only a few hosts on the internal network to reach the Internet, and they want those hosts' IP addresses to be usable only by the machines they were assigned to, not by anyone who simply configures the same address on another machine. On a Linux router this can be done as follows:
First, use ipchains or iptables so that only the legal IP addresses are allowed through the router. Then bind each legal IP address to its MAC address. To see why the binding helps, we first need to understand how the ARP protocol works. ARP is the abbreviation of Address Resolution Protocol; its role and operation are as follows.

At the link layer, two nodes that want to communicate must know each other's MAC address, not just the IP address. So that a remote node's MAC address can be found quickly, each local kernel keeps a lookup table called the ARP cache, which maps the IP addresses of remote hosts on the local network to their MAC addresses. The ARP cache is a data structure resident in memory, managed and maintained by the local kernel. By default it retains the IP address (and corresponding MAC address) of each node the local system has communicated with recently; entries that are not refreshed eventually expire.

When a remote host's MAC address is already present in the local ARP cache, translating that host's IP address to a MAC address is immediate. When it is not present, the local host obtains it as follows: it sends an ARP request as a broadcast frame to every node on the network, asking who holds the IP address in question. The node that owns that address (normally exactly one) answers with an ARP reply that carries its MAC address. On receiving the reply, the local node records the remote node's MAC address in its ARP cache. Note that the local host simply trusts whatever reply arrives: nothing in ARP proves that the answering node really owns the address, which is what makes IP spoofing on a LAN possible in the first place.
If we make the IP/MAC correspondence fixed, that is, create a static ARP entry on the Linux router for each legal IP address, then even if an illegal user configures a legal IP address on their own machine, the router will not ask for that address's MAC over ARP; it uses its static entry instead. The router's replies are therefore addressed to the legitimate host's MAC, the impostor never receives any response data, and the network is unusable to them. A static (permanent) entry is also not overwritten by ARP replies the router receives, so the impostor cannot poison the router's cache with a forged reply either. The one thing the binding does not stop is an attacker who clones both the IP address and the MAC address of a legal host, for instance while that host is switched off; it protects against IP-only spoofing.

To establish the static IP/MAC binding, create the file /etc/ethers containing the correct IP/MAC pairs, one per line, in this format:

192.168.2.32 08:00:4E:B0:24:47

Then add the following to /etc/rc.d/rc.local so the entries are reloaded at every boot (arp -f reads /etc/ethers by default):

arp -f

Because the ipchains/iptables rules restrict which IP addresses may pass and the static ARP entries fix which MAC address each of those IP addresses may have, this limits the IP address and the MAC address at the same time.
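A single typo in /etc/ethers silently leaves a host unbound, and arp -f gives little feedback, so it is worth checking the file before loading it. The script below is an added example, not part of the original article: it validates an /etc/ethers-style list (IPv4 address and six-byte MAC per line), prints the per-entry "arp -s" commands that arp -f would set up, and reports rejected lines. The sample file content is constructed for the example and deliberately contains two malformed lines.

```shell
#!/bin/sh
# Added example: validate an /etc/ethers-style IP/MAC binding list and
# show the static ARP commands a Linux router would set up from it.

# Constructed sample in /etc/ethers format ("<ipv4> <mac>" per line,
# '#' starts a comment).  The last two bindings are deliberately broken.
SAMPLE_ETHERS='# legal hosts on the internal LAN
192.168.2.32  08:00:4E:B0:24:47
192.168.2.33  08:00:4e:b0:24:48
192.168.2.34  08:00:4E:B0:24        # MAC too short: rejected
192.168.2.300 08:00:4E:B0:24:49     # octet out of range: rejected
'

# valid_ipv4 A.B.C.D  -> exit 0 iff four decimal octets, each 0..255
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1                      # split into the four octets
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# valid_mac XX:XX:XX:XX:XX:XX  -> exit 0 iff six colon-separated hex pairs
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# gen_static_arp <ethers-text>: print one "arp -s IP MAC" line per valid
# binding (the per-entry equivalent of "arp -f /etc/ethers"), report each
# rejected line on stderr, and return the number of rejected lines.
gen_static_arp() {
    rejected=0
    while read -r ip mac extra; do
        [ -n "$ip" ] || continue                # blank or comment-only line
        if valid_ipv4 "$ip" && valid_mac "$mac" && [ -z "$extra" ]; then
            printf 'arp -s %s %s\n' "$ip" "$mac"
        else
            printf 'rejected: %s %s %s\n' "$ip" "$mac" "$extra" >&2
            rejected=$((rejected + 1))
        fi
    done <<EOF
$(printf '%s\n' "$1" | sed 's/#.*//')
EOF
    return $rejected
}

# Usage: a non-zero return means the file must be fixed before arp -f
# is trusted to bind every legal host.
gen_static_arp "$SAMPLE_ETHERS" ||
    echo "some bindings were rejected; fix /etc/ethers before loading it" >&2
```

Running the script prints the two "arp -s" lines for the well-formed entries and two "rejected:" lines on stderr. On a current system the same permanent entries can be created with iproute2, for example "ip neigh replace 192.168.2.32 lladdr 08:00:4E:B0:24:47 dev eth0 nud permanent"; the ipchains/iptables rules that restrict forwarding to the legal IP addresses are the other half of the scheme and are not generated here.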