Client MAC address control under Linux

xiaoxiao, 2021-03-06

Linux is a stable and capable server operating system. Since the 2.4 kernel it has shipped with the Netfilter packet-filtering framework, which gives it packet-filtering capabilities strong enough that it is routinely used as a software router. Many small and medium-sized enterprises, for example, put a Linux software router between the internal network and the Internet; it is no worse than some proprietary systems, and it is easier to customize and extend. Once users go out through such a gateway, different users should have different permissions, so the gateway must identify who is sending each packet before it can apply any limit. The common identification methods are username/password, the user's IP address, and the physical address (MAC address) of the user's network card. Username/password authentication is the traditional method, but it is cumbersome to manage and to use: the client has to be configured, most office users cannot do that on their own, the password itself is poorly protected, and the net effect is more work for the network administrator without the authentication goal really being met. Identification by IP address needs no client configuration at all, but an IP address is trivially changed, so it cannot stop one user from taking over another user's address; on its own it is essentially insecure. That leaves the MAC address of the network card. Ordinary users do not change it, it is unique to the card, and it stays with the card rather than with the IP address, so it can identify the user without any client-side configuration; network changes such as expansion or renumbering that alter a client's IP address or username do not touch the MAC address. Identifying users by the client MAC address, so-called transparent authentication, is therefore a simple and effective choice (with the caveat, discussed at the end, that MAC addresses can be changed in software).
This article discusses MAC address transparent authentication when Linux is used as an Internet gateway that also runs a proxy service. There are three main ways to identify users by MAC address: the MAC matching module of iptables, the proxy server's own MAC address check, and static ARP tables.

MAC matching module using iptables

In the Linux 2.4 kernel the packet-filtering code was rewritten from the ground up, greatly improving both controllability and efficiency, and the user-space tool for controlling kernel packet filtering changed from ipchains to iptables. The standard iptables release includes a MAC address match module, loaded with iptables -m mac. Suppose a LAN reaches the Internet through a Linux gateway and user A, who is allowed Internet access, is assigned the IP address 192.168.1.25/32; the MAC address of A's network card is 00:02:01:50:BB:53. Every IP packet is carried in an Ethernet frame whose header contains the source MAC address of the card that sent it, so the gateway can check that field and refuse packets whose IP address has been taken over by someone else. (The source MAC is that of the last hop only, so the check is meaningful on the gateway interface to which the clients are directly attached; it says nothing useful about packets that arrive through another router.) In this example the gateway examines packets from 192.168.1.25/32 and verifies that their source MAC address is 00:02:01:50:BB:53. The rules belong in the FORWARD chain of the filter table, which every packet routed through the gateway traverses; the nat table is consulted only for the first packet of a connection and is meant for address translation, not filtering. The specific commands are as follows:

# Set the default policy of the FORWARD chain to DROP, so nothing is forwarded unless a rule allows it.

iptables -P FORWARD DROP

# Check the MAC address of packets claiming the source IP address 192.168.1.25/32. If it does not match the
# registered MAC address, the packet was not sent by A's network card, i.e. it comes from an illegal user,
# and it is discarded.

iptables -A FORWARD -s 192.168.1.25 -m mac ! --mac-source 00:02:01:50:BB:53 -j DROP

# Packets whose MAC address matched reach this rule and are allowed through.

iptables -A FORWARD -s 192.168.1.25 -j ACCEPT

Now even if an unauthorized user B sets his own IP address to 192.168.1.25 (a very common situation), his packets fail the MAC check at the gateway and he does not obtain user A's permissions. This achieves the purpose of identifying the user.

Use the proxy server's own MAC address check function

The proxy servers most commonly used on Linux are Squid and Socks5. Here Squid is used as the example of how to check the client MAC address. Squid's RPM packages are usually built without this feature, and such a build reports an unknown ACL type as soon as MAC matching is configured, so Squid has to be compiled from source. First download squid-2.x-src.tar.gz, unpack it with tar xvfz squid-2.x-src.tar.gz, change into the extracted directory and run ./configure with the options you need, adding --enable-arp-acl so that ACLs (Access Control Lists) of type arp, i.e. MAC address matches, become available. Then run make and make install. (Squid 3.2 and later build this feature with --enable-eui instead, and already define the all ACL, so the acl all line below must be omitted there.) After installation, edit squid.conf to match MAC addresses, as shown below:

# Define the ACL accept_group: the user whose MAC address is 00:02:01:50:BB:53.

acl accept_group arp 00:02:01:50:BB:53

# Define the ACL all, covering every source IP address (0.0.0.0/0), i.e. all users, for the final deny.

acl all src 0.0.0.0/0.0.0.0

# Allow the accept_group to use the proxy normally.

http_access allow accept_group

# Deny all other, unauthorized access.

http_access deny all

Start Squid with the cache directory configured correctly and, for a transparent proxy, with port redirection in place. When Squid receives a request, regardless of which IP address or host it comes from, it checks the client's MAC address and serves only requests whose MAC address is 00:02:01:50:BB:53. Again the user is identified with zero client configuration. On a Linux gateway that uses iptables and Squid as a transparent proxy, either iptables or Squid can be chosen to identify users. Note that Squid learns the MAC address from the gateway's own ARP cache, so the arp ACL works only for clients on the same Ethernet segment as the Squid host; requests relayed by another router carry that router's MAC address.
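Both the iptables rules in the previous section and the Squid ACL above cover a single user. With more than a handful of users the IP/MAC allow list should live in one file and both configurations be generated from it. The script below is an added example, not code from the original article: it assumes a hypothetical allow-list file allow.txt with one "<ip> <mac>" pair per line, that eth0 faces the LAN and eth1 the Internet, and the script name macctl.sh. It normalizes the MAC spelling (the article's own example contains spaces and mixed case), rejects malformed entries before anything reaches iptables, and emits the DROP/ACCEPT pair per user in the order that makes the check work.

```shell
#!/bin/sh
# Added example, not from the original article: generate the per-user IP/MAC
# anti-spoofing rules (iptables) and the matching Squid ACLs from one allow list.
# Assumptions: allow.txt holds one "<ip> <mac>" pair per line ('#' starts a
# comment); eth0 is the LAN-facing interface and eth1 faces the Internet.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# Canonical MAC form: no embedded whitespace, upper-case hex, so that
# "00: 02: 01: 50: bb: 53" becomes 00:02:01:50:BB:53.
norm_mac() { printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'; }

# Exactly six colon-separated hex pairs; anything else is rejected early.
valid_mac() { printf '%s\n' "$1" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$'; }

# gen_iptables FILE: print (do not run) the FORWARD-chain rules.  The mac match
# only sees the source MAC of the frame on the interface the packet arrived on,
# so every rule is bound to the LAN interface with -i.
gen_iptables() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    while read -r ip mac; do
        case "$ip" in ''|'#'*) continue ;; esac
        mac=$(norm_mac "$mac")
        if ! valid_mac "$mac"; then
            echo "gen_iptables: bad MAC for $ip: '$mac'" >&2
            return 1
        fi
        # Order matters: drop the spoofed claim first, then admit the genuine card.
        echo "iptables -A FORWARD -i $LAN_IF -s $ip -m mac ! --mac-source $mac -j DROP"
        echo "iptables -A FORWARD -i $LAN_IF -s $ip -j ACCEPT"
    done < "$1"
}

# gen_squid FILE: the equivalent squid.conf fragment (Squid built with
# --enable-arp-acl; the arp ACL resolves only clients on the gateway's own LAN).
gen_squid() {
    while read -r ip mac; do
        case "$ip" in ''|'#'*) continue ;; esac
        mac=$(norm_mac "$mac")
        valid_mac "$mac" || return 1
        echo "acl accept_group arp $mac"
    done < "$1"
    echo "acl all src 0.0.0.0/0.0.0.0"
    echo "http_access allow accept_group"
    echo "http_access deny all"
}

# sh macctl.sh allow.txt        -> iptables commands, for review or "| sh" (as root)
# sh macctl.sh allow.txt squid  -> squid.conf fragment
if [ "$#" -gt 1 ] && [ "$2" = "squid" ]; then
    gen_squid "$1"
elif [ "$#" -gt 0 ]; then
    gen_iptables "$1"
fi
```

Review the printed rules before piping them into sh: the policy line alone cuts off every host that is not in the list, which is the intended behaviour but easy to forget on a gateway that also carries servers or printers.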

Control with static ARP tables

ARP (Address Resolution Protocol) is the low-level protocol that maps IP addresses to physical (hardware) addresses. On an Ethernet, every access to an IP address ultimately becomes an access to a network card's MAC address. Imagine that host A's ARP table maps host B's IP address to the wrong MAC address: the packets A sends to B go to that wrong MAC address, never reach B, and A cannot communicate with B at all. On Linux the arp command controls this IP-to-MAC conversion, so it too can be used to tie a user's IP address to a MAC address. Let's look at how the arp command is used. Entering arp on its own lists all current ARP cache entries, similar to this:

Address          HWtype  HWaddress          Flags Mask  Iface
www.myhome.net   ether   00:06:29:57:16:F5  C           eth0
218.200.80.177   ether   00:01:30:F4:32:40  C           eth1
ntc9.myhome.net  ether   00:02:1E:F1:92:C2  C           eth0
192.168.1.25     ether   00:02:1E:F1:92:C2  C           eth0

This shows the IP-to-MAC mappings the system currently holds, the hardware type (HWtype) and the interface (Iface) used to reach each address. Notice that in this listing 192.168.1.25 resolves to the same MAC address as ntc9.myhome.net, i.e. to a card other than user A's: exactly the kind of address takeover we want to stop. These entries are generated dynamically and normally need no manual intervention; manual intervention is precisely what we want here. The other feature of the arp command we need is the ability to set this mapping by hand: arp -s sets one permanent entry, and arp -f reads entries from a text file, by default /etc/ethers. Running arp -f therefore loads the entries in /etc/ethers into the ARP cache as permanent entries, overriding whatever the cache currently holds for those addresses. (arp(8) documents the file as "hostname hardware-address" lines, as used below, while ethers(5) describes the reverse order; check both manual pages on your system before relying on the file.) Assume /etc/ethers contains:

192.168.1.25 00: 02: 01: 50: BB: 53

Then execute the command arp -f. Looking at the system ARP table again, we find that the MAC address corresponding to 192.168.1.25 has been replaced by the new one (the M flag marks the entry as permanent):

Address          HWtype  HWaddress          Flags Mask  Iface
www.myhome.net   ether   00:06:29:57:16:F5  C           eth0
218.200.80.177   ether   00:01:30:F4:32:40  C           eth1
ntc9.myhome.net  ether   00:02:1E:F1:92:C2  C           eth0
192.168.1.25     ether   00:02:01:50:BB:53  CM          eth0

From now on, frames the gateway sends to 192.168.1.25 carry the destination MAC address 00:02:01:50:BB:53 instead of the original 00:02:1E:F1:92:C2. If the network card at 192.168.1.25 does not have the MAC address 00:02:01:50:BB:53, the gateway's packets never reach it and the two cannot communicate, which again identifies the illegal user. Be clear about what this method does and does not do: a static entry only controls where the gateway sends its own frames. Packets from an impostor using 192.168.1.25 still arrive at the gateway and are processed, so the impostor can send but receives no answers; to stop his packets at the door, combine this with the iptables MAC check described above.

MAC address control is of course not limited to the gateway; the port management functions of a switch can also identify users. A switch forwards each frame directly to the port where the destination MAC address lives, so it must keep a table of the MAC addresses attached to every port, and restricting which MAC addresses may be used on each port is entirely feasible. Most mid- to high-end switches, such as the 3Com SuperStack series, offer this function; the details depend on the switch model and are not covered here.

Finally, a reminder that MAC address control is not absolutely safe. Just as there is no unbreakable password, security is always relative to a particular environment. Many network cards now allow the MAC address to be changed in software, and both Linux and Windows have ways of changing this "physical" address. Still, the approach is stable, dispenses with cumbersome client settings, is completely transparent to the user and is easy to operate, so it is secure to a certain extent.
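Static entries only help if somebody notices when the cache disagrees with the allow list, and the listing earlier in this section (192.168.1.25 answered by 00:02:1E:F1:92:C2 rather than user A's card) is exactly such a disagreement. The script below is an added example, not part of the original article: it compares arp -n output against an /etc/ethers-style file, reports every controlled IP address whose MAC address differs from the registered one, and prints the arp -s commands that pin the registered pairs. The ARP listing and allow list embedded in it are constructed for the demo; the "<ip> <mac>" field order follows the article and arp(8), which is an assumption to verify against ethers(5) on your system, and the script name arpaudit.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article: audit the gateway's ARP cache
# against a static IP->MAC allow list and print the commands that pin it.
# Assumptions: the list uses "<ip> <mac>" lines as in the article (arp(8) order;
# ethers(5) documents the reverse, so verify on your system); the cache text is
# in `arp -n` layout.  Both samples below are constructed for the demo.
SAMPLE_ETHERS='# constructed: registered card per controlled IP address
192.168.1.25 00:02:01:50:BB:53
192.168.1.26 00:02:1E:F1:92:C2'

SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.25             ether   00:02:1e:f1:92:c2   C                     eth0
192.168.1.26             ether   00:02:1E:F1:92:C2   C                     eth0
192.168.1.30                     (incomplete)                              eth0
218.200.80.177           ether   00:01:30:F4:32:40   C                     eth1'

# Canonical MAC form: no embedded whitespace, upper-case hex.
norm_mac() { printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'; }

# expected_mac FILE IP: the registered MAC for IP, empty if IP is not controlled.
expected_mac() {
    awk -v ip="$2" '$1 == ip { $1 = ""; print; exit }' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# audit_arp FILE < arp-n-output: one line per controlled address present in the
# cache, "OK <ip> <mac>" or "SPOOF <ip> seen-from <mac> expected <mac>".
# Uncontrolled addresses and incomplete entries are ignored.
audit_arp() {
    ethers="$1"
    awk 'NR > 1 && $2 == "ether" { print $1, $3 }' | while read -r ip mac; do
        want=$(expected_mac "$ethers" "$ip")
        if [ -n "$want" ]; then
            have=$(norm_mac "$mac")
            if [ "$have" = "$want" ]; then
                echo "OK $ip $have"
            else
                # The IP address is being answered by a card other than the registered one.
                echo "SPOOF $ip seen-from $have expected $want"
            fi
        fi
    done
}

# pin_cmds FILE IFACE: arp -s commands that make the list permanent entries in
# the cache (arp -f FILE does the same in one step).  A permanent entry only
# steers the gateway's own frames; pair it with the iptables MAC check so that
# the impostor's packets are dropped on arrival as well.
pin_cmds() {
    while read -r ip mac; do
        case "$ip" in ''|'#'*) continue ;; esac
        echo "arp -i $2 -s $ip $(norm_mac "$mac")"
    done < "$1"
}

# With an argument: audit live data, e.g.  arp -n | sh arpaudit.sh /etc/ethers
# Without an argument: run the audit and print the pin commands for the samples.
if [ "$#" -gt 0 ]; then
    audit_arp "$1"
else
    demo=$(mktemp)
    printf '%s\n' "$SAMPLE_ETHERS" > "$demo"
    printf '%s\n' "$SAMPLE_ARP" | audit_arp "$demo"
    pin_cmds "$demo" eth0
    rm -f "$demo"
fi
```

Run it from cron against the live cache and alert on any SPOOF line; a registered card that is simply switched off produces no cache entry at all and therefore no report, so absence of output is not proof that nobody is using the address.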

Http://www.youren.com/Article/compute/software/linux/200503/2623.html

Please cite the original source when reposting: https://www.9cbs.com/read-47194.html
