Banning illegal IP addresses on a Linux system. Authors: Li Rui Zhi Yang Peng. Published: 2004.10.15
Not long ago a friend wanted to bind every IP address at his LAN's Internet exit to a MAC address so that unauthorised users could not get online. The LAN uses Linux for Internet access and management. It spans several buildings, each connected by switches to the common Internet exit. The network uses the subnet 10.0.0.x to 10.0.3.x / 255.255.252.0, a total capacity of 1016 addresses (254 × 4). There are currently about 400 legitimate Internet users, and that number may go up or down at any time. Under Linux, the goal is to control a single IP address or a range of IP addresses by binding IP to MAC, which can be done with the ARP facility the system provides.

Concept. Having decided on ARP binding, the next question is how to implement it. ARP (Address Resolution Protocol) is how a computer or network device tells its peers which MAC address corresponds to its IP address. If every IP address an unauthorised user could take is bound on the gateway to a wrong MAC address, frames the gateway sends to that IP are addressed to the wrong MAC and the user cannot reach the server. ARP binding therefore requires binding every possible IP address in the subnet to a MAC address, which shuts out unauthorised users (unless, of course, the user changes his MAC address). After some thought I settled on the following plan. First, use a loop in the Linux shell to generate a table that matches every address from 10.0.0.1 to 10.0.3.254 with an invalid MAC address; call it the global table. Then, from the DHCP server's data, build a table of the IP and MAC addresses of the legitimate users; call it the legal table. Next, read each user's IP from the legal table and look up the matching IP in the global table; when it is found, replace the invalid MAC address with that user's real MAC address. In the end the global table matches each legitimate user to the correct MAC address and every other address to the invalid MAC address.
As long as this table is loaded into the system ARP cache, an unauthorised user cannot get through the gateway simply by stealing an IP address.

Implementation. First, the global table. It contains every IP address, each matched with an invalid MAC address, and its format must be one the arp command can read. The script that initialises the global table is called init; its content is as follows:
#!/bin/bash
ipprefix=10.0.
count1=0
# third octet 0..3: the four /24 networks of 10.0.0.0/22
while (( $count1 < 4 ))
do
  count2=1
  # host part 1..254
  while (( $count2 < 255 ))
  do
    echo "$ipprefix$count1.$count2 00e000000001"
    let count2+=1
  done
  let count1+=1
done
Save the file and make the script executable with the command chmod +x init. Then run it as ./init > arp to save its output to a file named arp in the current directory. This file is an ARP table that binds every IP address from 10.0.0.1 to 10.0.3.254 to the MAC address 00e000000001, and it looks like this:
10.0.0.1 00e000000001
10.0.0.2 00e000000001
10.0.0.3 00e000000001
10.0.0.4 00e000000001
10.0.0.5 00e000000001
...
Note that shell script syntax resembles C, but the formatting rules are very strict: in some places there must be no space and in others a space is required. For example, let count1+=1 must not be written as let count1 += 1 (no spaces around the operator), and while (( $count1 < 4 )) must not be written as while ( $count1 < 4 ): the parentheses are doubled, and there must be spaces between the brackets and the expression. Next, the IP matching table of the legitimate users (the legal table) is obtained from the DHCP server; assume it is the file valid.arp. We then write a script that reads this table one line at a time, takes the IP address of each record, and looks for the same IP in the arp file created above. When it is found, the MAC address of that IP in the arp file is replaced with the MAC address for that IP in valid.arp. A valid.arp file may look like this:
10.0.0.2 00e00A0F1D2C
...
10.0.1.25 00E0B2C3D5C1
...
The replacement script is called replace; its content is as follows:
#!/bin/bash
# Define and initialise three variables: the legal user table, the global table,
# and a temporary file used for the exchange
validarp=valid.arp
globalarp=arp
tmparp=tmp.arp
count=1
# 371 is the total number of legitimate users, i.e. the number of records in
# valid.arp, plus 1
while (( $count < 371 ))
do
  # sed -n '${count}p' $validarp prints record number $count of valid.arp;
  # for example, when $count = 1 the command prints: 10.0.0.2 00e00A0F1D2C
  # eval $getvalid executes the command held in $getvalid and the result is
  # assigned to $currec
  getvalid="sed -n '${count}p' $validarp"
  currec=$(eval $getvalid)
  # echo $currec | awk '{print $1}' prints the first field of $currec, i.e. the
  # IP address, which we then assign to $curip (the \$ keeps the shell from
  # expanding awk's $1 when the string is built)
  getip="echo $currec | awk '{print \$1}'"
  curip=$(eval $getip)
  # We now have the legitimate user's IP and its IP/MAC pair; the next step is
  # the critical one. The two sed expressions find the global-table entry
  # matching that IP, append the legitimate user's IP/MAC pair after it, and
  # then delete the old invalid IP/MAC pair; the result is written to the new
  # file tmp.arp. \> anchors the match at the end of the IP so that 10.0.0.2
  # does not also match 10.0.0.25.
  replace="sed -e '/$curip\>/a $currec' -e '/$curip\>/d' $globalarp > $tmparp"
  eval $replace
  # Overwrite the global table with the new file and add 1 to the counter for
  # the next pass through the loop
  cp -f $tmparp $globalarp
  let count+=1
done
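The same procedure (build the global table, merge the legal table into it, load the result) written as an added example; this is not the article's script. It matches on the whole IP field with awk instead of a sed regular expression, so the dots in an address are not wildcards and no record count has to be hard-coded, and it checks the merged table before the old global table is overwritten. The function names gen_global_table, merge_tables and check_table, the demo argument and the scratch directory are assumptions of this example; the two sample users are the ones shown in the article's valid.arp excerpt. Plain POSIX sh is used so it runs under either sh or bash.

```shell
#!/bin/sh
# Added example, not part of the original article: build the global table and
# merge the legal-user table into it in one awk pass, matching on the exact IP
# field, then sanity-check the merged table before it is loaded with arp -f.

# Print "IP MAC" for every host .1 to .254 in $2 consecutive /24 networks under
# prefix $1, all bound to the placeholder MAC $3 (e.g. 00e000000001).
gen_global_table() {
    prefix=$1; nets=$2; badmac=$3
    net=0
    while [ "$net" -lt "$nets" ]; do
        host=1
        while [ "$host" -lt 255 ]; do
            echo "$prefix$net.$host $badmac"
            host=$((host + 1))
        done
        net=$((net + 1))
    done
}

# Merge legal table $1 (IP MAC, from the DHCP server) into global table $2 and
# print the result. awk reads the legal table first into an array keyed by the
# exact IP string, so 10.0.0.2 cannot match 10.0.0.25 the way an unanchored sed
# pattern can. FILENAME == ARGV[1] (rather than NR == FNR) stays correct even
# when the legal table is empty.
merge_tables() {
    awk 'FILENAME == ARGV[1] { mac[$1] = $2; next }
         ($1 in mac)         { print $1, mac[$1]; next }
                             { print }' "$1" "$2"
}

# Return 0 only if merged table $1 has no duplicate IP and contains every
# IP/MAC pair of legal table $2 verbatim; otherwise return 1.
check_table() {
    awk '{ if (seen[$1]++) dup = 1 } END { exit (dup ? 1 : 0) }' "$1" || return 1
    awk 'FILENAME == ARGV[1] { key = $1 " " $2
                               if (!(key in want)) n++
                               want[key] = 1; next }
         (($1 " " $2) in want) { delete want[$1 " " $2]; found++ }
         END { exit (found == n ? 0 : 1) }' "$2" "$1"
}

# Stand-alone run on constructed data (two users) in a scratch directory:
#   sh thisscript.sh demo
if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d)
    printf '10.0.0.2 00e00A0F1D2C\n10.0.1.25 00E0B2C3D5C1\n' > "$dir/valid.arp"
    gen_global_table 10.0. 4 00e000000001 > "$dir/arp"
    merge_tables "$dir/valid.arp" "$dir/arp" > "$dir/tmp.arp"
    if check_table "$dir/tmp.arp" "$dir/valid.arp"; then
        cp -f "$dir/tmp.arp" "$dir/arp"
        echo "table ready: $dir/arp (load with: arp -f $dir/arp)"
    else
        echo "merged table failed checks, not replacing $dir/arp" >&2
        exit 1
    fi
fi
```

Because the check runs before cp -f, a merge that drops a user or produces two entries for one IP never replaces the working global table; the file that passes is loaded into the ARP cache exactly as the article describes, and the 1016-line table can be regenerated from the DHCP data at any time when users are added or removed.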