http://www.net130.com Author: Yang Peng
Not long ago, a friend wanted to bind every Internet-access host on his LAN to an IP and MAC address pair, to stop unauthorized users from getting onto the Internet. The LAN uses Linux for Internet access and management. The whole network covers several buildings, which are connected by switches to the single Internet exit. The network uses the subnet 10.0.0.x to 10.0.3.x / 255.255.252.0, with a total capacity of 1016 addresses (254 × 4). There are currently about 400 legitimate Internet users, and the number may go up or down at any time. Under Linux, binding an IP address to a MAC address in order to manage and control a single IP address or an IP address range can be done with the ARP facility the system provides.
Design
Having decided on ARP binding, the next question is how to implement it. The ARP (Address Resolution Protocol) protocol is how a computer or network device tells the other side which MAC address corresponds to its IP address. If every unauthorized user's IP is bound to a wrong MAC address, those users cannot reach this server. ARP binding therefore requires that every possible IP address be bound to a MAC address, so that unauthorized users are shut out (unless, of course, the user changes their MAC address).
After some thought I settled on the initial design. First, use a loop in the Linux shell to generate a table that matches every address from 10.0.0.1 to 10.0.3.254 with an invalid MAC address; call this the global table. Then, from the DHCP server's data, build a table of the legitimate users' IP and MAC addresses; call this the legal table. Next, read each user's IP from the legal table and look up the matching IP in the global table; when it is found, replace the original invalid MAC address with the legitimate user's MAC address. In the end, every legitimate user in the global table is matched with the correct MAC address, and every other address is matched with the invalid MAC address. Once this table is written into the system's ARP cache, an unauthorized user cannot get through the gateway simply by stealing an IP address.
Implementation
First, generate the initial global table. It contains every IP address, each matched with an invalid MAC address, and its format must be one the arp command recognizes. The script that initializes the global table is called init; its content is as follows:
#!/bin/bash
ipprefix=10.0.
count1=0
while (( $count1 < 4 ))
do
  count2=1
  while (( $count2 < 255 ))
  do
    # one "IP MAC" pair per line, every IP bound to the invalid MAC
    echo "$ipprefix$count1.$count2 00e000000001"
    let count2=count2+1
  done
  let count1=count1+1
done
Save the script and make it executable with "chmod +x init". Then run ./init > arp to save the output into a file named arp in the current directory. This file is the ARP table binding every IP address from 10.0.0.1 to 10.0.3.254 to the MAC address 00e000000001, and it looks like this:
10.0.0.1 00e000000001
10.0.0.2 00e000000001
...
Note that shell script syntax resembles C, but the format is very strict: in some places no space is allowed, and in others a space is required. For example, let count1=count1+1 cannot be written as let count1 = count1+1; conversely, while (( $count1 < 4 )) cannot be written as while ($count1 < 4), and there must be a space between the keyword and the brackets. Next, get the IP matching table of legitimate users (the legal table) from the DHCP server; assume it is the file valid.arp. Write a script that reads this table line by line, takes the IP address of each record and looks for the same IP in the arp file generated earlier. When it is found, the MAC address of that IP in the arp file is replaced with the MAC address from valid.arp. The valid.arp file may look like this:
10.0.0.2 00E00A0F1D2C
...
10.0.1.25 00E0B2C3D5C1
...
The replacement script, replace, has the following content:
#!/bin/bash
# Define and initialize three variables: the legal user table, the global table and a temporary exchange table
validarp=valid.arp
globalarp=arp
tmparp=tmp.arp

count=1
# 371 is the total number of legitimate users, that is, the number of lines in valid.arp, plus 1
while (( $count < 371 ))
do
  # The command "sed -n '"$count"p' $validarp" prints record number $count;
  # for example, when $count=1 it prints: 10.0.0.2 00E00A0F1D2C
  # eval $getvalid executes the statement held in $getvalid and assigns the result to $currec
  getvalid="sed -n '"$count"p' $validarp"
  currec=`eval $getvalid`
  # echo $currec | awk '{print $1}' prints the first field of $currec, i.e. the IP address,
  # which is then assigned to $curip
  getip="echo $currec | awk '{print \$1}'"
  curip=`eval $getip`
  # Now we have the legitimate user's IP and MAC address pair; the next step is the critical one.
  # The two sed expressions below find the line in the global table matching this IP,
  # append the legitimate user's IP and MAC pair after it, then delete the old invalid pair,
  # and write the result to the new file tmp.arp. The pattern is anchored with ^ and a trailing
  # space so that 10.0.0.2 matches only its own line, not 10.0.0.20, 10.0.0.21 and so on.
  replace="sed -e '/^$curip /a $currec' -e '/^$curip /d' $globalarp > $tmparp"
  eval $replace
  # Overwrite the global table with the new file and add 1 to the counter for the next loop
  cp -f $tmparp $globalarp
  let count=count+1
done
Two things in this script need attention. First, every statement containing the eval command is enclosed in backquotes (the key usually located above Tab), so that the variable receives the result of executing the statement rather than the statement text itself. Second, where a variable is immediately followed by other letters, enclose the variable in double quotes, otherwise the variable name is read wrongly, as in the following statement:
getvalid="sed -n '"$count"p' $validarp"    If $count were not wrapped in double quotes, the shell would take the variable to be $countp rather than $count.
After running replace, look at the arp file again: for every IP and MAC address pair present in valid.arp, the initial MAC address has been replaced with the correct one.
Finally, copy the resulting arp file to /etc/ethers and run "arp -f" at system startup, and the IP and MAC addresses are bound.
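The same generate-and-merge procedure, written as an added example rather than the article's own scripts: one awk pass builds the global table and a second merges the legal table into it, keyed on the exact IP string (so 10.0.0.2 can never touch 10.0.0.20) and reporting any legal entry whose IP lies outside the global table instead of silently appending it. It assumes the article's "IP MAC" line format; file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate the global table and
# merge the legal table into it with awk instead of one sed run per user.
# Table format is the article's "IP MAC" pair per line; file names are assumptions.

INVALID_MAC=00e000000001   # placeholder MAC bound to every IP without a legal user

# gen_global: print 10.0.0.1 .. 10.0.3.254, each paired with the invalid MAC.
gen_global() {
    awk -v mac="$INVALID_MAC" 'BEGIN {
        for (c1 = 0; c1 < 4; c1++)
            for (c2 = 1; c2 < 255; c2++)
                printf "10.0.%d.%d %s\n", c1, c2, mac
    }'
}

# merge_tables GLOBAL VALID: copy GLOBAL to stdout, swapping in the MAC from VALID
# for every IP that VALID lists. The lookup is an exact string match on the IP
# field, not a regex, so 10.0.0.2 and 10.0.0.20 are distinct keys. Entries in
# VALID whose IP is outside the global table are reported on stderr and dropped.
merge_tables() {
    awk 'FILENAME == ARGV[1] { legal[$1] = $2; next }
         $1 in legal { print $1, legal[$1]; seen[$1] = 1; next }
         { print }
         END {
             for (ip in legal)
                 if (!(ip in seen))
                     print "warning: " ip " is not in the global table" > "/dev/stderr"
         }' "$2" "$1"
}

# Full run (produces the arp file the article then loads with "arp -f"):
#   gen_global > arp
#   merge_tables arp valid.arp > tmp.arp && cp -f tmp.arp arp
```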
Summary
It is not hard to see that Linux inherits UNIX's fine tradition of powerful and complete system management tools. Once a user masters some common commands and tools, system management efficiency rises greatly and the workload falls. Learning and mastering these methods is something every competent Linux system administrator should do.