On Thu, 2004-01-29 at 10:27, Szemerédy Gábor wrote:
> Hello list members!
> We have a server with its public IP address and there is also a subnet with
> local addresses (192.168.0.x) on it.
> We would like to limit the access from certain IP address so that it can be
> established only if the request comes from the same workstation.
> Something like capturing the workstation's MAC address to its IP address,
> so that the user can browse the internet only if the MAC address of the
> workstation and the IP address are equal to the predefined values.
> We do traffic accounting by IP address and would like to prevent using
> the account of another workstation by changing the IP address.
> (In current situation one can browse the internet with certain IP address
> and then change the IP address and use the account of another person).
> Is there any solution?

You might be able to combine the source IP address and MAC matching rules using iptables, something like:

    iptables -A FORWARD -s 10.0.0.5 -m mac --mac-source 00:AA:BB:CC:DD:EE -j ACCEPT

(not tested)

It would mean a separate rule for each host on the local side of the firewall, that would need editing each time the NIC or client computer is changed.

Proxy ARP and/or bridging may also provide a solution (try http://lartc.org/howto/lartc.bridging.proxy-arp.html).

Alternatively, use DHCP and eliminate root/administrator access by the users (per Alexander).

Bob...
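
The per-host rule approach from the reply above, as an added example that is not part of the original message: a script that turns a table of IP/MAC pairs into one rule per host plus a final drop for any other pairing. The chain name `IPMAC` and the host table are assumptions made for illustration, the subnet is the one from the question, and the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: emit iptables commands that bind each LAN IP to one MAC.
# Chain name and host table are assumptions; the subnet is from the question.
LAN_NET="192.168.0.0/24"
CHAIN="IPMAC"

# Constructed sample table: one "IP MAC" pair per line, '#' starts a comment.
sample_hosts() {
cat <<'EOF'
# ip            mac
192.168.0.10    00:AA:BB:CC:DD:01
192.168.0.11    00:aa:bb:cc:dd:02
192.168.0.300   00:AA:BB:CC:DD:03
192.168.0.12    00:AA:BB:CC:DD
EOF
}

valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into four octets
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Read "IP MAC" pairs on stdin; print rules on stdout, rejects on stderr.
gen_rules() {
    echo "iptables -N $CHAIN"
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if valid_ip "$ip" && valid_mac "$mac" && [ -z "$rest" ]; then
            mac=$(echo "$mac" | tr 'a-f' 'A-F')
            echo "iptables -A $CHAIN -s $ip -m mac --mac-source $mac -j ACCEPT"
        else
            echo "skipped invalid entry: $ip $mac" >&2
        fi
    done
    # LAN sources whose IP/MAC pair matched no rule above are dropped.
    echo "iptables -A $CHAIN -j DROP"
    # Send every forwarded packet with a LAN source through the chain first.
    echo "iptables -I FORWARD 1 -s $LAN_NET -j $CHAIN"
}

sample_hosts | gen_rules
```

The `mac` match only sees the source address of the incoming Ethernet frame, so it works only for hosts on a segment directly attached to the firewall.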