Koozali.org: home of the SME Server

Filter with MAC Address is it possible on smeserver

Daniel B.
Re: Filter with MAC Address is it possible on smeserver
« Reply #15 on: March 14, 2017, 08:41:53 AM »
Using iptables/ebtables is better than just playing with DHCP, as it prevents simple static IP assignment. But if you really want something serious, then you need to deploy 802.1X auth everywhere. And this is out of scope for SME, as it's mainly configured at the switch layer. SME should be able to act as a RADIUS server for those, though.
It's the end of the world!!! :lol:

Stefano
Re: Filter with MAC Address is it possible on smeserver
« Reply #16 on: March 14, 2017, 10:38:05 AM »
Thank you Dani for your explanation.

So, just using SME we'd:
- add a key to enable just reserved IPs (it will comment out the "range" line as explained above)
- add a fragment to the masq template to permit traffic just from known MAC addresses (we have them listed in the hosts db)

Something like:
# Create the DHCP_clients chain in the 'raw' table
iptables -t raw -N DHCP_clients

# Incoming DHCP, pass to chain processing DHCP
iptables -t raw -A PREROUTING -p udp --dport 67 -j DHCP_clients

# Allowed DHCP clients
iptables -t raw -A DHCP_clients -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
iptables -t raw -A DHCP_clients -m mac --mac-source 00:11:22:33:44:56 -j ACCEPT
iptables -t raw -A DHCP_clients -m mac --mac-source 00:11:22:33:44:57 -j ACCEPT

# Deny other clients not listed above
iptables -t raw -A DHCP_clients -j DROP
(found on http://serverfault.com/questions/302445/how-do-i-mac-filter-with-dhcp-server)

Daniel B.
Re: Filter with MAC Address is it possible on smeserver
« Reply #17 on: March 14, 2017, 10:49:42 AM »
Quote from: Stefano
So, just using SME we'd:
- add a key to enable just reserved IPs (it will comment out the "range" line as explained above)
- add a fragment to the masq template to permit traffic just from known MAC addresses (we have them listed in the hosts db)

No need to do both: if we filter by MAC address, it doesn't matter if clients get an IP from the dynamic pool. As for the custom template, yes, something like this (but it needs to be tested and inserted correctly in the masq templates).

It's the end of the world!!! :lol:
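The thread stops at "something like this, but it needs testing". Below is an added example, not code from the thread or from SME Server, of what a MAC allow-list on the LAN side would look like when it is generated from a list of known addresses rather than typed by hand. Unlike the serverfault snippet above, which only gates DHCP, it hooks a chain into INPUT and FORWARD for the internal interface, so a client with a static address is blocked as well (which is Daniel's point that the DHCP reservation step becomes unnecessary). Allowed addresses RETURN to the normal rule set instead of ACCEPTing outright, so the rest of the firewall still applies to them. The MAC list, the interface name eth0 and the chain name MAC_allow are constructed assumptions; on SME Server the list would be read from the hosts db inside a masq template fragment. The script prints the iptables commands instead of running them so it can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread or SME Server: build an iptables MAC
# allow-list for the internal interface from a list of known addresses.
# Constructed sample list: one MAC per line, '#' comments allowed, colon
# or dash separated, any case.
MAC_LIST='
# printer
00:11:22:33:44:55
00:11:22:33:44:56
AA-BB-CC-DD-EE-FF   # normalised to lower case, colon separated
'

LAN_IF="${LAN_IF:-eth0}"         # assumption: internal interface name
CHAIN="${CHAIN:-MAC_allow}"      # assumption: chain name

# Print $1 normalised (lower case, colon separated) and return 0 if it is a
# syntactically valid MAC address; return 1 otherwise.
normalize_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr '-' ':')
    case "$m" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$m"; return 0 ;;
        *)
            return 1 ;;
    esac
}

# Emit (not execute) the iptables commands for the allow-list held in $1.
# Every entry is validated first: a malformed MAC aborts with status 1 so a
# typo cannot silently turn into an open or half-built rule set.
build_mac_rules() {
    list="$1"
    printf 'iptables -N %s\n' "$CHAIN"
    printf 'iptables -F %s\n' "$CHAIN"
    # Jump to the chain for all traffic arriving on the LAN, whether it is
    # addressed to the server (INPUT) or routed through it (FORWARD).
    printf 'iptables -I INPUT 1 -i %s -j %s\n' "$LAN_IF" "$CHAIN"
    printf 'iptables -I FORWARD 1 -i %s -j %s\n' "$LAN_IF" "$CHAIN"
    # Known MACs RETURN to the calling chain so the normal rules still apply.
    while read -r raw; do
        [ -z "$raw" ] && continue
        mac=$(normalize_mac "$raw") || { echo "invalid MAC: $raw" >&2; return 1; }
        printf 'iptables -A %s -m mac --mac-source %s -j RETURN\n' "$CHAIN" "$mac"
    done <<EOF
$(printf '%s\n' "$list" | sed 's/#.*//')
EOF
    # Everything else from the LAN is dropped; rate-limited log first so a
    # lockout of a legitimate device is visible in the logs.
    printf 'iptables -A %s -m limit --limit 5/min -j LOG --log-prefix "MAC_deny: "\n' "$CHAIN"
    printf 'iptables -A %s -j DROP\n' "$CHAIN"
}

# Usage: review the output, then pipe it to sh from a console session, not
# over the network, since a mistake in the list cuts off the LAN.
if [ "${1:-}" = "--print" ]; then
    build_mac_rules "$MAC_LIST"
fi
```

Two caveats belong next to this. First, a MAC address is trivially spoofed by anyone who can see one allowed device's address, so this is hygiene against casual unknown devices, not authentication; that is exactly why Daniel points at 802.1X for anything serious. Second, because the chain sits in front of INPUT, DHCP DISCOVER frames from unknown MACs are dropped too, so unknown clients never get a lease in the first place and no separate DHCP-only chain is needed.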