(?) Hey MAC, sign in before you login

Allowing only known ethernet cards to use the NAT

From Carl Pender

Answered By Yann Vernier, Faber Fedor, Jay R. Ashworth, Ben Okopnik, Thomas Adam, Heather Stern

Hi, I have a Suse7.3 Linux PC acting as a gateway with an Apache server running. I have a web site set up and what I want to do is allow only certain MAC addresses onto the network as I choose. I have a script that adds certain MAC addresses onto the network which works perfectly if I type the MAC address in manually but I need to automate it. I'll nearly there I think but I need a little help.
Here's the question I asked someone on www.allexperts.com but unfortunately the person could [not] help me. Would you mind having a quick look at it and if anything jumps to your mind you might let me know.
Here goes.... I have a acript that matches an IP address with it's respective MAC address via the 'arp' command. The script is as follows:
#!/bin/bash

sudo arp > /usr/local/apache/logs/users.txt

sudo awk '{if ($1 =="157.190.66.1" print $3}'
/usr/local/apache/logs/users.txt |
/usr/local/apache/cgi-bin/add
Here is a typical output from the arp command:
Address HWtype HWaddress Flags Mask Iface
157.190.66.13 ether 00:10:5A:B0:30:ED C eth0
157.190.66.218 ether 00:10:5A:5B:6A:11 C eth0
157.190.66.1 ether 00:60:5C:2F:5E:00 C eth0
As you can see I send this to a text file from which I capture the MAC address for the respective IP address ("157.190.66.1") and then send this MAC address to another script, called "add", which allows this MAC address onto the network. This works perfectly when I do it from a shell with the ip address typed in maually.
My problem is that instead of actually typing in the IP address (e.g "157.190.66.1"), I want to be able to pipe the remote IP address of the user that is accessing my web page at the time to this script as an input.
In order to do this, I tried:
#!/bin/bash

read ip_address

sudo arp > /usr/local/apache/logs/users.txt
sudo awk '{if ($1 ==$ip_address) print $3}'
/usr/local/apache/logs/users.txt |
/usr/local/apache/cgi-bin/add
But I'm afraid this doesn't work. I'm wondering where I'm going wrong. I also tried putting quotations around the variable $ip_address but that doesn't work either. On my CGI script I have the line 'echo "$RENOTE_ADDR" | /usr/local/apache/cgi/bin/change' to pipe the ip address of the user. I know this is working because if I include the line 'echo "$ip_address"' in my script then the ip address is echoed to the screen
I hope that I have made myself clear.
Thanks Carl
(!) [Yann] This is a rather simple case of quoting the wrong things. What you want is probably something like '{if ($1 =3D=3D"'"$ip_address"'") print $3}'
That is, first a " (two apostrophes) quote block making sure $1 and a " is passed on to awk unchanged, then a "" (two doublequotes) quote block keeping any spaces in $ip_address (not needed with your data, but good practice), then another " (two apostrophes) block with the rest of the line. The primary difference between " and "" as far as the shell is concerned is that $variable and such are expanded within "" but not within ".
Also, your script could be a lot more efficient, and doesn't need superuser privileges:
/usr/sbin/arp -n $ip_address|awk "/^$ip_address/ {print \$3}"
This isn't the most elegant solution either, but somewhat tighter. '$1 =3D=3D "'$ip_address'" {print $3}' works the same.
By the way, it's quite possible you don't need to write your own tools for a job like this, although it is a good way to learn. Have you examined arpwatch? (http://www-nrg.ee.lbl.gov and scroll down the page a bit)

Same fellow, slightly changed situation. -- Heather

(?) Hi I have a Suse 7.3 Linux PC acting as a gateway for a wireless network. I have a script to allows users onto the network depending on their MAC addresses and another to stop them having access to the network.

What I want to do is let them onto to the network and then 5 hours later, log them off again. I was told to use something like this:

#!/bin/bash

/usr/local/apache/cgi-bin/add

sleep 18000

/usr/local/apache/cgi-bin/remove

This is no good to me because if I put the program to sleep it will lock up. I cant have it locking up because then if another user logs on the program wll be locked up so they wont be able to access the net.

Do you habe any suggestions how to do this?

Thanking you in advance Carl Pender

(!) [Faber] You don't say whether you want them to be logged off after five continuous hours of being logged in or to restrict them from being able to logon outside of a five hour period.
Either way, why not use the at command? In their ~/.profile, place a line that says something like
at +5 hours < /usr/local/apache/cgi-bin/remove this_mac_address
(RTFM To get exact syntax, your script may need a wrapper, etc.)
(!) [Ben] It sounds a bit more complex than that, Faber (actually, the problem spec is mostly undefined but this sounds like a reasonable guess.) What happens if somebody logs on, spends 4 hours and 59 minutes connected, disconnects, then reconnects? Is it 5 hours in every 24, 5 hours from midnight to midnight, 5 hours a week, 5 cumulative hours, 5 contiguous hours?... There are various ERP packages that do this kind of thing, but they're pretty big - unfortunately, I can't think of anything small at the moment although logic says that there's got to be something.
(!) [jra] ISTM one of the getty's has that stuff built in... or maybe it's xinetd.
For, as Ben says, some subset of the possible problem space.

(?) Well firstly, it a wireless Hot-spot kind of thing that I'm trying to achieve here so the users dont have profiles.

Secondly, I have a kind of "mock" billing system in place where the user enters credit card details (mock) and then they are allowed access onto the network for five hours. So I want them to be no longer have access to the network when that five hours has expired.

This is only for demonstartion purposes, so dont worry I'm not going to use this in a real life situation where I'll be handling credit card info.

I hope it is clearer now

Thanks Carl

(!) [Ben] Perhaps you don't fully realize what you're asking for, Carl. Once you consider the degenerate cases of possible login schedules, you'll realize that this is a large, complex task (you can define it to be much simpler, but you haven't done so.)
(!) [Thomas] Indeed, this is a security risk.... the closest I ever got to modifying the "login" sources was to make the password entry field echo "*"'s as one types in their password. I deleted it afterwards mind!
(!) [Ben] Just as an example of a simple case, you could do this with PAM - which would take a fair bit of study on your part - by creating a one-time temporary account for each user that logs in. PAM would do a "runX" via "pam_filter" (read "The Linux-PAM System Administrators' Guide", http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html) which would invoke an "at" session as Faber suggested. After the period elapses - or if the user logs off - the session and the user account get wiped out, and they would need to get reauthenticated by submitting a credit card or whatever.
I'm sure there are a number of other ways to accomplish similar things.
(!) [Heather] I think the word he's looking for here is "authentication" - lots of coffee-shop or gamer-shop style connections have the cashier authorize folks to use the network, on stations that are wired in ... but wireless is different, you have to get one of these little scripts to pick out the new MAC address and then get a go-ahead to let them aboard.
PAM allows for writing new modules, lemme check this partial list of them (http://www.kernel.org/pub/linux/libs/pam/modules.html) for some sort of moderated-login thingy? Hmm, unless TACACS+. RADIUS or Kerberos offer something like that, looks like you'll need to whip up something on your own, and mess with the control files underlying pam_time, too. However, here's something topical, an Authentication Gateway HOWTO: http://www.itlab.musc.edu/~nathan/authentication_gateway
WHich just goes to show that there are more HOWTOs in the world than tldp.org carries. Juicy references to real-world use in the References too.
(!) [Thomas] You might also want to consider making the process uninterruptable (i.e catch certain calls) until the process is due to expire. This again though has certain inherent security problems with it.


Copyright © 2003
Copying license http://www.linuxgazette.net/copying.html
Published in Issue 91 of Linux Gazette, June 2003
HTML script maintained by Heather Stern of Starshine Technical Services, http://www.starshine.org/


[ Table Of Contents ][ Answer Guy Current Index ] greetings   Meet the Gang   1   2   3   4 [ Index of Past Answers ]