Iptables – Disable static IP addresses on desktop computers

dhcpipiptables

Is there any way of not allowing users to statically set an IP address on their machines?

We have a lot of servers with static IP addresses and also a DHCP server. I am afraid of allowing users to set a static IP address on their machines and they eventually get a server IP address by mistake.

I know we could create a rule on Active Directory blocking changes on network interfaces, or create logins without administrative rights, but all of those solutions can be bypassed. I want some server rule that only our network administrator has access to.

Our DHCP server is Ubuntu
Our desktop machines are Windows 7 based
Our firewall is Ubuntu + iptables
Active Directory

Best Answer

Workaround: Put your users and your servers in separate subnets. A quick VLAN and router change should get it running. Then your users couldn't take a server's IP address, because they're on the "wrong" physical connection to be able to do so.

Related Solutions

DHCP server that can detect and handle rogue IP addresses

You want to turn on conflict detection on the Microsoft DHCP server. Have a look on the "Advanced" tab of the properties of the DHCP server node in DHCP management. Increase the "Conflict detection attempts" from the default of 0 and you'll start to see "BAD_ADDRESS" entries appear in the DHCP scope as the DHCP server "finds" addresses already assigned to other devices.

_{(source: wellbury.com)}

The DHCP server does just what you describe. It uses gratuitous ARP to find addresses already in use and marks them.

Give that a shot-- it'll do what you want.

Deny Static IP Assignments

There is no way to configure a DHCP server to deny static IP addresses. If you think about it, there is a direct path between hosts on the network that simply does not go through the SonicWall:

            SonicWall
            LAN Port
                ^
                |
                v
HostA <----> Switch <----> HostB

So if you want to filter on MAC address to stop HostA from advertising an IP address on the network, you need to do so at the switch. As an example, if your switch is a Cisco, the command to use is switchport port-security.

Best Answer

Related Solutions

DHCP server that can detect and handle rogue IP addresses

Deny Static IP Assignments

Related Topic