How to set IP and MAC binding on Linux routing

In some systems, there is a need to have certain IP addresses in the intranet connected to the Internet, and hope that these IP addresses are not stolen by illegal users. This can be achieved by the following solution:

First use ipchains or iptables to set only allow legitimate IP addresses to be connected.

Establish an IP/Mac bundle for legitimate IP. To discuss this problem, we first need to understand the working principle of the ARP protocol. The arp protocol is an abbreviation of the Address Resolution Protocol. Its function and working principle are as follows:

In the underlying network communication, two To want to communicate with each other, the nodes must first know the source and destination MAC addresses. In order for the system to quickly find the MAC address of a remote node, each local kernel maintains an instant lookup table (called ARP cache). ARP has a list of IP addresses that map remote hosts to their corresponding MAC addresses. The Address Resolution Protocol (ARP) cache is a resident memory structure in which the contents are managed and maintained by the kernel of the local system. By default, the ARP cache retains the IP address (and corresponding MAC address) of the node with which the local system communicated for the last ten minutes.

When the MAC address of a remote host exists in the ARP cache of the local host, there is no problem in translating the IP address of the remote node to the MAC address. However, in many cases, the remote host's MAC address does not exist in the local ARP cache. What happens to the system? When you know the IP address of a remote host, but the MAC address is not in the local ARP cache, the following The process is used to obtain the MAC address of the remote node: the local host sends a broadcast packet to all nodes in the network to ask if there is a corresponding IP address. A node (only one) will answer this ARP broadcast message. The MAC address of this remote host will be included in the response packet. After receiving the return packet, the local node records the MAC address of the remote node in the local ARP cache.

If we establish the IP/MAC correspondence as fixed, that is, establish a static MAC correspondence for those legitimate IP addresses, then even if the illegal user steals the IP address, the Linux router responds to the connection from these IPs. When requesting, it will not ask the mac address through the arp protocol, but use the static MAC address established by Linux and send the response data. If the IP is stolen, the response data will not be obtained and the network service cannot be used.

The method of establishing static IP/MAC binding is to establish the /etc/ethers file, which contains the correct IP/MAC mapping. The format is as follows:

192.168.2.32 08:00:4E :B0:24:47

Then add /arp-f to /etc/rc.d/rc.local.

2.4 kernel iptables can limit both IP and Mac at the same time. Use this function to define the IP address and Mac address for the legal IP rules.