
I want to only allow certain MAC addresses to get an IP from my DHCP server. Currently I use dnsmasq and I'd rather not change DHCP server, but I'm open to other software as well. However, I need to be able to set static IP addresses for specific MAC addresses.

Currently my dnsmasq conf file has a bunch of entries that specify static IPs for a range of MAC addresses, like so:

dhcp-host=00:11:22:33:44:55,192.168.1.100
dhcp-host=00:11:22:33:44:56,192.168.1.101
dhcp-host=00:11:22:33:44:57,192.168.1.102

Is there a way so that all MAC addresses that are not specified in the above fashion don't get an IP?

Joelbitar

5 Answers


Alternatively to @Chopper3's solution, you can add iptables rules like these:

# Create the DHCP_clients chain in the 'raw' table
iptables -t raw -N DHCP_clients

# Incoming DHCP, pass to chain processing DHCP
iptables -t raw -A PREROUTING -p udp --dport 67 -j DHCP_clients

# Allowed DHCP clients
iptables -t raw -A DHCP_clients -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
iptables -t raw -A DHCP_clients -m mac --mac-source 00:11:22:33:44:56 -j ACCEPT
iptables -t raw -A DHCP_clients -m mac --mac-source 00:11:22:33:44:57 -j ACCEPT

# Deny other clients not listed above
iptables -t raw -A DHCP_clients -j DROP

Edit: If you need to add additional 'known'/allowed clients, just do the following for each additional client:

# We insert a rule at the head of the chain using the '-I' command
iptables -t raw -I DHCP_clients -m mac --mac-source $CLIENT_MAC -j ACCEPT

(Note: it's using -I (insert) instead of -A (append), so the new rule will be the first rule to be checked. If we don't insert, appended rules will be overridden by the rule with -j DROP.)

pepoluan
  • I prefer this way. IMO this rejects the unknown requests at a lower level. Btw, I couldn't create a custom chain using your commands, it gives an error. I had to use `-A PREROUTING -p udp --dport 67` in every line :P – Sarim May 21 '15 at 10:19
  • @Sarim oh my, I forgot to add one _very important_ line: `iptables -t raw -N DHCP_clients` -- this line creates the DHCP_clients chain. I'll edit. – pepoluan May 22 '15 at 07:52
  • Awesome! – traditional Aug 04 '16 at 15:58

You can do this by specifying only a static range:

dhcp-range=192.168.0.0,static

EDIT: Change the address range above to meet your requirements.

With no dynamic ranges specified, dnsmasq will only provide addresses to hosts that have a corresponding dhcp-host configuration:

# Specify a subnet which can't be used for dynamic address allocation,
# is available for hosts with matching --dhcp-host lines. Note that
# dhcp-host declarations will be ignored unless there is a dhcp-range
# of some type for the subnet in question.
# In this case the netmask is implied (it comes from the network
# configuration on the machine running dnsmasq) it is possible to give
# an explicit netmask instead.
#dhcp-range=192.168.0.0,static
user9517
# Ignore any clients which are not specified in dhcp-host lines
# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
# This relies on the special "known" tag which is set when
# a host is matched.
#dhcp-ignore=tag:!known
Antenagora
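Putting the answers above together, as an added example that is not from any of the posters: a small POSIX shell script that generates both the dnsmasq reservations (dhcp-host lines plus a static-only dhcp-range and dhcp-ignore=tag:!known) and the matching iptables 'raw' table allow-list from one MAC-to-IP list, so the DHCP reservations and the MAC filter cannot drift apart. ALLOWLIST is a constructed sample, and the function names (gen_dnsmasq, gen_iptables, valid_mac, count_accept) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original answers. One constructed
# allowlist of "MAC IP" pairs drives both dnsmasq and iptables output.
ALLOWLIST='00:11:22:33:44:55 192.168.1.100
00:11:22:33:44:56 192.168.1.101
00:11:22:33:44:57 192.168.1.102'

# Reject anything that is not a colon-separated 48-bit MAC before it
# is written into a rule (avoids typos silently allowing nothing).
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# dnsmasq side: one dhcp-host per entry, a static-only range for the
# subnet given as $1, and dhcp-ignore so clients without the "known"
# tag get no lease at all.
gen_dnsmasq() {
    printf '%s\n' "$ALLOWLIST" | while read -r mac ip; do
        valid_mac "$mac" && printf 'dhcp-host=%s,%s\n' "$mac" "$ip"
    done
    printf 'dhcp-range=%s,static\n' "$1"
    printf 'dhcp-ignore=tag:!known\n'
}

# iptables side: create the DHCP_clients chain in the raw table, hook
# incoming DHCP (UDP/67) into it, ACCEPT each listed MAC, DROP the rest.
gen_iptables() {
    printf 'iptables -t raw -N DHCP_clients\n'
    printf 'iptables -t raw -A PREROUTING -p udp --dport 67 -j DHCP_clients\n'
    printf '%s\n' "$ALLOWLIST" | while read -r mac ip; do
        valid_mac "$mac" &&
            printf 'iptables -t raw -A DHCP_clients -m mac --mac-source %s -j ACCEPT\n' "$mac"
    done
    printf 'iptables -t raw -A DHCP_clients -j DROP\n'
}

# Sanity check: number of ACCEPT rules should equal the allowlist length.
count_accept() {
    gen_iptables | grep -c -- '-j ACCEPT'
}

# Usage: ./dhcp-allowlist.sh show   (prints both configs; review, then apply)
if [ "${1:-}" = "show" ]; then
    gen_dnsmasq 192.168.1.0
    gen_iptables
fi
```

Pipe the iptables part into `sh` only after reviewing it; the dnsmasq part goes into dnsmasq.conf and needs a restart of dnsmasq to take effect.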

If you only want specific MACs to get DHCP addresses just create your list of reservations as you have then set the range to cover only those IP addresses. That way it won't have any more addresses to hand out.

Chopper3

I have to disagree with the previous fixes, except for pepoluan's answer.

Although I don't know if pepoluan's is a true whitelist technique, it is close to the right answer. To block all data to the wrong MAC is your goal. Just disabling DHCP to non-registered MACs is not a fix; if they set manual IPs, which is usually one of 3 ranges (10.0.0.x, 192.168.1.x or 192.168.0.x), it doesn't answer the problem.

If you do use the other proposed answer of not handing out DHCP to unknown MACs, be sure to also change your router's address to a unique, unguessable option, and to change your IP range to a really strange one, e.g. 192.168.43.x with the router being 192.168.43.43 or something. This would disallow them from guessing your subnet range, and they would have no link to the network.

It's not flawless, but it is a much better way to protect your network.

  • This isn't going to do any good either; you could break it in seconds. The only way to protect your network from this threat is 802.1x, assuming the goal here is to prevent unauthorized network access. – Falcon Momot Nov 27 '14 at 06:57
  • I realize that now, the router could be sniffed. 802.1x or Port Security would both work. But 802.1x is definitely preferred, especially with certificates. – Robert Cotterman Oct 24 '18 at 04:10