ip mac binding in iptables

ekalavya · 07-28-2010, 05:20 AM

Hi,

I want to bind ip and mac in iptables and the script i gathered and working on is as under:

#!/bin/sh
IPTAB = "/sbin/iptables"
macadds = "xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy zz:zz:zz:zz:zz:zz"
ipadds = "aaa:aaa:a:a bbb:bbb:b:b ccc:ccc:c:c"

$IPTAB -P INPUT DROP
$IPTAB -P OUTPUT ACCEPT

for ((i=0; i<3; i++))
do $IPTAB -A INPUT -m mac --mac-source $macadds -s $ipadds -j ACCEPT
done

When i run the above script, i get an error as "Bad argument yy:yy:yy:yy:yy:yy try iptables --help for more information"

Please help.

regards,
Ekalavya.

orgcandman · 07-28-2010, 09:16 AM

Your script is not correct. You'll have to do something like:

Code:

#!/bin/bash
# this is for IPv6 addrs
IPTABLES=/sbin/ip6tables
ADDRS="xx:xx:xx:xx:xx:xx/aaa:aaa:a:a yy:yy:yy:yy:yy:yy/bbb:bbb:b:b zz:zz:zz:zz:zz:zz/ccc:ccc:c:c"

for I in $ADDRS
do
    $IPTABLES -A INPUT -m mac --mac-source `echo $I|cut -d/ -f1` -s `echo $I|cut -d/ -f2` -j ACCEPT
done

NOTE: I haven't verified this script. Please ensure that you don't blindly run it on a production system.

-Aaron

ekalavya · 07-29-2010, 05:21 AM

Quote:

Originally Posted by orgcandman

Your script is not correct. You'll have to do something like:

Code:

#!/bin/bash
# this is for IPv6 addrs
IPTABLES=/sbin/ip6tables
ADDRS="xx:xx:xx:xx:xx:xx/aaa:aaa:a:a yy:yy:yy:yy:yy:yy/bbb:bbb:b:b zz:zz:zz:zz:zz:zz/ccc:ccc:c:c"

for I in $ADDRS
do
    $IPTABLES -A INPUT -m mac --mac-source `echo $I|cut -d/ -f1` -s `echo $I|cut -d/ -f2` -j ACCEPT
done

NOTE: I haven't verified this script. Please ensure that you don't blindly run it on a production system.

-Aaron

Hi,

Thank you for your reply.

Can you please let me know how to correct the above script in earlier version of iptables as our server is running FC4. Also, can you please clarify whether i can download and install ip6tables for fc4 and then try it out?.

Thanks & regards,

Ekalavya

orgcandman · 07-29-2010, 10:03 AM

I was assuming that your IP addresses were IPv6 addresses. Feel free to change them to IPv4 and use regular old iptables if that's the case.

If you're using IPv6, otoh, I have no idea what utilities are required. Especially for a version of Fedora which went EOL a looooong time ago.

ekalavya · 07-30-2010, 03:24 AM

Quote:

Originally Posted by orgcandman

I was assuming that your IP addresses were IPv6 addresses. Feel free to change them to IPv4 and use regular old iptables if that's the case.

If you're using IPv6, otoh, I have no idea what utilities are required. Especially for a version of Fedora which went EOL a looooong time ago.

Hi,

My intention of IP MAC binding is to avoid somebody changing their IP with others and use Internet.

Now, instead of loop i have entered manually the IP addresses and MAC addresses which is working fine. But even if somebody changes their IP, still they are able to access Internet which i am not able to understand and lead to confusion that IP MAC binding is not effective.

If you have any idea/solution, please let me know.

regards,
Ekalavya