LinuxQuestions.org, Linux - Networking forum
Thread: can mac address filtering be done from the internet?

#1 - yongitz (Member) - 04-17-2007, 11:41 AM
Registered: Nov 2005 | Location: Davao City, Philippines | Distribution: RHEL, CentOS, Ubuntu, Mint | Posts: 139

Hi folks!

I'm just curious. I have a working VPN setup right now. What bothers me is that there might be a time that a VPN client will be compromised. So as a precaution, with the help of a firewall using iptables, for example, I will just allow all those MAC addresses that are supposed to be allowed and block those which are not in my list. So if I have a "false client" which got its keys from a compromised VPN client, even if it succeeds on the VPN authentication it will still be useless, because no traffic can be done since of course the MAC address is not one of the allowed ones. (But of course I'm not discounting the possibility that the MAC address will be spoofed too.) But now I just want a clear view of whether MAC address filtering can be done in this situation.

Thanks!
 
#2 - acid_kewpie (Moderator) - 04-17-2007, 11:43 AM
Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,415

MAC addresses are for layer 2 communications, i.e. in a single subnet. There may be vendor proprietary extensions to permit filtering of what is wholly arbitrary data at the layer 3 VPN stage, but as standard it just doesn't really make "sense". Proper cryptography with certificates and such is a much, much better approach.
 
#3 - yongitz (Original Poster) - 04-17-2007, 12:03 PM

Thank you sir for the prompt reply. So you're saying that it's likely not possible with iptables?
 
#4 - lazlow (Senior Member) - 04-17-2007, 12:07 PM
Registered: Jan 2006 | Posts: 4,362

yongitz

Even if it were possible (it would need more than iptables), spoofing a MAC is fairly easy to do. Acid has pointed you in the "best" direction.

Lazlow
 
#5 - yongitz (Original Poster) - 04-17-2007, 12:15 PM

OK, I'm there! So what would be the best solution for my problem? I just want to bind certain VPN certificates/keys to the right machine, so that even if those keys were stolen they would be of no use anymore.
 
#6 - Teomari (Member) - 04-17-2007, 07:48 PM
Registered: Mar 2007 | Location: Manila Philippines | Distribution: Slackware, Redhat, Ubuntu, Centos, Open Suse | Posts: 38

One thing that I know is that Squid proxy can allow/disallow MAC addresses.

Last edited by Teomari; 04-18-2007 at 03:11 AM.
 
#7 - acid_kewpie (Moderator) - 04-18-2007, 03:04 AM

Well, it can do it on a local subnet, but once it's past a router that information doesn't exist.
 
#8 - slzckboy (Member) - 04-18-2007, 03:20 AM
Registered: May 2005 | Location: uk - Reading | Distribution: slack 10.2 kde 3.4.2 kernel 2.6.15 | Posts: 452

The only MAC address that you will see for a session initiated from outside your LAN is that of the gateway router.

In normal TCP communication you would never see the MAC address of the remote machine. That source MAC address would be stripped off when the packet is marshalled to be sent over the internet. The source/destination MACs are then used to get the packet from one router hop to the next, and then, once it's at the destination subnet, from the remote gateway router to the destination client.

So in short, you can only rely on MAC filtering for devices on a local subnet.

This is the long version of what Mr Kewpie has said already.
:0)
 
#9 - yongitz (Original Poster) - 04-18-2007, 11:09 PM

Thank you all for the clarifications. So even if you're operating under a VPN you really cannot trace MAC addresses?
Pardon me people, but I have read something like: when you are on a bridged type of VPN (that means clients were given IPs on the same local subnet), even in this situation you can't track the MAC address? I also have found something on the internet that points out how to block VPN clients through their MAC address. I just forgot the URL, but I'll post it here as soon as I find it. I need more clarification because I'm confused whether it's really possible, because if it is then I would switch to a bridged VPN.

Thanks!

Last edited by yongitz; 04-19-2007 at 10:30 PM.
 
#10 - acid_kewpie (Moderator) - 04-19-2007, 02:45 AM

Well, implicitly, if it is a bridge then yes you can, but that's not the normal way a VPN would operate, and it's not really even a VPN thing. If it's a bridge, then it's layer 2, and as described above it is effectively still a single subnet.
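The point made in posts #8 and #10 (the client's source MAC is discarded at every routed hop but survives across a layer-2 bridge, so an iptables MAC allowlist is only meaningful on a bridged tap-style VPN, and even there a compromised client can simply rewrite its MAC, as lazlow noted) can be shown with a small model. The following is an added example, not code from the thread or from any VPN product: it builds a constructed Ethernet/IPv4 frame, pushes it through a simulated router hop and a simulated bridge hop, and applies the kind of source-MAC allowlist the original poster had in mind. All MAC and IP addresses and the interface name tap0 are made-up values.

```python
# Added example (not from the LinuxQuestions thread): what a routed hop and a
# bridged hop each do to a frame's Ethernet header, and what that means for a
# source-MAC allowlist. Addresses and "tap0" below are invented for illustration.
import socket
import struct

ETHERTYPE_IPV4 = b"\x08\x00"


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; 0 for a header whose field is already set."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b"", ttl=64) -> bytes:
    """Constructed Ethernet II frame with a minimal IPv4 header (protocol 17)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, 17, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + ETHERTYPE_IPV4 + hdr + payload


def parse_frame(frame: bytes) -> dict:
    ip = frame[14:34]
    return {
        "dst_mac": mac_str(frame[0:6]),
        "src_mac": mac_str(frame[6:12]),
        "ttl": ip[8],
        "checksum_ok": ip_checksum(ip) == 0,
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
    }


def route_hop(frame: bytes, router_mac: str, next_hop_mac: str) -> bytes:
    """A layer-3 hop: the incoming Ethernet header is thrown away, TTL is
    decremented, the IP checksum is recomputed, and a fresh Ethernet header is
    written whose source is the router's own MAC. The client's MAC is gone."""
    ip = bytearray(frame[14:])
    if ip[8] <= 1:
        raise ValueError("TTL expired")
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip[:20])))
    return mac_bytes(next_hop_mac) + mac_bytes(router_mac) + ETHERTYPE_IPV4 + bytes(ip)


def bridge_hop(frame: bytes) -> bytes:
    """A layer-2 hop (a tap interface enslaved to a bridge): forwarded unchanged."""
    return frame


def spoof_source_mac(frame: bytes, mac: str) -> bytes:
    """What a compromised client can trivially do: rewrite its own source MAC."""
    return frame[:6] + mac_bytes(mac) + frame[12:]


def mac_allowed(frame: bytes, allowlist) -> bool:
    """The decision an 'iptables -m mac --mac-source' allowlist makes per frame."""
    return parse_frame(frame)["src_mac"] in {m.lower() for m in allowlist}


def iptables_allowlist(allowlist, iface="tap0"):
    """Equivalent netfilter rules for a bridged (tap) VPN interface; hypothetical tap0."""
    rules = ["iptables -A INPUT -i %s -m mac --mac-source %s -j ACCEPT" % (iface, m.lower())
             for m in allowlist]
    rules.append("iptables -A INPUT -i %s -j DROP" % iface)
    return rules


if __name__ == "__main__":
    client = "00:11:22:33:44:55"
    frame = build_frame(client, "aa:bb:cc:00:00:01", "10.8.0.10", "10.8.0.1", b"hello")
    attacker = build_frame("de:ad:be:ef:00:01", "aa:bb:cc:00:00:01", "10.8.0.99", "10.8.0.1")
    for label, f in [("bridged  ", bridge_hop(frame)),
                     ("routed   ", route_hop(frame, "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03")),
                     ("attacker ", attacker),
                     ("spoofed  ", spoof_source_mac(attacker, client))]:
        print(label, parse_frame(f)["src_mac"], "allowed" if mac_allowed(f, [client]) else "dropped")
    print("\n".join(iptables_allowlist([client])))
```

Two practical consequences follow from the model. On a routed (tun) VPN the server never sees an Ethernet header from the client at all, so the `mac` match has nothing to match; only on a bridged (tap) interface does the client's MAC reach the server, which is why iptables documents `--mac-source` as meaningful only for packets arriving from an Ethernet device in the PREROUTING, FORWARD or INPUT chains. And the `spoof_source_mac` path shows why the allowlist gives no protection against the very case the original poster worried about: a client that already holds stolen keys also controls the MAC it sends.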
 
  

