LinuxQuestions.org

Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
MAC Address on IPTables (http://www.linuxquestions.org/questions/linux-networking-3/mac-address-on-iptables-529515/)

boyfren 02-16-2007 12:34 AM

MAC Address on IPTables
 
hello guys,

how do we restrict MAC addresses using IPTables? In case I have rules in IPTables and I wanted them to apply on a particular group of MAC addresses giving exemptions to others... can we do that? any help.... and how do we save the iptables commands for the next reboot? tnx a lot

mastrboy 02-16-2007 02:10 AM

IPTables can't do this by default, at least as far as I know (kind of lies in the name: "IP"Tables)

But ebtables can:
http://ebtables.sourceforge.net/

acid_kewpie 02-16-2007 02:22 AM

of course it can do this. just use the mac module... -m mac --mac-source 01:23:45:67:89

boyfren 02-18-2007 11:59 PM

Quote:

Originally Posted by acid_kewpie
of course it can do this. just use the mac module... -m mac --mac-source 01:23:45:67:89

can you pls elaborate how i can practically apply it to my current needs?? tnx so much....

acid_kewpie 02-19-2007 01:38 AM

Well, rather than using "-s 192.168.1.123", you'd use the syntax above to define layer 2 access.

win32sux 02-19-2007 04:33 AM

Quote:

Originally Posted by boyfren
how do we restrict MAC addresses using IPTables? In case I have rules in IPTables and I wanted them to apply on a particular group of MAC addresses giving exemptions to others... can we do that? any help.... and how do we save the iptables commands for the next reboot? tnx a lot

Quote:

can you pls elaborate how i can practically apply it to my current needs?? tnx so much....

here's a simple example:
Code:

# Placeholders; set these to match your network:
LAN_IFACE=eth1
WAN_IFACE=eth0
DNS_SERVER_IP=192.168.1.1

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Block Cindy in Accounting (placeholder MAC; substitute the real address):
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m mac --mac-source \
02:00:00:00:00:01 -j REJECT

# Block Roger in Marketing (placeholder MAC):
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m mac --mac-source \
02:00:00:00:00:02 -j REJECT

# Block Debbie in Sales (placeholder MAC):
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m mac --mac-source \
02:00:00:00:00:03 -j REJECT

# Allow everyone else to surf the Web (HTTP/HTTPS):
iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW \
-m multiport --dports 80,443 -j ACCEPT

# Allow everyone else to surf the Web (DNS):
iptables -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW \
-d $DNS_SERVER_IP --dport 53 -j ACCEPT

to save your iptables across a reboot you use the "iptables-save" command, but how exactly you use it kinda depends on what distro you are on...
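A way to sanity-check the MAC list before loading rules like the ones above, as an added example that is not part of the thread; interface names, host names and MAC addresses in it are constructed placeholders, and the `ip_mac_bind_rule` helper is an assumed extra, not something the post proposes:

```shell
#!/bin/sh
# Added example, not from the thread: validate MAC addresses and generate the
# FORWARD rules from the post above. Interface names, host names and MAC
# addresses are constructed placeholders.
LAN_IFACE="${LAN_IFACE:-eth1}"
WAN_IFACE="${WAN_IFACE:-eth0}"

# Succeed only for six colon-separated hex octets. Dummy values such as
# d3:5t:6u:3e:dj:8i fail here, and iptables itself refuses to load them,
# so validate before feeding a list into a ruleset.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the rule that blocks one LAN host by source MAC; return 1 and print
# nothing for a malformed address. --mac-source is valid only in PREROUTING,
# INPUT and FORWARD and sees the MAC of the last hop, so this only works
# for hosts on the firewall's own Ethernet segment.
mac_block_rule() {
    valid_mac "$1" || { echo "skip: bad MAC '$1'" >&2; return 1; }
    printf 'iptables -A FORWARD -i %s -o %s -m mac --mac-source %s -j REJECT\n' \
        "$LAN_IFACE" "$WAN_IFACE" "$1"
}

# Pin an IP to a MAC: frames carrying that source IP from any other MAC are
# dropped. A host spoofing both still gets through (anomie's point), but a
# client that merely borrows a blocked machine's IP does not.
ip_mac_bind_rule() {
    valid_mac "$2" || return 1
    printf 'iptables -A FORWARD -i %s -s %s -m mac ! --mac-source %s -j DROP\n' \
        "$LAN_IFACE" "$1" "$2"
}

# Read "name mac" lines on stdin; print one REJECT rule per valid entry.
gen_block_rules() {
    while read -r name mac; do
        [ -z "$name" ] && continue
        mac_block_rule "$mac" || continue
    done
    return 0
}

# Constructed block list; the last entry is deliberately malformed.
BLOCKLIST='cindy 02:00:00:aa:bb:01
roger 02:00:00:aa:bb:02
debbie d3:5t:6u:3e:dj:8i'

# Review the generated rules, then pipe this script's output into sh.
printf '%s\n' "$BLOCKLIST" | gen_block_rules
```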

boyfren 02-21-2007 03:10 AM

Quote:

Originally Posted by win32sux
here's a simple example:

to save your iptables across a reboot you use the "iptables-save" command, but how exactly you use it kinda depends on what distro you are on...

tnx a lot.... I'm using mandriva and the iptables-save command works on it.... gotta make this work!!!

win32sux 02-21-2007 01:45 PM

Quote:

Originally Posted by boyfren
tnx a lot.... I'm using mandriva and the iptables-save command works on it.... gotta make this work!!!

i'm not sure, but i believe on mandriva the iptables configuration is saved in the /etc/sysconfig/iptables file (which might or might not exist by default)... if that's the case, then to save your iptables configuration you'd do a:
Code:

iptables-save > /etc/sysconfig/iptables

but being that AFAIK mandriva is red hat-based, you might be better-off using the "service" command, like:
Code:

service iptables save

i recommend you try the "service" way first, and then try the more manual way if that doesn't work...

anomie 02-21-2007 02:24 PM

boyfren,

Just want to remind you that:
  • This info is available in the iptables(8) manpages.
  • MAC addresses are easily spoofed, so this should not be thought of as a strong security mechanism. (i.e. It should be one of several layers.)

boyfren 02-21-2007 08:46 PM

Quote:

Originally Posted by anomie
boyfren,

Just want to remind you that:
  • This info is available in the iptables(8) manpages.
  • MAC addresses are easily spoofed, so this should not be thought of as a strong security mechanism. (i.e. It should be one of several layers.)

yep i saw this on the manual pages but had a hard time trying to gather up the pieces, and the info here helps.. and yes.. I'm not considering this a strong security mechanism.... tnx a lot for the reminders.
