Old 02-16-2007, 12:34 AM   #1
boyfren
LQ Newbie
 
Registered: Jan 2007
Posts: 13

Rep: Reputation: 0
MAC Address on IPTables


Hello guys,

How do we restrict MAC addresses using IPTables? In case I have rules in IPTables and I wanted them to apply to a particular group of MAC addresses, giving exemptions to others... can we do that? Any help.... and how do we save the iptables commands for the next reboot? Thanks a lot

Last edited by boyfren; 02-16-2007 at 12:37 AM.
 
Old 02-16-2007, 02:10 AM   #2
mastrboy
Member
 
Registered: Aug 2005
Distribution: Debian, OpenBSD, PFsense
Posts: 73

Rep: Reputation: 15
IPTables can't do this by default, at least as far as I know (kind of lies in the name: "IP"Tables)

But ebtables can:
http://ebtables.sourceforge.net/
 
Old 02-16-2007, 02:22 AM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,373

Rep: Reputation: 1962
Of course it can do this. Just use the mac module... -m mac --mac-source 01:23:45:67:89
 
Old 02-18-2007, 11:59 PM   #4
boyfren
LQ Newbie
 
Registered: Jan 2007
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by acid_kewpie
Of course it can do this. Just use the mac module... -m mac --mac-source 01:23:45:67:89
Can you please elaborate how I can practically apply it to my current needs?? Thanks so much....
 
Old 02-19-2007, 01:38 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,373

Rep: Reputation: 1962
Well, rather than using "-s 192.168.1.123" you'd use the syntax above to define layer 2 access.
 
Old 02-19-2007, 04:33 AM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by boyfren
How do we restrict MAC addresses using IPTables? In case I have rules in IPTables and I wanted them to apply to a particular group of MAC addresses, giving exemptions to others... can we do that? Any help.... and how do we save the iptables commands for the next reboot? Thanks a lot
Quote:
Can you please elaborate how I can practically apply it to my current needs?? Thanks so much....
Here's a simple example:
Code:
# LAN_IFACE, WAN_IFACE and DNS_SERVER_IP must be set to your own
# interfaces and resolver before running this.
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Block Cindy in Accounting (placeholder MAC; --mac-source needs six hex octets):
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m mac --mac-source \
00:11:22:33:44:01 -j REJECT

# Block Roger in Marketing (placeholder MAC):
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m mac --mac-source \
00:11:22:33:44:02 -j REJECT

# Block Debbie in Sales (placeholder MAC):
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m mac --mac-source \
00:11:22:33:44:03 -j REJECT

# Allow everyone else to surf the Web (HTTP/HTTPS):
iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW \
-m multiport --dports 80,443 -j ACCEPT

# Allow everyone else to surf the Web (DNS):
iptables -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW \
-d $DNS_SERVER_IP --dport 53 -j ACCEPT
To save your iptables across a reboot you use the "iptables-save" command, but how exactly you use it kinda depends on what distro you are on...

Last edited by win32sux; 02-19-2007 at 04:38 AM.
 
Old 02-21-2007, 03:10 AM   #7
boyfren
LQ Newbie
 
Registered: Jan 2007
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by win32sux
Here's a simple example:

To save your iptables across a reboot you use the "iptables-save" command, but how exactly you use it kinda depends on what distro you are on...
Thanks a lot.... I'm using Mandriva and the iptables-save command works on it.... gotta make this work!!!
 
Old 02-21-2007, 01:45 PM   #8
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by boyfren
Thanks a lot.... I'm using Mandriva and the iptables-save command works on it.... gotta make this work!!!
I'm not sure, but I believe on Mandriva the iptables configuration is saved in the /etc/sysconfig/iptables file (which might or might not exist by default)... if that's the case, then to save your iptables configuration you'd do a:
Code:
iptables-save > /etc/sysconfig/iptables
But being that AFAIK Mandriva is Red Hat-based, you might be better off using the "service" command, like:
Code:
service iptables save
I recommend you try the "service" way first, and then try the more manual way if that doesn't work...
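The following script is an added example, not code posted in this thread: it builds the FORWARD rule set that win32sux sketched in post #6 (block a group of LAN MACs, let everyone else out for web and DNS) and persists it the way post #8 describes. The interface names, the resolver address and the MAC list are assumed placeholders, and the script defaults to a dry run that prints the commands instead of executing them. It validates each MAC before touching the firewall, because `--mac-source` only accepts six hex octets; note also that the mac match is only valid in the PREROUTING, INPUT and FORWARD chains, and that it matches the MAC of the last hop, so it must be tied to the LAN-facing interface.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default: set DRY_RUN=0
# to execute the commands (needs root on a box that actually forwards).

LAN_IFACE="${LAN_IFACE:-eth1}"                 # assumed LAN side
WAN_IFACE="${WAN_IFACE:-eth0}"                 # assumed WAN side
DNS_SERVER_IP="${DNS_SERVER_IP:-192.0.2.53}"   # assumed resolver (TEST-NET-1)
DRY_RUN="${DRY_RUN:-1}"
# Constructed placeholder MACs of the hosts to restrict.
BLOCKED_MACS="${BLOCKED_MACS:-00:11:22:33:44:55 00:11:22:33:44:66}"

# valid_mac MAC: succeed only for six colon-separated hex octets, the form
# that "-m mac --mac-source" accepts.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mac_rules: emit or apply the rule set. Fails before the first iptables
# call if any MAC is malformed, so a typo cannot leave the policy half-applied.
mac_rules() {
    for mac in $BLOCKED_MACS; do
        valid_mac "$mac" || { echo "malformed MAC: $mac" >&2; return 1; }
    done
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # The mac match sees the source MAC of the last hop, so pin it to the
    # LAN interface: hosts behind another router all show that router's MAC.
    for mac in $BLOCKED_MACS; do
        run iptables -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" \
            -m mac --mac-source "$mac" -j REJECT
    done
    run iptables -A FORWARD -p tcp -i "$LAN_IFACE" -o "$WAN_IFACE" \
        -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
    run iptables -A FORWARD -p udp -i "$LAN_IFACE" -o "$WAN_IFACE" \
        -m state --state NEW -d "$DNS_SERVER_IP" --dport 53 -j ACCEPT
}

# save_rules [FILE]: persist the running rule set with iptables-save, writing
# a temp file first so a failed save cannot truncate the existing file.
save_rules() {
    file="${1:-/etc/sysconfig/iptables}"
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables-save > %s\n' "$file"
    else
        iptables-save > "$file.tmp" && mv "$file.tmp" "$file"
    fi
}

mac_rules && save_rules
```

Run it once as a dry run to review the generated commands, then with `DRY_RUN=0` to apply them; on a Red Hat-derived system the saved file is what `service iptables start` reloads at boot, while other distributions feed the same file to `iptables-restore` from their own init scripts.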
 
Old 02-21-2007, 02:24 PM   #9
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
boyfren,

Just want to remind you that:
  • This info is available in the iptables(8) manpages.
  • MAC addresses are easily spoofed, so this should not be thought of as a strong security mechanism. (i.e. It should be one of several layers.)
 
Old 02-21-2007, 08:46 PM   #10
boyfren
LQ Newbie
 
Registered: Jan 2007
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by anomie
boyfren,

Just want to remind you that:
  • This info is available in the iptables(8) manpages.
  • MAC addresses are easily spoofed, so this should not be thought of as a strong security mechanism. (i.e. It should be one of several layers.)
Yep, I saw this in the manual pages but had a hard time trying to gather up the pieces, and the info here helps.. and yes.. I'm not considering this a strong security mechanism.... thanks a lot for the reminders.
 