Help with MAC filtering
Hello.
I currently have a router (already mentioned this in a previous post) with Debian Etch blocking ports and some services. Now, I would like to cut users off by doing MAC filtering. I would like to have a list of MACs that will be allowed to browse the internet. I believe if I do:
Code:
iptables -P FORWARD DROP
iptables -A FORWARD -m mac --mac-source xxxxxxxxxx -j ACCEPT
iptables -A FORWARD -i $lan -o $ext -p tcp --dport 80 -j ACCEPT

it will let that user do whatever, but it won't block traffic to the services. I only want allowed MACs to use certain traffic, all others nothing. How can I accomplish this? Thanks in advance for your help.
I was doing some reading and thought of an option:
Code:
iptables -N check_macs
iptables -A FORWARD -i $lan -p tcp -j check_macs
iptables -A FORWARD -i $lan -p udp -j check_macs
... here do the normal port filtering ...
# here allow MACs in a list and drop those not in the list
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -j DROP

Would this work?
I haven't messed with iptables for a couple of years, but your approach sounds logical. I can't critique your syntax.
Quote:
Thus a user with the given MAC address will be allowed full access through the box. Personally I think I'd work with package-marking.
Code:
iptables -A FORWARD -t mangle -m mac --mac-source ... -j MARK --set-mark 1
You do mean "packet" not "package", don't you?
I've never worked with marking packets but, I guess I'll read about it and maybe test it.
I haven't tested:
Code:
iptables -N check_macs
iptables -A FORWARD -i $lan -p tcp -j check_macs
iptables -A FORWARD -i $lan -p udp -j check_macs
... here do the normal port filtering ...
# here allow MACs in a list and drop those not in the list
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -j DROP

But, as archtoad6 mentioned, it sounds logical. I'll give it a try later and will keep you posted.
Good. Thanks for giving the answer -- it may help someone else.
Code:
# the user-defined chain has to exist before rules can be appended to it
iptables -N ip_check
iptables -A ip_check -s $ip -j RETURN
# addresses not in the list fall through to this terminal rule,
# the same way the check_macs chain above ends in a DROP
iptables -A ip_check -j DROP
iptables -A FORWARD -j ip_check

I did this and it is working flawlessly. Hope it helps others.
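Below is an added, worked version of the check_macs allow-list discussed in this thread; it is example code written for this page, not something any of the posters ran. It generates the rules rather than applying them, so you can read the output before piping it to sh. The interface names (eth1 for the LAN, eth0 for the external link), the two MAC addresses and the port list are constructed placeholders. Two things the rule sets above leave out are included here: with a FORWARD policy of DROP, reply packets coming back from the internet are dropped too unless an ESTABLISHED,RELATED rule lets them through, and a MAC that does not parse should abort rule generation instead of silently producing a rule that matches nothing. Keep in mind that -m mac only sees the source MAC of the frame as it arrives on the router, so this can only distinguish hosts on the router's own LAN segment, and a MAC address is trivially changed, so this is convenience-level access control, not a security boundary.

```shell
#!/bin/sh
# Example (not from the original thread): emit an iptables rule set that
# implements a per-MAC allow-list in a user-defined check_macs chain.
# Usage:   sh macfilter.sh            # review the commands
#          sh macfilter.sh | sh       # apply them (as root)
# Interface names below are assumptions for this example.
LAN=${LAN:-eth1}
EXT=${EXT:-eth0}

# Constructed sample allow-list and port list; replace with your own.
ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"
ALLOWED_PORTS="80 443"

# Returns 0 when $1 is a colon-separated 48-bit MAC, 1 otherwise.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Writes the complete FORWARD rule set to stdout. Returns 1 (and writes
# nothing further) if an entry in ALLOWED_MACS is malformed.
emit_rules() {
    cat <<EOF
iptables -F FORWARD
iptables -F check_macs 2>/dev/null || iptables -N check_macs
iptables -P FORWARD DROP
# Replies to connections already allowed must get back to the LAN,
# otherwise a DROP policy kills every download half-way.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Every new flow leaving the LAN is checked against the MAC list first;
# RETURN from check_macs continues with the port rules below.
iptables -A FORWARD -i $LAN -o $EXT -j check_macs
EOF
    for mac in $ALLOWED_MACS; do
        valid_mac "$mac" || { echo "macfilter: bad MAC '$mac'" >&2; return 1; }
        echo "iptables -A check_macs -m mac --mac-source $mac -j RETURN"
    done
    # Anything not listed is dropped here and never reaches the port rules.
    echo "iptables -A check_macs -j DROP"
    for port in $ALLOWED_PORTS; do
        echo "iptables -A FORWARD -i $LAN -o $EXT -p tcp --dport $port -j ACCEPT"
    done
}

emit_rules
```

Because the jump to check_macs sits before the port rules, an unlisted host is dropped before any service is considered, while a listed host returns to FORWARD and is then limited to the listed ports; this is the ordering the second post in the thread relies on.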