LinuxQuestions.org

Help w mac filtering (https://www.linuxquestions.org/questions/linux-newbie-8/help-w-mac-filtering-712990/)

landysaccount 03-19-2009 09:30 PM

Help w mac filtering
 
Hello.

I currently have a router (already mentioned this on a previous post) with Debian Etch blocking ports and some services. Now, I would like to cut users off by doing mac filtering. I would like to have a list of macs that will be allowed to browse the internet.

I believe if I do:

iptables -P FORWARD DROP
iptables -A FORWARD -m mac --mac-source xxxxxxxxxx -j ACCEPT

iptables -A FORWARD -i $lan -o $ext -p tcp --dport 80 -j ACCEPT

will let that user do whatever, but it won't block traffic to the services.

I only want allowed macs to use certain traffic, all others nothing.

How can I accomplish this?

Thanks in advance for your help.

landysaccount 03-20-2009 11:15 AM

I was doing some reading and thought of an option:

iptables -N check_macs

iptables -A FORWARD -i $lan -p tcp -j check_macs
iptables -A FORWARD -i $lan -p udp -j check_macs

# ... here do the normal port filtering ...

# here allow macs in a list and drop those not in the list
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -j DROP

Would this work?

archtoad6 03-23-2009 06:01 AM

I haven't messed w/ iptables for a couple of years, but your approach sounds logical. I can't critique your syntax.

reptiler 03-23-2009 06:07 AM

Quote:

Originally Posted by landysaccount (Post 3481503)
I believe if I do:

iptables -P FORWARD DROP
iptables -A FORWARD -m mac --mac-source xxxxxxxxxx -j ACCEPT

iptables -A FORWARD -i $lan -o $ext -p tcp --dport 80 -j ACCEPT

will let that user do whatever, but it won't block traffic to the services.

Right. As the first rule matches the MAC address, it will accept the package; the next rule doesn't apply to that package anymore.
Thus a user with the given MAC address will be allowed full access through the box.

Personally I think I'd work with package-marking.
Code:

iptables -t mangle -A FORWARD -m mac --mac-source ... -j MARK --set-mark 1
iptables -A FORWARD -i $lan -o $ext -p tcp --dport 80 -m mark --mark 1 -j ACCEPT

This should be okay, although I haven't played with marked packages for a while.

archtoad6 03-23-2009 08:17 AM

You do mean "packet" not "package", don't you?

reptiler 03-23-2009 10:36 AM

Quote:

Originally Posted by archtoad6 (Post 3484934)
You do mean "packet" not "package", don't you?

Yeah, but honestly, does it really matter? I guess everybody knows what I'm talking about. ;)

landysaccount 03-24-2009 03:50 PM

I've never worked with marking packets, but I guess I'll read about it and maybe test it.

I haven't tested:

iptables -N check_macs

iptables -A FORWARD -i $lan -p tcp -j check_macs
iptables -A FORWARD -i $lan -p udp -j check_macs

# ... here do the normal port filtering ...

# here allow macs in a list and drop those not in the list
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -j DROP

But, as archtoad6 mentioned, it sounds logical. I'll give it a try later and will keep you posted.

landysaccount 03-24-2009 07:17 PM

Quote:

Originally Posted by landysaccount (Post 3486466)
I've never worked with marking packets, but I guess I'll read about it and maybe test it.

I haven't tested:

iptables -N check_macs

iptables -A FORWARD -i $lan -p tcp -j check_macs
iptables -A FORWARD -i $lan -p udp -j check_macs

# ... here do the normal port filtering ...

# here allow macs in a list and drop those not in the list
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -m mac --mac-source xxxxxxxxxxxx -j RETURN
iptables -A check_macs -j DROP

But, as archtoad6 mentioned, it sounds logical. I'll give it a try later and will keep you posted.

Ok. I have tested the code above and it works. It blocks all the macs except those that pass through the check_macs chain.

archtoad6 03-26-2009 06:35 AM

Good. Thanks for giving the answer -- it may help someone else.

landysaccount 03-27-2009 10:03 PM

Quote:

Originally Posted by archtoad6 (Post 3488290)
Good. Thanks for giving the answer -- it may help someone else.

Please note that the above works only on a router that is directly connected to all the clients' machines through a switch. If the packet sent from the client passes through a router, AP, or any other device that has an ip/mac, this will not work, since mac addresses are not routable. In this case the last device's mac will appear at the router even if it is in the same subnet. To work around this, just use dhcp to assign a static ip to the mac and filter by ip address. This will always work:

# create the chain, let each allowed ip return to FORWARD, drop everything else
iptables -N ip_check
iptables -A ip_check -s $ip -j RETURN
iptables -A ip_check -j DROP

iptables -A FORWARD -j ip_check

I did this and it is working flawlessly.

Hope it helps others.
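Added example, not code from the thread or from any poster: a POSIX sh script that builds the allowlist chain the thread ends up with. It generalises the check_macs chain to accept either a MAC (for clients on the same switch) or the static IPv4 address the last post recommends for clients behind another router or AP. The chain name check_clients, the interface eth1 and the dry-run wrapper (IPT defaults to "echo iptables", so the rules are only printed until IPT=iptables is set) are assumptions.

```shell
#!/bin/sh
# Build the "check_clients" chain (name assumed) from an allowlist read on
# stdin, one entry per line, '#' comments allowed. An entry is either a MAC
# (aa:bb:cc:dd:ee:ff) or a dotted-quad IPv4 address.
LAN="${LAN:-eth1}"          # assumed LAN-facing interface
IPT="${IPT:-echo iptables}" # dry run by default; set IPT=iptables to apply

# Exit 0 if $1 is six hex pairs separated by ':'.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Exit 0 if $1 is an IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
}

# Emit the rules. Listed clients RETURN to FORWARD, where the normal per-port
# rules live; anything not listed is dropped inside the chain, so a malformed
# or missing entry fails closed rather than open.
gen_check_clients() {
    $IPT -N check_clients
    $IPT -F check_clients
    while IFS= read -r line; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t')  # drop comment/blanks
        if [ -z "$entry" ]; then
            continue
        elif is_mac "$entry"; then
            # Only meaningful for a client on the same L2 segment: the MAC the
            # router sees is that of the last hop, not of the original client.
            $IPT -A check_clients -m mac --mac-source "$entry" -j RETURN
        elif is_ipv4 "$entry"; then
            # Use with a DHCP static lease so the address really identifies the host.
            $IPT -A check_clients -s "$entry" -j RETURN
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
    $IPT -A check_clients -j DROP
    # Insert at position 1 so unlisted clients never reach the port rules.
    $IPT -I FORWARD 1 -i "$LAN" -j check_clients
}

# Dry-run usage: printf 'aa:bb:cc:dd:ee:ff # laptop\n192.0.2.10\n' | gen_check_clients
```

Review the printed rules first, then rerun with IPT=iptables on the router; entries that fail validation are reported on stderr and never become rules.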
