LinuxQuestions.org


kumawat10 11-30-2011 11:09 PM

Blocking certain MAC Address from accessing services
 
I want to block some MACs on my LAN network such that they cannot access the internet.. I tried the following
Code:

iptables -I INPUT -p tcp --dport 80 -m mac ! --mac-source xx:xx:xx:xx:xx:xx -j DROP
but this didn't work out..

As we know, MAC protection will only work with the
PREROUTING
FORWARD
INPUT
chains, and I must use the OUTPUT chain for the requests going out; I'm not able to figure out how to do it!! :(

Someone please help!!!

Thanks.. :)

fukawi1 11-30-2011 11:45 PM

Well that rule will drop any packets from the specified mac address destined for the host itself..

If you are intending to run this rule on a gateway, and you intend to stop all unspecified MAC addresses (as indicated by the "!") within the LAN from using port 80, then you will probably want it in the FORWARD chain.

http://www.linuxhomenetworking.com/w...Using_iptables
is worth the read for understanding the way a packet will traverse the iptables chains.

kumawat10 12-01-2011 07:03 AM

Well Fukawi, that's the problem I'm facing.. I want to limit some MAC addresses from accessing the outside world rather than limiting the outer MACs from accessing mine!!!!

And so I must use either the OUTPUT chain or the FORWARD chain.. Now I can't use the OUTPUT chain (as it's MAC).. In case of the FORWARD chain, if I forward these packets to it then how will I drop them??? I mean, I would definitely have other rules which would also forward their packets to this chain, so if I drop everything, it will again be a problem.... :(

If possible, you may write the rule you are referring to..

Thanks..

decula 12-01-2011 12:52 PM

ebtables
 
you might want to look at ebtables for this instead of iptables.

fukawi1 12-01-2011 09:19 PM

Ok, firstly, MAC addresses don't transcend subnets.
So any packets coming from the internet can't be matched by MAC address..

Secondly, I really suggest looking at the flowchart and table in the link I posted above, which accurately describes the flow of packets through the iptables chains, as well as what each chain is used for..

Thirdly, as an example, I use MAC filtering for my wireless LAN.

Code:

iptables -A FORWARD -p tcp -i eth2 -o ppp0 -m mac --mac-source 00:02:8a:47:eb:63 -m multiport --dports 20,21,5801,80,443 -m comment --comment "Accept FTP, SSH, HTTP/S" -j ACCEPT
I then have a catch all drop policy
Code:

iptables -A FORWARD -m comment --comment "Default Policy" -j LOG_DROP
(note: I have my setup a little different to what I see most people use, so I've modified this for a more normal setup, but it should give the general idea.. )

This will ACCEPT any packets with a mac source as stated, on the stated ports, and drop everything else..

Quote:

And so I must use either the OUTPUT chain or the FORWARD chain.. Now I can't use the OUTPUT chain (as it's MAC).. In case of the FORWARD chain, if I forward these packets to it then how will I drop them??? I mean, I would definitely have other rules which would also forward their packets to this chain, so if I drop everything, it will again be a problem....
I can't understand what you are trying to say here...
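As an added example, not code from the thread or from any of its participants: a POSIX shell script that turns a deny-list file of MAC addresses into the FORWARD-chain rules fukawi1 describes, inverted for kumawat10's goal of blocking the listed MACs rather than allowing one. The interface names eth1 and ppp0, the MAC_DENY chain name, and every MAC address in it are assumptions. The script prints the iptables commands instead of running them, so the result can be reviewed and then piped to sh as root on the gateway.

```shell
#!/bin/sh
# Added example (not from the thread): generate the iptables commands that keep a
# deny-list of LAN MAC addresses from being forwarded out to the internet on a
# Linux gateway. Interface names and all sample MACs are constructed assumptions.

LAN_IF="${LAN_IF:-eth1}"   # assumption: LAN side of the gateway
WAN_IF="${WAN_IF:-ppp0}"   # assumption: internet side of the gateway

# Accept only six colon-separated hex octets, so a malformed line in the
# deny-list file can never inject extra arguments into a root iptables command.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the rules for the MACs listed in file $1 (one per line, "#" comments
# allowed). Invalid entries are reported on stderr and skipped.
gen_block_rules() {
    # A dedicated chain keeps the deny-list apart from the rest of FORWARD:
    # only packets whose source MAC is listed are dropped; everything else
    # RETURNs to FORWARD and is handled by the rules already there.
    echo "iptables -N MAC_DENY 2>/dev/null"
    echo "iptables -F MAC_DENY"
    # Only LAN -> WAN traffic is sent through the chain. This has to be FORWARD:
    # OUTPUT never sees forwarded packets, and the source MAC is only meaningful
    # on the LAN segment the packet arrived from. -D before -I keeps reruns
    # from stacking duplicate jump rules.
    echo "iptables -D FORWARD -i $LAN_IF -o $WAN_IF -j MAC_DENY 2>/dev/null"
    echo "iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -j MAC_DENY"
    while IFS= read -r line || [ -n "$line" ]; do
        mac=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g')
        [ -z "$mac" ] && continue
        if ! valid_mac "$mac"; then
            echo "skipping invalid MAC entry: $line" >&2
            continue
        fi
        echo "iptables -A MAC_DENY -m mac --mac-source $mac -m comment --comment \"blocked LAN host\" -j DROP"
    done < "$1"
    echo "iptables -A MAC_DENY -j RETURN"
}

# Stand-alone use: "sh block_macs.sh deny.txt" prints rules for that file;
# with no argument, a constructed two-entry deny-list is used as a demo.
if [ "$#" -ge 1 ]; then
    gen_block_rules "$1"
else
    demo=$(mktemp)
    printf '00:11:22:33:44:55 # constructed sample\nAA:BB:CC:DD:EE:FF\n' > "$demo"
    gen_block_rules "$demo"
    rm -f "$demo"
fi
```

Because the rules key on the source MAC, a host that changes its MAC address is no longer matched, so this is access control for cooperative devices rather than an identity guarantee; pairing it with a catch-all log-and-drop policy at the end of FORWARD, as in fukawi1's setup, at least records what slips past. decula's ebtables suggestion is the equivalent at the bridge layer, for the case where the LAN hosts sit behind a bridge interface on the same box.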

