LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-30-2011, 11:09 PM   #1
kumawat10
LQ Newbie
 
Registered: Aug 2011
Posts: 28

Rep: Reputation: Disabled
Question Blocking certain MAC Address from accessing services


I want to block some MACs on my LAN network such that they cannot access the internet. I tried the following:

iptables -I INPUT -p tcp --dport 80 -m mac ! --mac-source xx:xx:xx:xx:xx:xx -j DROP
but this didn't work out.

As we know, MAC protection will only work with the
PREROUTING
FORWARD
INPUT
chains, and I must use the OUTPUT chain for the requests going out, so I'm not able to figure out how to do it!!

Someone please help!!!

Thanks..
 
Old 11-30-2011, 11:45 PM   #2
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Rep: Reputation: 189
Well, that rule will drop any packets from the specified MAC address destined for the host itself.

If you are intending to run this rule on a gateway, and you intend to stop all unspecified MAC addresses (as indicated by the "!") within the LAN from using port 80, then you will probably want it in the FORWARD chain.

http://www.linuxhomenetworking.com/w...Using_iptables
is worth the read for understanding the way a packet will traverse the iptables chains.
 
Old 12-01-2011, 07:03 AM   #3
kumawat10
LQ Newbie
 
Registered: Aug 2011
Posts: 28

Original Poster
Rep: Reputation: Disabled
Well Fukawi, that's the problem I'm facing. I want to limit some MAC addresses from accessing the outside world rather than limiting the outer MACs from accessing mine!!!!

And so I must use either the OUTPUT chain or the FORWARD chain. Now I can't use the OUTPUT chain (as it's MAC). In the case of the FORWARD chain, if I forward these packets to it then how will I drop them??? I mean, I would definitely have other rules which would also forward their packets to this chain, so if I drop everything, it will again be a problem....

If possible, you may write the rule you are referring to.

Thanks..
 
Old 12-01-2011, 12:52 PM   #4
decula
LQ Newbie
 
Registered: Jun 2006
Posts: 9

Rep: Reputation: 0
ebtables

You might want to look at ebtables for this instead of iptables.
 
Old 12-01-2011, 09:19 PM   #5
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Rep: Reputation: 189
Ok, firstly, MAC addresses don't transcend subnets.
So packets coming from the internet can't be matched by MAC address.

Secondly, I really suggest looking at the flowchart and table in the link I posted above, which accurately describes the flow of packets through the iptables chains, as well as what each chain is used for.

Thirdly, as an example, I use MAC filtering for my wireless LAN.

Code:
iptables -A FORWARD -p tcp -i eth2 -o ppp0 -m mac --mac-source 00:02:8a:47:eb:63 -m multiport --dports 20,21,5801,80,443 -m comment --comment "Accept FTP, SSH, HTTP/S" -j ACCEPT
I then have a catch-all drop policy:
Code:
iptables -A FORWARD -m comment --comment "Default Policy" -j LOG_DROP
(note: I have my setup a little different to what I see most people use, so I've modified this for a more normal setup, but it should give the general idea.. )

This will ACCEPT any packets with the MAC source as stated, on the stated ports, and drop everything else.

Quote:
And so I must use either OUTPUT chain or FORWARD chain.. Now I cant use OUTPUT chain (as its MAC).. In case of FORWARD chain, if I forward these packets to it then how will I drop it??? I mean, I would definitely have other rules which would also forward their packet to this chain so if I drop everything, it will again be a problem....
I can't understand what you are trying to say here...
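The reply above describes the gateway-side approach (match the LAN MAC in the FORWARD chain, for traffic entering on the LAN interface and leaving on the WAN interface, with the remaining FORWARD rules untouched). The script below is an added example, not code from anyone in this thread, that builds such a ruleset as a dedicated chain and prints the commands for review before applying them. The interface names eth1 (LAN) and eth0 (WAN), the chain name MAC_BLOCK and the MAC list are constructed assumptions. Remember that the MAC is chosen by the client host, so this is a housekeeping control for known devices, not strong access control.

```shell
#!/bin/sh
# Added example (not from the thread): generate FORWARD-chain rules that keep
# specific LAN MAC addresses from being routed out to the internet.
# Assumptions (hypothetical): LAN interface eth1, WAN interface eth0,
# a user-defined chain MAC_BLOCK, and the constructed MAC list below.

LAN_IF="eth1"
WAN_IF="eth0"
CHAIN="MAC_BLOCK"

# Constructed sample list, one entry per line. The third line is deliberately
# malformed to show that bad entries are skipped instead of producing a broken rule.
BLOCKED_MACS="00:11:22:33:44:55
66:77:88:99:aa:bb
not-a-mac"

# Accept only the six colon-separated hex pairs that -m mac --mac-source expects.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the iptables commands instead of running them, so the result can be
# reviewed (and tested) before it reaches a live firewall.
gen_block_rules() {
    printf 'iptables -N %s\n' "$CHAIN"
    # Jump into the chain only for LAN -> WAN traffic. The mac match works here
    # because the frame arrived on the LAN side; it is never usable in OUTPUT.
    printf 'iptables -I FORWARD -i %s -o %s -j %s\n' "$LAN_IF" "$WAN_IF" "$CHAIN"
    printf '%s\n' "$BLOCKED_MACS" | while IFS= read -r mac; do
        [ -n "$mac" ] || continue
        if ! valid_mac "$mac"; then
            printf 'skipping malformed MAC: %s\n' "$mac" >&2
            continue
        fi
        printf 'iptables -A %s -m mac --mac-source %s -m comment --comment "blocked host" -j DROP\n' \
            "$CHAIN" "$mac"
    done
    # Anything not listed returns to FORWARD, so the other FORWARD rules still apply.
    printf 'iptables -A %s -j RETURN\n' "$CHAIN"
}

# Sanity check: number of DROP rules that would be installed.
count_drop_rules() {
    gen_block_rules | grep -c -- '-j DROP'
}

# Usage:  sh mac_block.sh          -> print the rules for review
#         sh mac_block.sh apply    -> execute them (needs root and iptables)
if [ "${1:-}" = "apply" ]; then
    gen_block_rules | sh -e
else
    gen_block_rules
fi
```

Placing the DROP rules in their own chain and inserting a single jump at the top of FORWARD answers the concern raised in post #3: the blocked hosts are dropped, everything else RETURNs to the existing FORWARD rules, and the list can be flushed and regenerated without disturbing the rest of the policy.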
 