DESPERATE : Iptables block users by MAC address.
Hi All,
thanx for reading this. I am trying to authenticate only those PCs that I know of and reject internet access to the rest of them using MACs. The box running rh9 with iptables is my internet gateway. Currently I am able to block those staff who bring their laptop, after we detect it using third-party software, by putting the following rule in iptables:
/sbin/iptables -A INPUT -j DROP -m mac --mac-source 08:00:46:67:B1:5E
What I really wanna do is to put all MACs that belong to us in the iptables and only authorise them to access the internet, and block everyone else automatically by default. Is it possible? How do I do it? Please help, as I spend most of the time scanning IP ranges for unauthorised PCs/laptops. thanx again, Ranjan.
just have a for loop going through all the MAC addresses that you will accept, and then after that loop drop all other MAC addresses.
The accepts will take precedence over the drop-all... I'm a beginner, but I think that's what you want to do... someone please correct me if I'm wrong. :)
thanx for your reply, but how do I drop all the packets from the other MACs that are on the network?
Maybe make a new rule: MAC_RULE
Pass all the forward and input rules through MAC_RULE first...
like
iptables -A FORWARD -p tcp -j MAC_RULE
#########################################
and at the top make the MAC_RULE:
iptables -N MAC_RULE
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source G0:0d:mac:address
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source Another:go0d:mac:address
iptables -A MAC_RULE -j DROP
#########################################
I've never done it, just thought of it... hope that helps! If a Good_MAC matches it will pass, then all the bad ones will get dropped.
Hi Je_fro ,
thanx for your reply, it certainly gave me a direction. I have modified my test firewall.sh script which runs every time I reboot the box. Lemme know your thoughts on this.
/sbin/iptables -A INPUT -p tcp -j MAC_RULE
iptables -N MAC_RULE
iptables -A MAC_RULE -j DROP
iptables -N MAC_RULE
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source 00:07:40:4C:EE:00
iptables -A MAC_RULE -j DROP
# old mac blocking rules
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 08:00:46:67:B1:5E
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:08:0D:EF:13:12
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:07:40:1C:1E:A2
/sbin/iptables -A FORWARD -p tcp -j MAC_RULE
# worm blocking restriction to help with welchia infection
/sbin/iptables -A FORWARD -j DROP -p icmp --icmp-type 0
/sbin/iptables -A FORWARD -j DROP -p icmp --icmp-type 8
/sbin/iptables -A FORWARD -j DROP -p tcp --dport 135:139
/sbin/iptables -A FORWARD -j DROP -p udp --dport 135:139
/sbin/iptables -A OUTPUT -j DROP -p icmp --icmp-type 0
/sbin/iptables -A OUTPUT -j DROP -p icmp --icmp-type 8
/sbin/iptables -A OUTPUT -j DROP -p tcp --dport 135:139
/sbin/iptables -A OUTPUT -j DROP -p udp --dport 135:139
Thanx again for your help. Ranjan.
Hmm...
iptables likes to traverse the rules until it has an exact match...then it jumps out. So...
iptables -N MAC_RULE
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source 00:07:40:4C:EE:00   # <-- is this address authorized? Hope so!!!
iptables -A MAC_RULE -j DROP
# old mac blocking rules
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 08:00:46:67:B1:5E
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:08:0D:EF:13:12
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:07:40:1C:1E:A2
/sbin/iptables -A INPUT -p tcp -j MAC_RULE
# (here it jumps up and looks for a match (trusted MAC); if it doesn't find one,
#  it hits the last line in MAC_RULE and drops the connection.)
/sbin/iptables -A FORWARD -p tcp -j MAC_RULE
HTH
hi je_fro,
thanx for that explanation. I will give it a go and let you know. thanx again. Ranjan.
heh...
my pleasure. :p
Expanding on what je_fro posted, you could have a file like /etc/hosts.allow but it's /etc/macs.allow or something like that. Then in your iptables script you do this:
Code:
for MAC in `cat /etc/macs.allow`
do
    iptables -A MAC_RULE -j ACCEPT -m mac --mac-source $MAC
done
# /etc/macs.allow holds one address per line, e.g.:
# 00:01:02:03:04:05
# 00:01:02:03:04:06
# 00:01:02:03:04:07
# 00:01:02:03:04:08
good one.
Hi /bin/bash
after the code that you put in Code:
Also do I chmod it 755? Thanx for your suggestion, it's pretty good too. thanx a lot, Ranjan
tried the script
hi Guys,
just tried the script, this is how it looks like..
#!/bin/sh
/sbin/iptables -N MAC_RULE
for MAC in `cat /etc/macs.allow`
do
    iptables -A MAC_RULE -j ACCEPT -m mac --mac-source "$MAC"
done
/sbin/iptables -A INPUT -p tcp -j MAC_RULE
/sbin/iptables -A FORWARD -p tcp -j MAC_RULE
I saved the file as firewall.sh in the init.d directory and chmod it 755. When I run it from the prompt
# sh firewall.sh
I get the error
iptables: Chain already exists
iptables v1.2.7a: Bad mac address 'cat /etc/macs.allow'
try iptables -h etc
I have created the macs.allow in the /etc directory with two MACs in it. Your help will be very appreciated. thanx again, Ranjan
normally you want to clear the tables at the beginning of your script
something like this:
Code:
ipt="/bin/iptables"
http://www.linuxquestions.org/questi...hreadid=115121
I have two scripts. The first one called "scanmac" is used to create a list of ip addresses and related mac addresses. The second script called "mac" runs the first script and creates an iptables rule.
In this case, I created an ACCEPT rule based on known good mac addresses. You probably can create a DENY rule based on these scripts also. Here is the "mac" script:
____________________________________________________
#!/bin/bash
#
# Note: change the ip address range to match your needs.
# scanmac prints lines like:  IP: 192.168.1.1 -- MAC: 00:11:22:33:44:55
mac="/home/test.txt"
sh scanmac 192.168.1.1 192.168.1.5 | grep "IP:" > ${mac}
cat ${mac} | \
while read IP NUMBER MC DASH NUM
do
    /sbin/iptables -A INPUT -m mac --mac-source ${NUM} -j ACCEPT
done
#End
________________________________________________________
Here is the "scanmac" script:
_____________________________________
#!/bin/bash
if [ -z "$1" -o "$1" == "-?" ] ; then
    echo "Usage: scanmac starting-ip [ending-ip]"
    echo
    echo "Will list IP and MAC addresses of all active computers"
    echo "within a physical network segment."
    echo
    echo "If ending-ip is omitted, ending-ip = starting-ip+1"
    echo " (so that only the host specified will be scanned)."
    echo
    echo "If you wish to scan from 192.168.2.1 to 192.168.2.31,"
    echo " inclusive, specify ending-ip to be 192.168.2.32."
    echo
    exit 0
fi
startw=$(echo "$1" | cut -d. -f1)
startx=$(echo "$1" | cut -d. -f2)
starty=$(echo "$1" | cut -d. -f3)
startz=$(echo "$1" | cut -d. -f4)
echo "Starting address: $startw.$startx.$starty.$startz"
endip="$2"
if [ -z "$endip" ] ; then
    # default ending address = starting address + 1, carrying into the
    # higher octets; start from the starting octets so none is left empty
    endw=$startw ; endx=$startx ; endy=$starty ; endz=$startz
    if [ $startz -eq 255 ] ; then
        endz=0
        if [ $starty -eq 255 ] ; then
            endy=0
            if [ $startx -eq 255 ] ; then
                endx=0
                if [ $startw -eq 255 ] ; then
                    echo "Sorry, you cannot just scan 255.255.255.255."
                    echo " Maybe later, or you can try to hack support in."
                    exit 1
                else
                    endw=$(($startw+1))
                fi
            else
                endx=$(($startx+1))
            fi
        else
            endy=$(($starty+1))
        fi
    else
        endz=$(($startz+1))
    fi
    endip=$endw.$endx.$endy.$endz
fi
echo "Ending address: $endip"
currentw=$startw
currentx=$startx
currenty=$starty
currentz=$startz
currentip=$currentw.$currentx.$currenty.$currentz
# If the bottom octet is zero, it'll get logged inside the while, so
# don't do it here
if [ "$currentz" -ne "0" ] ; then
    echo "$(date): $currentip"
fi
trap "exit 15" 15
trap "exit 2" 2
while [ "$currentip" != "$endip" ] ; do
    currentip=$currentw.$currentx.$currenty.$currentz
    # another log message whenever the bottom octet rolls over
    if [ "$currentz" -eq "0" ] ; then
        echo "$(date): $currentip"
    fi
    ping -c 1 -w 10 $currentip >/dev/null 2>&1
    mac=$(arp -a $currentip | cut -d' ' -f4)
    case "$mac" in
        ?incomplete?)
            : # do nothing -- no MAC for this IP
            ;;
        entries)
            : # again, do nothing -- this is a broadcast address
            ;;
        *)
            echo "IP: $currentip -- MAC: $mac"
            ;;
    esac
    mac="" # reset for the next loop iteration
    # now increment the ip values (w,x,y,z)
    if [ $currentz -eq 255 ] ; then
        currentz=0
    else
        currentz=$(($currentz+1))
        continue
    fi
    if [ $currenty -eq 255 ] ; then
        currenty=0
    else
        currenty=$(($currenty+1))
        continue
    fi
    if [ $currentx -eq 255 ] ; then
        currentx=0
    else
        currentx=$(($currentx+1))
        continue
    fi
    if [ $currentw -eq 255 ] ; then
        break
    else
        currentw=$(($currentw+1))   # the top octet is the one to advance here
        continue
    fi
done
You know Ranjan, it is a trivial matter to change your MAC address in Linux.
Just hope that no one on your network figures that one out. :D