DESPERATE : Iptables block users by MAC address.

ranjan303 · 12-14-2003, 12:04 AM

Hi All,

thanx for reading this. I am trying to authenticate only those PC that I know of and reject access to internet to the rest of them using MACs. The box is running rh9 with iptables is my internet gateway.

Currently I am able to block those staff who bring their laptop after we detect it using a third party software by putting the following rule in iptables

/sbin/iptables -A INPUT -j DROP -m mac --mac-source 08:00:46:67:B1:5E

What I really wanna do is to put all MACs that belong to us in the iptables and only authorise them to access the internet, and block everyone else automatically by default. Is it possible ? How do I do it. Please help, as I spent most of the time scanning ip ranges for unauthorised pcs/laptops.

thanx again,

Ranjan.

Colossis · 12-14-2003, 12:16 AM

just have a for loop going through all the mac addresses that you will accept, and then after that loop drop all other mac addresses

the accepts will take precedence over the drop all...

I'm beginner, but I think that's what you want to do... someone please correct me if i'm wrong.

ranjan303 · 12-14-2003, 12:23 AM

thanx for your reply, but how do I drop all the packets from the other MACs that are on the network ?

je_fro · 12-14-2003, 02:31 AM

Pass all the forward and input rules through MAC_RULE first...
like
iptables -A FORWARD -p tcp -j MAC_RULE
#########################################

and at the top make the MAC_RULE:
iptables -N MAC_RULE
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source G0:0d:mac:address
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source Another:go0d:mac:address
iptables -A MAC_RULE -j DROP
#########################################

I've never done, just thought of it...hope that helps!
If a Good_MAC matches it will pass, then all the bad ones will get dropped.

ranjan303 · 12-14-2003, 03:12 AM

Hi Je_fro ,

thanx for your reply, it certainly gave me a direction. I have modified my test firewall.sh script which runs everytime I reboot the box. Lemme know your thoughts on this.

/sbin/iptables -A INPUT -p tcp -j MAC_RULE

iptables -N MAC_RULE

iptables -A MAC_RULE -j DROP

iptables -N MAC_RULE
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source 00:07:40:4C:EE:00
iptables -A MAC_RULE -j DROP

# old mac blocking rules
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 08:00:46:67:B1:5E
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:08:0D:EF:13:12
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:07:40:1C:1E:A2

/sbin/iptables -A FORWARD -p tcp -j MAC_RULE

# worm blocking restriction to help with welchia infection
/sbin/iptables -A FORWARD -j DROP -p icmp --icmp-type 0
/sbin/iptables -A FORWARD -j DROP -p icmp --icmp-type 8
/sbin/iptables -A FORWARD -j DROP -p tcp --dport 135:139
/sbin/iptables -A FORWARD -j DROP -p udp --dport 135:139

/sbin/iptables -A OUTPUT -j DROP -p icmp --icmp-type 0
/sbin/iptables -A OUTPUT -j DROP -p icmp --icmp-type 8
/sbin/iptables -A OUTPUT -j DROP -p tcp --dport 135:139
/sbin/iptables -A OUTPUT -j DROP -p udp --dport 135:139

Thanx again for your help.

Ranjan.

je_fro · 12-14-2003, 03:16 AM

iptables likes to traverse the rules until it has an exact match...then it jumps out. So...

iptables -N MAC_RULE
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source 00:07:40:4C:EE:00 <--is this address authorized? Hope So!!!
iptables -A MAC_RULE -j DROP

# old mac blocking rules
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 08:00:46:67:B1:5E
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:08:0D:EF:13:12
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:07:40:1C:1E:A2

/sbin/iptables -A INPUT -p tcp -j MAC_RULE (here it jumps up and looks for a match (trusted MAC) if it doesn't find one, it hits the last line in MAC_RULE and drops the connection.)
/sbin/iptables -A FORWARD -p tcp -j MAC_RULE

HTH

ranjan303 · 12-14-2003, 03:21 AM

hi je_fro,

thanx for that explanation. I will give it a go and let you know.

thanx again.

Ranjan.

je_fro · 12-14-2003, 03:22 AM

my pleasure.

/bin/bash · 12-14-2003, 03:26 AM

Expanding on what je_fro posted, you could have a file like /etc/hosts.allow but it's /etc/macs.allow or something like that. Then in your iptables script you do this:

Code:

for MAC in `cat /etc/macs.allow`
	do
	iptables -A MAC_RULE -j ACCEPT -m mac --mac-source "$MAC"
done

<edit> Of course the contents of /etc/macs.allow would be a list of good mac addresses something like this:

00:01:02:03:04:05
00:01:02:03:04:06
00:01:02:03:04:07
00:01:02:03:04:08

ranjan303 · 12-14-2003, 05:17 AM

Hi /bin/bash

after the code that you put in

Code:

 

 for MAC in `cat /etc/macs.allow`
	do
	iptables -A MAC_RULE -j ACCEPT -m mac --mac-source "$MAC" 
done

do I have to put any rule after the code so that iptables drops packets from all MACs which are not listed in the file or will it happen by itself ?
Also do I chmod it 755 ?

Thanx for your suggestion, its pretty good too.
thanx a lot ,

Ranjan

ranjan303 · 12-14-2003, 06:06 AM

hi Guys,

just tried the script, this is how it looks like ..

#!/bin/sh

/sbin/iptales -N MAC_RULE

for MAC in `cat /etc/macs.allow`
do
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source "$MAC"
done

/sbin/iptables -A INPUT -p tcp -j MAC_RULE
/sbin/iptables -A FORWARD -p tcp -j MAc_RULE

I saved the file as firewall.sh in the init.d directory and chmod it 755 , when I run it from the prompt # sh firewall.sh
I get the error
iptables: Chain already exists
iptables v1.2.7a: Bad mac address 'cat /etc/macs.allow'
try iptables -h etc

I have created the macs.allow in the /etc directory with two MACs in it.

Your help will be very appreciated.

thanx again,

Ranjan

Colossis · 12-14-2003, 08:57 AM

normally you want to clear the tables at the beginning of your script

something like this:

Code:

ipt="/bin/iptables"

# Delete table rules, chains and counters
for table in filter nat mangle
do
$ipt -t $table -F # flush
$ipt -t $table -X # delete
$ipt -t $table -Z # zero
done

Look this thread for a more detailed example (that's where a borrowed the above code):
http://www.linuxquestions.org/questi...hreadid=115121

homey · 12-14-2003, 09:41 AM

I have two scripts. The first one called "scanmac" is used to create a list of ip addresses and related mac addresses. The second script called "mac" runs the first script and creates an iptables rule.
In this case, I created an ACCEPT rule based on known good mac addresses. You probably can create a DENY rule based on these scripts also.

Here is the "mac" script................
____________________________________________________
#!/bin/bash
#

#Note: change the ip address range to match your needs.

sh scanmac 192.168.1.1 192.168.1.5 | grep "IP:" > test.txt

mac="/home/test.txt"
cat ${mac} | \
while read IP NUMBER MC DASH NUM
do
/sbin/iptables -A INPUT -m mac --mac-source ${NUM} -j ACCEPT

done

#End

________________________________________________________

Here is the "scanmac" script.....................

_____________________________________

#!/bin/bash

if [ -z "$1" -o "$1" == "-?" ] ; then
echo "Usage: scanmac starting-ip [ending-ip]"
echo
echo "Will list IP and MAC adresses of all active computers"
echo "within a physical network segment."
echo
echo "If ending-ip is omitted, ending-ip = starting-ip+1"
echo " (so that only the host specified will be scanned)."
echo
echo "If you wish to scan from 192.168.2.1 to 192.168.2.31,"
echo " inclusive, specify ending-ip to be 192.168.2.32."
echo

exit 0
fi

startw=$(echo "$1" | cut -d. -f1)
startx=$(echo "$1" | cut -d. -f2)
starty=$(echo "$1" | cut -d. -f3)
startz=$(echo "$1" | cut -d. -f4)

echo "Starting address: $startw.$startx.$starty.$startz"

endip="$2"

if [ -z "$endip" ] ; then
if [ $startz -eq 255 ] ; then
endz=0

if [ $starty -eq 255 ] ; then
endy=0

if [ $startx -eq 255 ] ; then
endx=0

if [ $startw -eq 255 ] ; then
echo "Sorry, you cannot just scan 255.255.255.255."
echo " Maybe later, or you can try to hack support in."

exit 1
else
endw=$(($startw+1))
fi
else
endx=$(($startx+1))
fi
else
endy=$(($starty+1))
fi
else
endz=$(($startz+1))
fi

endip=$endw.$endx.$endy.$endz
fi

echo "Ending address: $endip"

currentw=$startw
currentx=$startx
currenty=$starty
currentz=$startz

currentip=$currentw.$currentx.$currenty.$currentz

# If the bottom octet is zero, it'll get logged inside the while, so
# don't do it here

if [ "$currentz" -ne "0" ] ; then
echo "$(date): $currentip"
fi

trap "exit 15" 15
trap "exit 2" 2

while [ "$currentip" != "$endip" ] ; do
currentip=$currentw.$currentx.$currenty.$currentz

# another log message whenever the bottom octet rolls over

if [ "$currentz" -eq "0" ] ; then
echo "$(date): $currentip"
fi

ping -c 1 -w 10 $currentip >/dev/null 2>&1

mac=$(arp -a $currentip | cut -d' ' -f4)

case "$mac" in
?incomplete?)
: # do nothing -- no MAC for this IP
;;
entries)
: # again, do nothing -- this is a broadcast address
;;
*)
echo "IP: $currentip -- MAC: $mac"
;;
esac

mac="" # reset for the next loop iteration

# now increment the ip values (w,x,y,z)

if [ $currentz -eq 255 ] ; then
currentz=0
else
currentz=$(($currentz+1))
continue
fi

if [ $currenty -eq 255 ] ; then
currenty=0
else
currenty=$(($currenty+1))
continue
fi

if [ $currentx -eq 255 ] ; then
currentx=0
else
currentx=$(($currentx+1))
continue
fi

if [ $currentw -eq 255 ] ; then
break
else
currentz=$(($currentz+1))
continue
fi
done

/bin/bash · 12-14-2003, 09:54 AM

Quote:

iptables v1.2.7a: Bad mac address 'cat /etc/macs.allow'

Make sure you have (`) backtic marks around the `cat /etc/macs.allow` and not (') single quotes.

/bin/bash · 12-14-2003, 10:03 AM

You know Ranjan it is a trivial matter to change your MAC address in Linux.

Just hope that no one on your network figures that one out.