Thanks for reading this. I am trying to authenticate only those PCs that I know of and reject internet access to the rest of them using MACs. The box, running RH9 with iptables, is my internet gateway.
Currently I am able to block those staff who bring their laptop, after we detect it using third-party software, by putting the following rule in iptables:
/sbin/iptables -A INPUT -j DROP -m mac --mac-source 08:00:46:67:B1:5E
What I really want to do is to put all MACs that belong to us in the iptables and only authorise them to access the internet, and block everyone else automatically by default. Is it possible? How do I do it? Please help, as I spend most of my time scanning IP ranges for unauthorised PCs/laptops.
Pass all the forward and input rules through MAC_RULE first...
like
iptables -A FORWARD -p tcp -j MAC_RULE
#########################################
and at the top make the MAC_RULE:
iptables -N MAC_RULE
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source G0:0d:mac:address
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source Another:go0d:mac:address
iptables -A MAC_RULE -j DROP
#########################################
I've never done it, just thought of it... hope that helps!
If a Good_MAC matches it will pass, then all the bad ones will get dropped.
Thanks for your reply, it certainly gave me a direction. I have modified my test firewall.sh script, which runs every time I reboot the box. Let me know your thoughts on this.
/sbin/iptables -A INPUT -p tcp -j MAC_RULE
iptables -N MAC_RULE
iptables -A MAC_RULE -j DROP
iptables -N MAC_RULE
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source 00:07:40:4C:EE:00
iptables -A MAC_RULE -j DROP
# old mac blocking rules
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 08:00:46:67:B1:5E
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:08:0D:EF:13:12
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:07:40:1C:1E:A2
/sbin/iptables -A FORWARD -p tcp -j MAC_RULE
# worm blocking restriction to help with welchia infection
/sbin/iptables -A FORWARD -j DROP -p icmp --icmp-type 0
/sbin/iptables -A FORWARD -j DROP -p icmp --icmp-type 8
/sbin/iptables -A FORWARD -j DROP -p tcp --dport 135:139
/sbin/iptables -A FORWARD -j DROP -p udp --dport 135:139
/sbin/iptables -A OUTPUT -j DROP -p icmp --icmp-type 0
/sbin/iptables -A OUTPUT -j DROP -p icmp --icmp-type 8
/sbin/iptables -A OUTPUT -j DROP -p tcp --dport 135:139
/sbin/iptables -A OUTPUT -j DROP -p udp --dport 135:139
iptables likes to traverse the rules until it has an exact match... then it jumps out. So...
iptables -N MAC_RULE
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source 00:07:40:4C:EE:00 <--is this address authorized? Hope So!!!
iptables -A MAC_RULE -j DROP
# old mac blocking rules
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 08:00:46:67:B1:5E
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:08:0D:EF:13:12
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:07:40:1C:1E:A2
/sbin/iptables -A INPUT -p tcp -j MAC_RULE (here it jumps up and looks for a match (trusted MAC); if it doesn't find one, it hits the last line in MAC_RULE and drops the connection.)
/sbin/iptables -A FORWARD -p tcp -j MAC_RULE
Expanding on what je_fro posted, you could have a file like /etc/hosts.allow, but called /etc/macs.allow or something like that. Then in your iptables script you do this:
Code:
for MAC in `cat /etc/macs.allow`
do
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source "$MAC"
done
Edit: Of course the contents of /etc/macs.allow would be a list of good MAC addresses, something like this:
Code:
00:07:40:4C:EE:00
<another-authorised-MAC-address>
Do I have to put any rule after the code so that iptables drops packets from all MACs which are not listed in the file, or will it happen by itself?
Also, do I chmod it 755?
Thanks for your suggestion, it's pretty good too.
Thanks a lot,
just tried the script; this is how it looks:
#!/bin/sh
/sbin/iptables -N MAC_RULE
for MAC in `cat /etc/macs.allow`
do
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source "$MAC"
done
/sbin/iptables -A INPUT -p tcp -j MAC_RULE
/sbin/iptables -A FORWARD -p tcp -j MAC_RULE
I saved the file as firewall.sh in the init.d directory and chmod'ed it 755. When I run it from the prompt with # sh firewall.sh
I get the error:
iptables: Chain already exists
iptables v1.2.7a: Bad mac address 'cat /etc/macs.allow'
try iptables -h etc
I have created macs.allow in the /etc directory with two MACs in it.
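A complete allow-list script that pulls together je_fro's MAC_RULE chain (ACCEPT for each known MAC, then DROP), the /etc/macs.allow loop suggested above, and the two errors from the last attempt. This is an added example, not code from the thread or from any of its posters. Assumptions not in the thread: the script is saved as firewall-mac.sh, the LAN-facing interface is eth1, and the IPT variable can be pointed at `echo iptables` to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the MAC_RULE allow-list chain
# from a file (one MAC per line, '#' comments allowed) in the order the thread
# arrives at: ACCEPT for each known MAC, then a final DROP.
# Assumptions (not from the thread): the file is saved as firewall-mac.sh, the
# LAN-facing interface is eth1, and IPT may be overridden, e.g.
# IPT="echo iptables" prints the rules instead of applying them.

IPT=${IPT:-/sbin/iptables}
LAN_IF=${LAN_IF:-eth1}
ALLOW_FILE=${ALLOW_FILE:-/etc/macs.allow}

# Strict MAC syntax check: six two-digit hex groups separated by colons.
is_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Tear down and re-create MAC_RULE so the script can be re-run: without this a
# second run fails with "iptables: Chain already exists" and keeps the old rules.
# The jumps are removed first because -X refuses to delete a referenced chain.
reset_chain() {
  $IPT -D INPUT   -i "$LAN_IF" -j MAC_RULE 2>/dev/null
  $IPT -D FORWARD -i "$LAN_IF" -j MAC_RULE 2>/dev/null
  $IPT -F MAC_RULE 2>/dev/null
  $IPT -X MAC_RULE 2>/dev/null
  $IPT -N MAC_RULE
}

# Populate MAC_RULE from the allow-list and set MAC_COUNT to the number of
# entries loaded. A line that is not a MAC (e.g. the literal text
# 'cat /etc/macs.allow' from the thread's error) is reported and skipped rather
# than handed to iptables.
load_mac_rules() {
  MAC_COUNT=0
  while read -r mac _rest; do
    case "$mac" in ''|\#*) continue ;; esac      # blank line or comment
    if is_mac "$mac"; then
      $IPT -A MAC_RULE -m mac --mac-source "$mac" -j ACCEPT
      MAC_COUNT=$((MAC_COUNT + 1))
    else
      printf 'skipping malformed MAC "%s" in %s\n' "$mac" "$ALLOW_FILE" >&2
    fi
  done < "$ALLOW_FILE"
  # Default deny: a frame whose source MAC matched nothing above is dropped.
  $IPT -A MAC_RULE -j DROP
}

# Hook the chain in for every protocol (a "-p tcp" jump would leave UDP and ICMP
# from unknown hosts unfiltered) and only on the LAN side: frames arriving on the
# upstream interface carry the ISP router's MAC, which is never on the list.
hook_chain() {
  $IPT -I INPUT   1 -i "$LAN_IF" -j MAC_RULE
  $IPT -I FORWARD 1 -i "$LAN_IF" -j MAC_RULE
}

apply_mac_filter() {
  reset_chain && load_mac_rules && hook_chain
}

# Apply only when run as a script (sh firewall-mac.sh); sourcing the file just
# defines the functions.
case "$0" in
  *firewall-mac.sh) apply_mac_filter ;;
esac
```

Two things the thread's version does not cover: "Chain already exists" is what a second run produces when MAC_RULE was never flushed and deleted, so the script tears the chain down before recreating it; and "Bad mac address 'cat /etc/macs.allow'" shows that iptables received that literal text as a MAC, i.e. the backticks around cat had become plain quotes, so each entry is validated first and a bad one yields a readable message. The jump is restricted to the LAN interface and not to TCP, for the reasons in the comments. Bear in mind that a source MAC is a convenience check against unmanaged hosts, not authentication: it identifies a network card, not a user.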
I have two scripts. The first one, called "scanmac", is used to create a list of IP addresses and related MAC addresses. The second script, called "mac", runs the first script and creates an iptables rule.
In this case, I created an ACCEPT rule based on known good MAC addresses. You probably can create a DENY rule based on these scripts also.
Here is the "mac" script:
Code:
#!/bin/bash
#
# Note: change the ip address range to match your needs.
# scanmac prints lines like "IP: 192.168.1.1 -- MAC: 00:07:40:4C:EE:00";
# keep only those, then read the fields back (IP="IP:", NUMBER=the address,
# MC="--", DASH="MAC:", NUM=the MAC address).
mac="/home/test.txt"
sh scanmac 192.168.1.1 192.168.1.5 | grep "IP:" > "${mac}"
cat "${mac}" | \
while read IP NUMBER MC DASH NUM
do
  /sbin/iptables -A INPUT -m mac --mac-source "${NUM}" -j ACCEPT
done
And here is the "scanmac" script (the post as preserved begins part-way through it; the shebang, argument parsing and loop initialisation below are reconstructed from the usage text and the variables the loop uses):
Code:
#!/bin/bash
# scanmac: list the IP and MAC addresses of active hosts on the local
# network segment by pinging each address and reading the ARP cache.
if [ -z "$1" -o "$1" = "-?" ] ; then
  echo "Usage: scanmac starting-ip [ending-ip]"
  echo
  echo "Will list IP and MAC addresses of all active computers"
  echo "within a physical network segment."
  echo
  echo "If ending-ip is omitted, ending-ip = starting-ip+1"
  echo " (so that only the host specified will be scanned)."
  echo
  echo "If you wish to scan from 192.168.2.1 to 192.168.2.31,"
  echo " inclusive, specify ending-ip to be 192.168.2.32."
  echo
  exit 1
fi
# --- reconstructed (missing from the post): split starting-ip into its four
# octets and work out ending-ip; assumes the last octet of starting-ip is below 255
IFS=. read currentw currentx currenty currentz <<EOF
$1
EOF
currentip=$currentw.$currentx.$currenty.$currentz
if [ -n "$2" ] ; then
  endip=$2
else
  endip=$currentw.$currentx.$currenty.$(($currentz+1))
fi
# --- end of reconstruction
# If the bottom octet is zero, it'll get logged inside the while, so
# don't do it here
if [ "$currentz" -ne "0" ] ; then
  echo "$(date): $currentip"
fi
trap "exit 15" 15
trap "exit 2" 2
# currentip is rebuilt from the octets before every test, so the loop stops
# as soon as the incremented address reaches ending-ip (which is exclusive)
while currentip=$currentw.$currentx.$currenty.$currentz ; [ "$currentip" != "$endip" ] ; do
  # another log message whenever the bottom octet rolls over
  if [ "$currentz" -eq "0" ] ; then
    echo "$(date): $currentip"
  fi
  ping -c 1 -w 10 $currentip >/dev/null 2>&1
  mac=$(arp -a $currentip | cut -d' ' -f4)
  case "$mac" in
    ?incomplete?)
      : # do nothing -- no MAC for this IP ("<incomplete>" or "(incomplete)")
      ;;
    entries)
      : # again, do nothing -- this is a broadcast address
      ;;
    *:*:*:*:*:*)
      echo "IP: $currentip -- MAC: $mac"
      ;;
    *)
      : # anything else (e.g. the "no" of "-- no entry") is not a MAC, skip it
      ;;
  esac
  mac="" # reset for the next loop iteration
  # now increment the ip values (w,x,y,z)
  if [ $currentz -eq 255 ] ; then
    currentz=0
  else
    currentz=$(($currentz+1))
    continue
  fi
  if [ $currenty -eq 255 ] ; then
    currenty=0
  else
    currenty=$(($currenty+1))
    continue
  fi
  if [ $currentx -eq 255 ] ; then
    currentx=0
  else
    currentx=$(($currentx+1))
    continue
  fi
  if [ $currentw -eq 255 ] ; then
    break
  else
    currentw=$(($currentw+1))   # the post incremented currentz here, so w never advanced
    continue
  fi
done
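For building /etc/macs.allow from what the gateway already knows, here is an added example (not from the thread or its posters) that parses "arp -a" output instead of running the ping sweep above: it keeps only complete entries whose MAC is well-formed, drops "<incomplete>" and "no entry" lines, and normalises the MAC to upper case. The sample input is constructed; the hostnames, addresses and MACs in it are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: turn "arp -a" output into "IP MAC"
# lines for an allow-list, keeping only complete, well-formed entries.
# SAMPLE_ARP is constructed to imitate net-tools "arp -a" lines; the hosts,
# addresses and MACs are made up.

SAMPLE_ARP='gateway (192.168.1.1) at 00:07:40:4C:EE:00 [ether] on eth0
? (192.168.1.7) at <incomplete> on eth0
desk-02 (192.168.1.12) at 00:11:22:33:44:55 [ether] on eth0
192.168.1.255 (192.168.1.255) -- no entry
badline (192.168.1.30) at 00:11:22:33:44 [ether] on eth0'

# Strict MAC syntax check: six two-digit hex groups separated by colons.
is_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# stdin: arp -a lines; stdout: "IP MAC" for each usable neighbour, MAC upper-cased.
arp_to_allowlist() {
  while read -r _host ip at mac _rest; do
    [ "at" = "$at" ] || continue      # "-- no entry" lines have no "at" field
    ip=${ip#\(}; ip=${ip%\)}          # "(192.168.1.1)" -> "192.168.1.1"
    is_mac "$mac" || continue         # drops <incomplete> and malformed MACs
    printf '%s %s\n' "$ip" "$(printf '%s' "$mac" | tr 'abcdef' 'ABCDEF')"
  done
}

# Number of usable entries in the sample (a sanity check before writing the file).
count_sample_entries() {
  printf '%s\n' "$SAMPLE_ARP" | arp_to_allowlist | grep -c ''
}

# On a real box:  arp -a | arp_to_allowlist | cut -d' ' -f2 > /etc/macs.allow
printf '%s\n' "$SAMPLE_ARP" | arp_to_allowlist
```

Only neighbours currently in the ARP cache appear, so a host that has not exchanged traffic with the gateway recently is missing; that is why the poster's scanmac pings each address first. Whichever way the list is gathered, it is a snapshot of what was on the wire at that moment, so review it against the inventory before it becomes the allow-list.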