LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-14-2003, 01:04 AM   #1
ranjan303
LQ Newbie
 
Registered: Nov 2003
Location: Australia
Posts: 16

Rep: Reputation: 0
Question DESPERATE : Iptables block users by MAC address.


Hi All,

thanx for reading this. I am trying to authenticate only those PC that I know of and reject access to internet to the rest of them using MACs. The box is running rh9 with iptables is my internet gateway.

Currently I am able to block those staff who bring their laptop after we detect it using a third party software by putting the following rule in iptables

/sbin/iptables -A INPUT -j DROP -m mac --mac-source 08:00:46:67:B1:5E

What I really wanna do is to put all MACs that belong to us in the iptables and only authorise them to access the internet, and block everyone else automatically by default. Is it possible ? How do I do it. Please help, as I spent most of the time scanning ip ranges for unauthorised pcs/laptops.

thanx again,

Ranjan.
 
Old 12-14-2003, 01:16 AM   #2
Colossis
LQ Newbie
 
Registered: Mar 2003
Distribution: VectorLinux 4.0
Posts: 11

Rep: Reputation: Disabled
just have a for loop going through all the mac addresses that you will accept, and then after that loop drop all other mac addresses

the accepts will take precedence over the drop all...


I'm beginner, but I think that's what you want to do... someone please correct me if i'm wrong.
 
Old 12-14-2003, 01:23 AM   #3
ranjan303
LQ Newbie
 
Registered: Nov 2003
Location: Australia
Posts: 16

Original Poster
Rep: Reputation: 0
thanx for your reply, but how do I drop all the packets from the other MACs that are on the network ?
 
Old 12-14-2003, 03:31 AM   #4
je_fro
Member
 
Registered: Nov 2002
Location: /texas/austin/home/desk
Distribution: Gentoo
Posts: 341

Rep: Reputation: 30
Maybe make a new rule: MAC_RULE

Pass all the forward and input rules through MAC_RULE first...
like
iptables -A FORWARD -p tcp -j MAC_RULE
#########################################

and at the top make the MAC_RULE:
iptables -N MAC_RULE
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source G0:0d:mac:address
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source Another:go0d:mac:address
iptables -A MAC_RULE -j DROP
#########################################

I've never done, just thought of it...hope that helps!
If a Good_MAC matches it will pass, then all the bad ones will get dropped.
 
Old 12-14-2003, 04:12 AM   #5
ranjan303
LQ Newbie
 
Registered: Nov 2003
Location: Australia
Posts: 16

Original Poster
Rep: Reputation: 0
Hi Je_fro ,

thanx for your reply, it certainly gave me a direction. I have modified my test firewall.sh script which runs everytime I reboot the box. Lemme know your thoughts on this.

/sbin/iptables -A INPUT -p tcp -j MAC_RULE

iptables -N MAC_RULE

iptables -A MAC_RULE -j DROP

iptables -N MAC_RULE
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source 00:07:40:4C:EE:00
iptables -A MAC_RULE -j DROP

# old mac blocking rules
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 08:00:46:67:B1:5E
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:08:0D:EF:13:12
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:07:40:1C:1E:A2


/sbin/iptables -A FORWARD -p tcp -j MAC_RULE

# worm blocking restriction to help with welchia infection
/sbin/iptables -A FORWARD -j DROP -p icmp --icmp-type 0
/sbin/iptables -A FORWARD -j DROP -p icmp --icmp-type 8
/sbin/iptables -A FORWARD -j DROP -p tcp --dport 135:139
/sbin/iptables -A FORWARD -j DROP -p udp --dport 135:139

/sbin/iptables -A OUTPUT -j DROP -p icmp --icmp-type 0
/sbin/iptables -A OUTPUT -j DROP -p icmp --icmp-type 8
/sbin/iptables -A OUTPUT -j DROP -p tcp --dport 135:139
/sbin/iptables -A OUTPUT -j DROP -p udp --dport 135:139

Thanx again for your help.

Ranjan.
 
Old 12-14-2003, 04:16 AM   #6
je_fro
Member
 
Registered: Nov 2002
Location: /texas/austin/home/desk
Distribution: Gentoo
Posts: 341

Rep: Reputation: 30
Hmm...

iptables likes to traverse the rules until it has an exact match...then it jumps out. So...



iptables -N MAC_RULE
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source 00:07:40:4C:EE:00 <--is this address authorized? Hope So!!!
iptables -A MAC_RULE -j DROP

# old mac blocking rules
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 08:00:46:67:B1:5E
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:08:0D:EF:13:12
# /sbin/iptables -A INPUT -j DROP -m mac --mac-source 00:07:40:1C:1E:A2


/sbin/iptables -A INPUT -p tcp -j MAC_RULE (here it jumps up and looks for a match (trusted MAC) if it doesn't find one, it hits the last line in MAC_RULE and drops the connection.)
/sbin/iptables -A FORWARD -p tcp -j MAC_RULE

HTH
 
Old 12-14-2003, 04:21 AM   #7
ranjan303
LQ Newbie
 
Registered: Nov 2003
Location: Australia
Posts: 16

Original Poster
Rep: Reputation: 0
hi je_fro,

thanx for that explanation. I will give it a go and let you know.

thanx again.

Ranjan.
 
Old 12-14-2003, 04:22 AM   #8
je_fro
Member
 
Registered: Nov 2002
Location: /texas/austin/home/desk
Distribution: Gentoo
Posts: 341

Rep: Reputation: 30
Talking heh...

my pleasure.
 
Old 12-14-2003, 04:26 AM   #9
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 46
Expanding on what je_fro posted, you could have a file like /etc/hosts.allow but it's /etc/macs.allow or something like that. Then in your iptables script you do this:

Code:
for MAC in `cat /etc/macs.allow`
	do
	iptables -A MAC_RULE -j ACCEPT -m mac --mac-source "$MAC"
done
<edit> Of course the contents of /etc/macs.allow would be a list of good mac addresses something like this:

00:01:02:03:04:05
00:01:02:03:04:06
00:01:02:03:04:07
00:01:02:03:04:08

Last edited by /bin/bash; 12-14-2003 at 04:28 AM.
 
Old 12-14-2003, 06:17 AM   #10
ranjan303
LQ Newbie
 
Registered: Nov 2003
Location: Australia
Posts: 16

Original Poster
Rep: Reputation: 0
good one.

Hi /bin/bash

after the code that you put in
Code:
 

 for MAC in `cat /etc/macs.allow`
	do
	iptables -A MAC_RULE -j ACCEPT -m mac --mac-source "$MAC" 
done
do I have to put any rule after the code so that iptables drops packets from all MACs which are not listed in the file or will it happen by itself ?
Also do I chmod it 755 ?

Thanx for your suggestion, its pretty good too.
thanx a lot ,

Ranjan

Last edited by ranjan303; 12-14-2003 at 06:19 AM.
 
Old 12-14-2003, 07:06 AM   #11
ranjan303
LQ Newbie
 
Registered: Nov 2003
Location: Australia
Posts: 16

Original Poster
Rep: Reputation: 0
tried the script

hi Guys,

just tried the script, this is how it looks like ..


#!/bin/sh

/sbin/iptales -N MAC_RULE

for MAC in `cat /etc/macs.allow`
do
iptables -A MAC_RULE -j ACCEPT -m mac --mac-source "$MAC"
done

/sbin/iptables -A INPUT -p tcp -j MAC_RULE
/sbin/iptables -A FORWARD -p tcp -j MAc_RULE

I saved the file as firewall.sh in the init.d directory and chmod it 755 , when I run it from the prompt # sh firewall.sh
I get the error
iptables: Chain already exists
iptables v1.2.7a: Bad mac address 'cat /etc/macs.allow'
try iptables -h etc

I have created the macs.allow in the /etc directory with two MACs in it.

Your help will be very appreciated.

thanx again,

Ranjan
 
Old 12-14-2003, 09:57 AM   #12
Colossis
LQ Newbie
 
Registered: Mar 2003
Distribution: VectorLinux 4.0
Posts: 11

Rep: Reputation: Disabled
normally you want to clear the tables at the beginning of your script

something like this:

Code:
ipt="/bin/iptables"

# Delete table rules, chains and counters
for table in filter nat mangle
do
$ipt -t $table -F # flush
$ipt -t $table -X # delete
$ipt -t $table -Z # zero
done
Look this thread for a more detailed example (that's where a borrowed the above code):
http://www.linuxquestions.org/questi...hreadid=115121
 
Old 12-14-2003, 10:41 AM   #13
homey
Senior Member
 
Registered: Oct 2003
Posts: 3,057

Rep: Reputation: 56
I have two scripts. The first one called "scanmac" is used to create a list of ip addresses and related mac addresses. The second script called "mac" runs the first script and creates an iptables rule.
In this case, I created an ACCEPT rule based on known good mac addresses. You probably can create a DENY rule based on these scripts also.

Here is the "mac" script................
____________________________________________________
#!/bin/bash
#

#Note: change the ip address range to match your needs.

sh scanmac 192.168.1.1 192.168.1.5 | grep "IP:" > test.txt

mac="/home/test.txt"
cat ${mac} | \
while read IP NUMBER MC DASH NUM
do
/sbin/iptables -A INPUT -m mac --mac-source ${NUM} -j ACCEPT

done

#End

________________________________________________________


Here is the "scanmac" script.....................

_____________________________________

#!/bin/bash

if [ -z "$1" -o "$1" == "-?" ] ; then
echo "Usage: scanmac starting-ip [ending-ip]"
echo
echo "Will list IP and MAC adresses of all active computers"
echo "within a physical network segment."
echo
echo "If ending-ip is omitted, ending-ip = starting-ip+1"
echo " (so that only the host specified will be scanned)."
echo
echo "If you wish to scan from 192.168.2.1 to 192.168.2.31,"
echo " inclusive, specify ending-ip to be 192.168.2.32."
echo

exit 0
fi

startw=$(echo "$1" | cut -d. -f1)
startx=$(echo "$1" | cut -d. -f2)
starty=$(echo "$1" | cut -d. -f3)
startz=$(echo "$1" | cut -d. -f4)

echo "Starting address: $startw.$startx.$starty.$startz"

endip="$2"

if [ -z "$endip" ] ; then
if [ $startz -eq 255 ] ; then
endz=0

if [ $starty -eq 255 ] ; then
endy=0

if [ $startx -eq 255 ] ; then
endx=0

if [ $startw -eq 255 ] ; then
echo "Sorry, you cannot just scan 255.255.255.255."
echo " Maybe later, or you can try to hack support in."

exit 1
else
endw=$(($startw+1))
fi
else
endx=$(($startx+1))
fi
else
endy=$(($starty+1))
fi
else
endz=$(($startz+1))
fi

endip=$endw.$endx.$endy.$endz
fi

echo "Ending address: $endip"

currentw=$startw
currentx=$startx
currenty=$starty
currentz=$startz

currentip=$currentw.$currentx.$currenty.$currentz

# If the bottom octet is zero, it'll get logged inside the while, so
# don't do it here

if [ "$currentz" -ne "0" ] ; then
echo "$(date): $currentip"
fi

trap "exit 15" 15
trap "exit 2" 2

while [ "$currentip" != "$endip" ] ; do
currentip=$currentw.$currentx.$currenty.$currentz

# another log message whenever the bottom octet rolls over

if [ "$currentz" -eq "0" ] ; then
echo "$(date): $currentip"
fi

ping -c 1 -w 10 $currentip >/dev/null 2>&1

mac=$(arp -a $currentip | cut -d' ' -f4)

case "$mac" in
?incomplete?)
: # do nothing -- no MAC for this IP
;;
entries)
: # again, do nothing -- this is a broadcast address
;;
*)
echo "IP: $currentip -- MAC: $mac"
;;
esac

mac="" # reset for the next loop iteration

# now increment the ip values (w,x,y,z)

if [ $currentz -eq 255 ] ; then
currentz=0
else
currentz=$(($currentz+1))
continue
fi

if [ $currenty -eq 255 ] ; then
currenty=0
else
currenty=$(($currenty+1))
continue
fi

if [ $currentx -eq 255 ] ; then
currentx=0
else
currentx=$(($currentx+1))
continue
fi

if [ $currentw -eq 255 ] ; then
break
else
currentz=$(($currentz+1))
continue
fi
done
 
Old 12-14-2003, 10:54 AM   #14
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 46
Quote:
iptables v1.2.7a: Bad mac address 'cat /etc/macs.allow'
Make sure you have (`) backtic marks around the `cat /etc/macs.allow` and not (') single quotes.
 
Old 12-14-2003, 11:03 AM   #15
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 46
You know Ranjan it is a trivial matter to change your MAC address in Linux.

Just hope that no one on your network figures that one out.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
block mac address Ammad Linux - General 1 09-11-2005 02:00 PM
MAC Address + IPTABLES yvesg Linux - Networking 1 05-10-2004 09:36 PM
iptables : how do I block inbound traffic from one ip address only? Apollo77 Linux - Security 7 03-22-2004 11:22 AM
DESPERATE : Iptables , permit know MAC , block rest. ranjan303 Linux - Networking 3 12-14-2003 10:10 AM
iptables - howto block by a port and IP address -HELP! macnanc Linux - Networking 2 03-07-2003 05:45 AM


All times are GMT -5. The time now is 02:52 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration