Linux - Security
This forum is for all security-related questions.
#!/bin/sh
# Flush every chain in the filter table (this also removes whatever the MASQ script added)
/sbin/iptables -F
# Delete all user-defined chains (fails if a chain is still referenced by a jump)
/sbin/iptables -X
/sbin/iptables -N MAC_RULE
for MAC in `cat /etc/macs.allow`
do
    /sbin/iptables -A MAC_RULE -j ACCEPT -m mac --mac-source "$MAC"
done
/sbin/iptables -A MAC_RULE -j DROP   # Don't forget to drop the unknown MACs.
/sbin/iptables -A INPUT -p tcp -j MAC_RULE
/sbin/iptables -A FORWARD -p tcp -j MAC_RULE
When I run the script I get the error "Can't delete the chain with references left". If I comment out the -X rule it works fine, but then I lose all connectivity to my LAN clients even though their MACs are in the macs.allow file. If I comment out the -F rule then the script runs fine, but then those machines whose MACs are not in the file are still able to connect. I am using the script for MASQ from http://www.tldp.org/HOWTO/IP-Masquer...-examples.html, which has the bare minimum firewall rule set just to get MASQ working. Also, with the /sbin/iptables -N MAC_RULE rule, the first time it runs fine but the next time I get the error "Chain already exists". That is probably because I have commented out the -F and -X rules, I think.
IPTABLES=/sbin/iptables
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -F
$IPTABLES -X
The -X flag should delete the MAC_RULE chain before it is freshly reloaded. This is so that every time your script does $IPTABLES -N MAC_RULE it doesn't error out saying "rule exists".
If this doesn't work, since MAC_RULE exists, just take out the $IPTABLES -X line.
Let me know if that works...
I have a Linux box running squid and iptables as a transparent proxy. I was looking for a way to permit connections from valid computers only. Then I read the message "DESPERATE: Iptables block users by MAC address". I tried what je_fro posted and all is ok.
But when I include it in my rules the clients can connect for web requests, but when the clients need to connect via ssh to other servers they can't do it. If I comment out the MAC-address blocking rule, they can connect via ssh without problem.
I followed the advice that ranjan303 posted but it doesn't work. What do you suggest?
Thanks a lot to everyone.
####################################################################
#!/bin/bash
echo -e Beginning rules.........
# initialise modules
# $IPLOCAL, $MAQ1, $LOCALNET and $VALIDIP are used below but are not defined
# in the posted excerpt; they must be set before this point.
# default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
############# blocking computers via MAC address
/sbin/iptables -N MAC_RULE
# valid computers (just a test)
/sbin/iptables -A MAC_RULE -i eth1 -m mac --mac-source 00:11:02:C1:F4:BF -j ACCEPT
/sbin/iptables -A MAC_RULE -i eth1 -m mac --mac-source 00:11:12:12:C3:B7 -j ACCEPT
# the rest is blocked
/sbin/iptables -A MAC_RULE -j DROP
/sbin/iptables -A INPUT -p tcp -j MAC_RULE
/sbin/iptables -A FORWARD -p tcp -j MAC_RULE
##### blocking syn flooding
/sbin/iptables -N syn-flood
/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
/sbin/iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
/sbin/iptables -A syn-flood -j DROP
##### no spoofing
/sbin/iptables -A INPUT -i eth0 -s $IPLOCAL -j DROP
######## let ssh connection
/sbin/iptables -A INPUT -s $MAQ1 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -d $MAQ1 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
################### NAT:
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s $LOCALNET -d 0/0 -j SNAT --to-source $VALIDIP
#####
#/sbin/iptables -A FORWARD -j MAC_RULE   # adding this line doesn't work yet
#######
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LOCALNET -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
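As an added example (not code from any of the posts in this thread), here is a reload script that addresses the two problems raised above: the "Can't delete the chain with references left" and "Chain already exists" errors from the first post, and the blocked client ssh from the script just above. In that script the FORWARD jump applies to every TCP packet, so a reply arriving on eth0 reaches MAC_RULE, matches none of the -i eth1 ACCEPT rules and hits the DROP; the ESTABLISHED,RELATED rule at the end of FORWARD is never reached. The version below deletes the jumps that reference MAC_RULE before flushing and deleting the chain, accepts ESTABLISHED,RELATED traffic first, and sends only NEW connections arriving on the LAN interface to MAC_RULE (all protocols, not just TCP). The interface name eth1, the file /etc/macs.allow and the /sbin/iptables path are assumed placeholders; the `show` verb prints the rules instead of loading them, so it can be previewed without root.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posts above.
# Rebuilds a MAC allow-list chain idempotently and hooks it so that only NEW
# connections arriving on the LAN interface are checked. Replies to a client's
# outbound ssh come back on the WAN interface and are accepted as ESTABLISHED
# before MAC_RULE is ever consulted.
# Assumed placeholders (not taken from the thread): LAN_IF=eth1, MAC_FILE=/etc/macs.allow.
LAN_IF=${LAN_IF:-eth1}
MAC_FILE=${MAC_FILE:-/etc/macs.allow}
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}

# Run iptables, or only print the command when DRY_RUN=1 (preview without root).
ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$IPT $*"; else "$IPT" "$@"; fi
}

# Accept only six colon-separated hex octets; anything else never reaches iptables.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Insert a rule at the top of a chain, deleting any identical copy first so that
# re-running the script does not pile up duplicates.
insert_once() {            # insert_once CHAIN POSITION rule...
    chain=$1; pos=$2; shift 2
    ipt -D "$chain" "$@" 2>/dev/null || true
    ipt -I "$chain" "$pos" "$@"
}

# Drop and recreate MAC_RULE. The jumps that reference the chain are removed first;
# "iptables -X" refuses to delete a chain that is still referenced from INPUT or FORWARD.
reset_mac_chain() {
    ipt -D INPUT   -i "$LAN_IF" -m conntrack --ctstate NEW -j MAC_RULE 2>/dev/null || true
    ipt -D FORWARD -i "$LAN_IF" -m conntrack --ctstate NEW -j MAC_RULE 2>/dev/null || true
    ipt -F MAC_RULE 2>/dev/null || true
    ipt -X MAC_RULE 2>/dev/null || true
    ipt -N MAC_RULE
}

# One ACCEPT per valid MAC in the file, then a terminating DROP for everything else.
# Blank lines and '#' comments are ignored; malformed entries are reported and skipped.
build_mac_chain() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        mac=${line%%#*}
        mac=$(printf '%s' "$mac" | tr -d '[:space:]')
        if [ -z "$mac" ]; then continue; fi
        if valid_mac "$mac"; then
            ipt -A MAC_RULE -m mac --mac-source "$mac" -j ACCEPT
            n=$((n + 1))
        else
            echo "skipping malformed MAC entry: $line" >&2
        fi
    done < "$MAC_FILE"
    ipt -A MAC_RULE -j DROP
    echo "MAC_RULE: $n allowed address(es)" >&2
}

# Full reload: established traffic first, then the MAC check for NEW LAN connections.
apply_rules() {
    reset_mac_chain
    build_mac_chain
    insert_once INPUT   1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    insert_once FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    insert_once INPUT   2 -i "$LAN_IF" -m conntrack --ctstate NEW -j MAC_RULE
    insert_once FORWARD 2 -i "$LAN_IF" -m conntrack --ctstate NEW -j MAC_RULE
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  DRY_RUN=1; apply_rules ;;
    "")    ;;                         # no verb: just define the functions
    *)     echo "usage: $0 apply|show" >&2; exit 2 ;;
esac
```

Run `sh macfilter.sh show` to see the exact iptables commands, then `sudo sh macfilter.sh apply` to load them; the NAT rules and the rest of the ruleset are left untouched. Two caveats apply to any ruleset built on `-m mac`: the match is only available in PREROUTING, INPUT and FORWARD (a frame's source MAC is unknown in OUTPUT and POSTROUTING), and it identifies the last hop on the LAN segment, an address the client itself can change with `ip link set dev ... address ...`, so it keeps casual users off the gateway rather than authenticating anyone.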
You are correct, but the hacker needs to know a trusted MAC to get in, and in the two years this script has been in use none of the users have been able to guess it. Ranj.