Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Distribution: Slackware & Slamd64. What else is there?
How is MAC being obtained?
Hi,
I am trying to secure a wireless router which is also running my LAN. Until I can get some more hardware I have installed arno iptables firewall on my Slackware boxes and it seems to do most of what I want. All the boxes on the LAN can talk to each other except for the wireless nodes which come in on certain IPs. The wired boxes have dedicated IPs so they shouldn't be leased to wireless nodes. It seems like it's working because the wired boxes can get to my webserver but the wireless nodes can't, which is what I want.
I notice I can't protect against NMAP obtaining the MAC of the wired LAN boxes.
How is this information being obtained and can I create an iptables rule to stop it?
Quote:
I notice I can't protect against NMAP obtaining the MAC of the wired LAN boxes.
How is this information being obtained and can I create an iptables rule to stop it?
MAC addresses are obtained as part of (and required for) layer 2 ethernet communication. See the OSI model enumeration for more details on that.
IIRC, iptables is able to perform layer 2 filtering, but I am not sure it will solve the problem you're describing.
If the goal is simply to cloak the true MAC addresses of the NICs in the wired boxes, another possibility may be to spoof their MAC addresses to something fictional of your choosing.
Original Poster
Hi guys, it was too late when I realized the MAC addresses are part of the packets. But it should go away once it crosses the NAT layer in the router, correct? Then it will be only the MAC of the router.
I started another thread and didn't get much feedback but what I am trying to do is to allow certain people to get to the internet using my wireless router but I want them off my LAN so that the inevitable hacking doesn't lead to compromising my LAN. All I have is one DSL router. I did all the obvious stuff like using a strong passphrase and having a list of authenticated MACs but I still don't trust it. Maybe I could set up a subnet for the wireless clients but I couldn't figure out how to do it on this router.
What's the correct way to accomplish this? I basically want to firewall my LAN but allow wireless clients to get only to the internet and not see my LAN at all. Do I just slap a hardware firewall behind my router and run all the LAN off of it? If these questions don't make sense it's because I haven't ever looked into networking. It just kind of happened badly as I got more boxes. Thank you.
Quote:
Hi guys, it was too late when I realized the MAC addresses are part of the packets. But it should go away once it crosses the NAT layer in the router, correct?
Technically they are part of the frames which the packets are encapsulated in. And yes, they only work within the LAN, as frames are non-routable (unlike packets).
Quote:
I basically want to firewall my LAN but allow wireless clients to get only to the internet and not see my LAN at all. Do I just slap a hardware firewall behind my router and run all the LAN off of it?
That's definitely an option worth considering. BTW, if you could post the brand/model of the router it would be great, as we could look at its feature set.
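To make the two layer-2 points in this thread concrete (a host's MAC is learned from the Ethernet/ARP frame on the local segment, which no IP-level iptables rule sees, and a router replaces that frame header at each hop so the MAC does not follow the packet off the LAN), here is an added Python example, not code from the original thread. All addresses are constructed samples, and forward_frame is a simplified model of a router's layer-2 rewrite.

```python
import struct
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac(s): return bytes(int(x, 16) for x in s.split(":"))
def ip(s): return bytes(int(x) for x in s.split("."))

def eth_frame(dst, src, ethertype, payload):
    """Wrap a payload in a 14-byte Ethernet header (layer 2)."""
    return struct.pack("!6s6sH", mac(dst), mac(src), ethertype) + payload

def arp_body(op, sha, spa, tha, tpa):
    """ARP over Ethernet/IPv4 (op 1 = request, 2 = reply). The sender's MAC
    travels in the body: that is how any host on the segment learns it."""
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, op,
                       mac(sha), ip(spa), mac(tha), ip(tpa))

def parse_frame(frame):
    """Addresses from the Ethernet header plus, for ARP/IPv4, from the payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "proto": f"0x{ethertype:04x}"}
    body = frame[14:]
    if ethertype == ETH_ARP and len(body) >= 28:
        op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", body[:28])[4:]
        info.update(proto="ARP", op="request" if op == 1 else "reply",
                    sender_mac=mac_str(sha), sender_ip=ip_str(spa),
                    target_mac=mac_str(tha), target_ip=ip_str(tpa))
    elif ethertype == ETH_IPV4 and len(body) >= 20:
        info.update(proto="IPv4", src_ip=ip_str(body[12:16]), dst_ip=ip_str(body[16:20]))
    return info

def forward_frame(frame, router_mac, next_hop_mac):
    """Simplified per-hop layer-2 rewrite done by a router: the old Ethernet header
    is discarded, so a LAN host's MAC never leaves the segment; the IP packet does."""
    return eth_frame(next_hop_mac, router_mac, ETH_IPV4, frame[14:])
# Constructed sample addresses (locally administered MACs, private/documentation IPs).
WIRED_MAC, WIRED_IP = "02:00:00:00:00:0a", "192.168.1.10"
SCANNER_MAC, SCANNER_IP = "02:00:00:00:00:64", "192.168.1.100"
ROUTER_MAC, UPSTREAM_MAC = "02:00:00:00:00:01", "02:00:00:00:ff:01"
# The wired box answering "who has 192.168.1.10?" hands its MAC to the asker.
arp_reply = eth_frame(SCANNER_MAC, WIRED_MAC, ETH_ARP,
                      arp_body(2, WIRED_MAC, WIRED_IP, SCANNER_MAC, SCANNER_IP))
# Minimal IPv4 header (no options, no payload) from the wired box to an
# Internet host, before and after the router replaces the Ethernet header.
ipv4_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, ip(WIRED_IP), ip("203.0.113.5"))
lan_frame = eth_frame(ROUTER_MAC, WIRED_MAC, ETH_IPV4, ipv4_hdr)
wan_frame = forward_frame(lan_frame, ROUTER_MAC, UPSTREAM_MAC)
```

Parsing arp_reply shows the wired box's MAC in both the frame header and the ARP body, while parsing lan_frame and wan_frame shows the same IP source and destination with only the router's MAC visible on the far side.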