LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-05-2010, 05:39 AM   #1
ekalavya
LQ Newbie
 
Registered: Feb 2009
Posts: 23

Rep: Reputation: 0
IP tables rule help


Hi,

We have the following setup for Internet access through a broadband connection:

1) FC4
2) Squid
3) Dansguardian
4) eth0 into our LAN
5) eth1 is on modem with static public ip

I want to allow certain IPs with MAC addresses and stop all the rest. In this regard, as I am new to iptables, please let me know with an example based on the above setup.

I tried the following, but in vain:

Code:
iptables -P INPUT DROP
/sbin/iptables -A INPUT -s xxx.xxx.x.xxx -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

If I use the second rule alone it works, but if anybody changes their IP they can still access. If I put both rules in, nobody is able to access the Internet.

Thanks & regards,

Ekalavya
 
Old 08-05-2010, 06:33 AM   #2
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116Reputation: 116
Quote:
Originally Posted by ekalavya View Post
Hi,

We have the following setup for Internet access through a broadband connection:

1) FC4
2) Squid
3) Dansguardian
4) eth0 into our LAN
5) eth1 is on modem with static public ip

I want to allow certain IPs with MAC addresses and stop all the rest. In this regard, as I am new to iptables, please let me know with an example based on the above setup.

I tried the following, but in vain:

Code:
iptables -P INPUT DROP
/sbin/iptables -A INPUT -s xxx.xxx.x.xxx -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

If I use the second rule alone it works, but if anybody changes their IP they can still access. If I put both rules in, nobody is able to access the Internet.

Thanks & regards,

Ekalavya


The problem here is that we do not know which rules you already have in, as I don't recall seeing you flush the previous rules out...
 
Old 08-05-2010, 06:36 AM   #3
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 113Reputation: 113
I have never blocked/allowed Internet access by MAC address through iptables, but you can create a MAC-based ACL in Squid to allow/deny a particular MAC address.

Code:
acl aclname arp macaddress
 
Old 08-05-2010, 06:49 AM   #4
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,126
Blog Entries: 2

Rep: Reputation: 124Reputation: 124
Since this is a router box, you might want to put the rule in the FORWARD table, not the INPUT table, and a corresponding established,related rule also in FORWARD.
 
Old 08-06-2010, 04:06 AM   #5
ekalavya
LQ Newbie
 
Registered: Feb 2009
Posts: 23

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by sem007 View Post
I have never blocked/allowed Internet access by MAC address through iptables, but you can create a MAC-based ACL in Squid to allow/deny a particular MAC address.

Code:
acl aclname arp macaddress
I did as per your suggestion, but if somebody changes their MAC address they can still access.

Can you please share your Dansguardian and Squid configuration? As a paranoid measure, I want to implement this.

Thanks & regards,

Ekalavya
 
Old 08-06-2010, 05:23 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781
For one thing, you don't want "iptables -P INPUT DROP" above anything that you want to have access. Iptables rules work like a waterfall. If a rule matches it is acted upon and the process stops. If there is no match, then it continues on to the next rule. Therefore you want to put this as the last line of your rules to make it a default catch-all.

I second estabroo's comments that, given your setup, you will want to put restrictions somewhere other than your INPUT table. Also, iptables has functions that assist with routing and can be used to perform NAT, which may be beneficial to you for configuring a router.

Now let's look at your rule: -A INPUT -s xxx.xxx.x.xxx -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT.

As you pointed out, using just this has little effect: the IP address changes and it becomes useless. In the IP address (-s xxx....) you will need to specify the range of addresses that a host can be assigned (xxx.xxx.xxx.xxx/CIDR mask) OR guarantee that each host gets a particular IP address that doesn't change. By following this command with -A INPUT -j DROP as a last rule, unless the MAC address matches, it will get dropped.

As was also pointed out, implementing this through your proxy may be a better approach.

One important point to remember: this method will NOT be foolproof. It is possible to obtain the MAC addresses associated with an access point, especially if wireless devices are involved, and then spoof that MAC address. It may be another hurdle for an attacker to get past, but do not put this in place and consider yourself secure. Continue to secure the rest of the network as if this feature were not even in place.
 
Old 08-09-2010, 11:42 PM   #7
ekalavya
LQ Newbie
 
Registered: Feb 2009
Posts: 23

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Noway2 View Post
For one thing, you don't want "iptables -P INPUT DROP" above anything that you want to have access. Iptables rules work like a waterfall. If a rule matches it is acted upon and the process stops. If there is no match, then it continues on to the next rule. Therefore you want to put this as the last line of your rules to make it a default catch-all.

I second estabroo's comments that, given your setup, you will want to put restrictions somewhere other than your INPUT table. Also, iptables has functions that assist with routing and can be used to perform NAT, which may be beneficial to you for configuring a router.

Now let's look at your rule: -A INPUT -s xxx.xxx.x.xxx -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT.

As you pointed out, using just this has little effect: the IP address changes and it becomes useless. In the IP address (-s xxx....) you will need to specify the range of addresses that a host can be assigned (xxx.xxx.xxx.xxx/CIDR mask) OR guarantee that each host gets a particular IP address that doesn't change. By following this command with -A INPUT -j DROP as a last rule, unless the MAC address matches, it will get dropped.

As was also pointed out, implementing this through your proxy may be a better approach.

One important point to remember: this method will NOT be foolproof. It is possible to obtain the MAC addresses associated with an access point, especially if wireless devices are involved, and then spoof that MAC address. It may be another hurdle for an attacker to get past, but do not put this in place and consider yourself secure. Continue to secure the rest of the network as if this feature were not even in place.
Hi,

Thank you for your reply.

Can you please provide me an example of an iptables rule based on my scenario, as explained by you?

Thanks & regards,

Ekalavya.
 
Old 08-10-2010, 03:34 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by Noway2 View Post
For one thing, you don't want "iptables -P INPUT DROP" above anything that you want to have access. Iptables rules work like a waterfall. If a rule matches it is acted upon and the process stops. If there is no match, then it continues on to the next rule. Therefore you want to put this as the last line of your rules to make it a default catch-all.
That's not how it works. That command sets the policy for the INPUT chain. There is no need to execute that command before or after any rule commands. Setting a chain's policy is not the same as implementing a rule in a chain.

FWIW, a catch-all rule would look like this (example):
Code:
iptables -A INPUT -j DROP
That sort of rule would definitely need to go at the end of the chain.
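One way to turn the advice in posts #4, #6 and #8 into a reviewable rule set, as an added example that is not code from the thread or any of its posters. It assumes the LAN is on eth0, the WAN on eth1, Squid listens on port 3128 on the same box, and the host list is constructed sample data; the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables rule set that
# matches each allowed LAN host on IP AND MAC (Noway2), does it in FORWARD
# with an ESTABLISHED,RELATED rule (estabroo), and relies on the chain
# policy rather than a trailing DROP rule (win32sux). Assumed layout:
# LAN eth0, WAN eth1, Squid on this box on port 3128. Constructed sample data.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
PROXY_PORT=${PROXY_PORT:-3128}

# Constructed allow list, one "ip mac" pair per line.
ALLOWED='192.168.1.10 00:11:22:33:44:55
192.168.1.11 66:77:88:99:aa:bb'

H='[0-9a-fA-F]'   # one hex digit, used to validate MAC syntax below

# Read "ip mac" pairs from stdin and print the corresponding iptables commands.
gen_rules() {
    echo "iptables -F INPUT"
    echo "iptables -F FORWARD"
    # Chain policies are defaults, not rules, so their position does not matter.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Add your own admin access (e.g. SSH from the LAN) here before applying.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    while read -r ip mac; do
        [ -z "$ip" ] && continue
        case "$mac" in
            $H$H:$H$H:$H$H:$H$H:$H$H:$H$H) ;;
            *) echo "skipping $ip: malformed MAC '$mac'" >&2; continue ;;
        esac
        # IP and MAC must both match; changing either one breaks the match.
        echo "iptables -A INPUT -i $LAN_IF -s $ip -m mac --mac-source $mac -p tcp --dport $PROXY_PORT -j ACCEPT"
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
    # No trailing -j DROP rule is needed: the DROP policy catches the rest.
}

# Number of per-host (MAC-matched) ACCEPT rules produced for a given list.
mac_rule_count() {
    printf '%s\n' "$1" | gen_rules 2>/dev/null | grep -c 'mac-source' || true
}

printf '%s\n' "$ALLOWED" | gen_rules
```

Pipe the printed output to `sh` as root only after reviewing it; MAC matching remains a hurdle, not a boundary, as Noway2 notes.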
 
Old 08-11-2010, 08:10 AM   #9
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781Reputation: 781
Win32sux,

Thank you for catching my error. I read the original post as meaning that when he put that line in everything was blocked, and was thinking that it stopped everything, which one needs to be careful of with iptables, and then misinterpreted it as a de facto drop statement.
 