Linux - Security: This forum is for all security-related questions.
We have the following setup for Internet access through a broadband connection:
1) FC4
2) Squid
3) Dansguardian
4) eth0 into our LAN
5) eth1 is on the modem with a static public IP
I want to allow certain IPs with MAC addresses and stop all the rest. In this regard, as I am new to iptables, please let me know with an example based on the above setup.
I tried with the following but in vain:
Code:
iptables -P INPUT DROP
/sbin/iptables -A INPUT -s xxx.xxx.x.xxx -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
If I give the second rule alone, it works, but if anybody changes their IP they can still access. If I put both rules in, nobody is able to access the Internet.
Thanks & regards,
Ekalavya
The problem here is that we do not know which rules you have in already, as I don't recall seeing you flush the previous rules out...
I never block/allow Internet access by MAC address through iptables, but you can create a MAC-based ACL in Squid to allow/deny a particular MAC address.
Since this is a router box, you might want to put the rule in the FORWARD table, not the INPUT table, and a corresponding established,related rule also in FORWARD.
> I never block/allow Internet access by MAC address through iptables, but you can create a MAC-based ACL in Squid to allow/deny a particular MAC address.
> Code:
> acl aclname arp macaddress
I did as per your suggestion, but still, if somebody changes their MAC address they can still access.
Can you please share your Dansguardian and Squid configuration? As a paranoid measure, I want to implement this.
For one thing, you don't want "iptables -P INPUT DROP" above anything that you want to have access. iptables rules work like a waterfall. If a rule matches, it is acted upon and the process stops. If there is no match, then it continues on to the next rule. Therefore you want to put this as the last line of your rules to make it a default catch-all.
I second estabroo's comments that, given your setup, you will want to put restrictions somewhere other than your INPUT table. Also, iptables has functions that assist with routing and can be used to perform NAT, which may be beneficial to you for configuring a router.
Now let's look at your rule: -A INPUT -s xxx.xxx.x.xxx -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT.
As you pointed out, using just this has little effect: if the IP address changes, it becomes useless. In the IP address (-s xxx....) you will need to specify the range of addresses that a host can be assigned (xxx.xxx.xxx.xxx/CIDR mask) OR guarantee that each host gets a particular IP address that doesn't change. By following this command with -A INPUT -j DROP as a last rule, unless the MAC address matches, it will get dropped.
As was also pointed out, implementing this through your proxy may be a better approach.
One important point to remember: this method will NOT be foolproof. It is possible to obtain the MAC addresses associated with an access point, especially if wireless devices are involved, and then spoof that MAC address. It may be another hurdle for an attacker to get past, but do not put this in place and consider yourself secure. Continue to secure the rest of the network as if this feature were not even in place.
Hi,
Thank you for your reply.
Can you please provide me an example of an iptables rule based on my scenario, as explained by you?
> For one thing, you don't want "iptables -P INPUT DROP" above anything that you want to have access. iptables rules work like a waterfall. If a rule matches, it is acted upon and the process stops. If there is no match, then it continues on to the next rule. Therefore you want to put this as the last line of your rules to make it a default catch-all.
That's not how it works. That command sets the policy for the INPUT chain. There is no need to execute that command before or after any rule commands. Setting a chain's policy is not the same as implementing a rule in a chain.
FWIW, a catch all rule would look like this (example):
Code:
iptables -A INPUT -j DROP
That sort of rule would definitely need to go at the end of the chain.
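Pulling the thread's advice together (FORWARD chain rather than INPUT, an ESTABLISHED,RELATED rule, an IP-plus-MAC match per host, and an explicit catch-all DROP at the end rather than relying on the chain policy), here is an added example script, not from any poster in this thread, that generates the rule set for the eth0/eth1 setup above. The LAN addresses and MAC addresses are constructed sample values, and it assumes LAN clients are routed through the box rather than connecting to Squid on it.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables rule set for the
# router described above (eth0 = LAN, eth1 = modem with the public IP).
# A LAN host is forwarded only when BOTH its IP and its MAC match an
# allowlist entry; everything else from the LAN is dropped by a final
# catch-all rule. Chain policies are left untouched on purpose.

LAN_IF=eth0
WAN_IF=eth1

# "ip mac" pairs, one per line (constructed sample values).
ALLOWED="192.168.1.10 00:11:22:33:44:55
192.168.1.11 66:77:88:99:aa:bb"

gen_rules() {
    # Flush old FORWARD rules first so stale rules don't mask the new ones.
    echo "iptables -F FORWARD"
    # Replies to connections the LAN opened must be allowed back in.
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # One rule per allowed host: source IP and source MAC must both match.
    echo "$ALLOWED" | while read -r ip mac; do
        [ -n "$ip" ] && [ -n "$mac" ] || continue
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
    # Catch-all: anything else from the LAN towards the modem is dropped.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP"
    # Hide LAN addresses behind the public IP on eth1 (MASQUERADE is the
    # generic form; SNAT --to-source would pin the known static address).
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Number of per-host ACCEPT rules, for a quick sanity check of the allowlist.
count_host_rules() {
    gen_rules | grep -c -- '--mac-source'
}

# Print the rules; review them, then pipe into "sh" on the router to apply.
gen_rules
```

If clients reach the Internet through Squid on this box, their traffic never traverses FORWARD; the same IP-plus-MAC match would then go in INPUT on the Squid listening port, alongside the Squid arp ACL mentioned earlier.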
Thank you for catching my error. I read the original post as meaning that when he put that line in, everything was blocked, and was thinking that it stopped everything, which one needs to be careful of with iptables, and then misinterpreted it as a de facto drop statement.