LinuxQuestions.org
Old 07-11-2010, 09:43 AM   #1
weboy
LQ Newbie
 
Registered: Jul 2010
Posts: 4

IPTABLES Apply Certain Rules to Certain Mac Addresses


Ok, so the firewall rules I am currently using are displayed below.

Code:
# DROP ALL FORWARDED PACKETS
iptables -P FORWARD DROP # DROP ALL PACKETS

# ALLOW DHCP THROUGH THE FIREWALL
iptables -t nat -A PREROUTING -p udp -i br0 -d 255.255.255.255 --dport 67:68 -j DNAT --to 255.255.255.255:67-68 # ALLOW DHCP
iptables -A FORWARD -p udp -i br0 -d 255.255.255.255 --dport 67:68 -j ACCEPT # ALLOW DHCP

# ALLOW DNS TRAFFIC
iptables -A FORWARD -p udp --sport 1024:65535 --dport 53 -j ACCEPT # Someone is sending a DNS REQUEST
iptables -A FORWARD -p udp --sport 53 --dport 1024:65535 -j ACCEPT # Someone is receiving a DNS RESPONSE
iptables -A FORWARD -p tcp --sport 1024:65535 --dport 53 -j ACCEPT # Someone is sending a DNS REQUEST
iptables -A FORWARD -p tcp --sport 53 --dport 1024:65535 -j ACCEPT # Someone is receiving a DNS RESPONSE

# ALLOW HTTP TRAFFIC
iptables -A FORWARD -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT # SOMEONE IS SENDING A REQUEST
iptables -A FORWARD -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # SOMEONE IS SENDING A RESPONSE

# Redirect HTTP REQUESTS
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.23:80
Now what I want to do is have certain MAC addresses be exempt from all those rules. Primarily I would rather have the rules that make these MAC addresses exempt added after these rules get executed, as exempt MAC addresses will be added very often and I do not want to have to re-execute my iptables script every time a new MAC address is made exempt, as it may cause issues with the transfer of data over the network for other users.

Is there any way of doing this? Or something similar, or, if it comes down to it, a way of doing this before the above iptables rules?

For those that are interested, my setup at the moment is that of a wireless access portal: the computer on which these commands are being executed sits between a wireless access point and my network. This computer has 2 NICs bridged.

When someone connects to the wireless they are subject to the above rules, meaning when they open their browser they are presented with a login page. Once they log in, the MAC address is grabbed by the auth server, and at this point I am trying to figure out how to make their MAC address exempt from the rules for non-authenticated users.


Internet
^
|
Gateway <--- Bridged Firewall <--- Wireless Access Point
^
|
Auth Server

Any assistance that can be provided is greatly appreciated!

Thanks,
Aaron

Last edited by weboy; 07-11-2010 at 09:44 AM. Reason: Fix visual of network
 
Old 07-11-2010, 01:51 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Maybe insert a match for the MAC address at the top of a chain? Like:
Code:
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
To delete the rule just change the -I to a -D. Like:
Code:
iptables -t nat -D PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

Last edited by win32sux; 07-11-2010 at 01:52 PM.
 
Old 07-11-2010, 01:55 PM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,782
Blog Entries: 1

Quote:
Now what I want to do is have certain MAC addresses be exempt from all those rules. Primarily I would rather have the rules that make these MAC addresses exempt added after these rules get executed...
The main problem with this approach is that iptables rules are evaluated in order and handled according to the first rule match. So if you want to exempt certain MAC addresses from these rules, you have to have the exemptions first.

Quote:
As exempt mac addresses will be added very often and I do not want to have to re-execute my iptables script every time a new mac address is made exempt, as it may cause issues with the transfer of data over the network, for other users.
Unless I'm missing something about iptables, I don't think you can add a new rule and have it picked up without restarting the rule set.

Quote:
When someone connects to the wireless they are subject to the above rules, meaning when they open their browser they are presented with a login page, once they login, the mac address is grabbed by the auth server, and at this point I am trying to figure out how to make their mac address except from the rules of non-authenticated users.
I'm not sure that iptables is the right tool for this job. It sounds more like you want to have two subnets, one that has authorized users and one that doesn't. Unfortunately, I'm not sure you can get one wireless access point to handle two subnets.
 
Old 07-11-2010, 02:06 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by Hangdog42
Unless I'm missing something about iptables, I don't think you can add a new rule and have it picked up without restarting the rule set.
You can (my example above does precisely that).
 
Old 07-11-2010, 09:00 PM   #5
weboy
LQ Newbie
 
Registered: Jul 2010
Posts: 4

Original Poster
Quote:
Originally Posted by win32sux
Maybe insert a match for the MAC address at the top of a chain? Like:
Code:
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
To delete the rule just change the -I to a -D. Like:
Code:
iptables -t nat -D PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
That works pretty well actually; the only issue I'm having with it is that the latter command (to delete the rule that was added) does not terminate existing connections. So, basically, if the user visits a webpage while they are authenticated, and then they become unauthenticated, that website is still accessible so long as the web browser keeps that connection alive. (This isn't a huge issue, and it may actually end up being better, but it would be nice to know of a way of having this fixed.)

For those that are interested, below are the commands I am using to permit full network access; I will likely modify this later to only permit access to the internet and not the local network. The second MAC address in those rules is that of my gateway on my network.

Code:
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source 00:21:00:46:21:50 -j ACCEPT
iptables -I FORWARD -i br0 -p tcp -m mac --mac-source 00:21:00:46:21:50 -j ACCEPT
iptables -I FORWARD -i br0 -p udp -m mac --mac-source 00:21:00:46:21:50 -j ACCEPT
iptables -I FORWARD -i br0 -p tcp -m mac --mac-source 00-1c-10-a8-8b-c8 -j ACCEPT
iptables -I FORWARD -i br0 -p udp -m mac --mac-source 00-1c-10-a8-8b-c8 -j ACCEPT
Thanks again!

Last edited by weboy; 07-11-2010 at 09:42 PM.
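The insert/delete rules from post #2 and the expanded set from post #5, wrapped in shell functions as an added example (not code from the thread): the MAC handed over by the auth server is validated before it reaches a command line, rules are inserted at the top of the chain so they win over the portal rules, and removal can also flush the client's conntrack entries, which is what keeps an existing flow alive after the rule is deleted. Assumed: the br0 bridge from the thread, the conntrack utility from conntrack-tools, and that the client's IP is available (for example from the DHCP lease) when it needs to be cut off; set IPTABLES and CONNTRACK to a printing command to dry-run.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the MAC-exemption rules from
# posts #2 and #5 so the auth server can call one function per event.
# Assumptions: bridge interface br0 (as in the thread) and the conntrack
# utility from conntrack-tools. Set IPTABLES/CONNTRACK to a printing
# command (e.g. echo) to dry-run.
IPTABLES="${IPTABLES:-iptables}"
CONNTRACK="${CONNTRACK:-conntrack}"
BRIDGE="${BRIDGE:-br0}"

# The MAC comes from the auth server; refuse anything but six hex pairs
# before it is handed to a command line. ':' and '-' separators are both
# accepted because iptables parses the octets by position (post #5 uses both).
valid_mac() {
    H='[0-9a-fA-F][0-9a-fA-F]'; S='[-:]'
    case "$1" in
        $H$S$H$S$H$S$H$S$H$S$H) return 0 ;;
        *) return 1 ;;
    esac
}

# One rule in nat PREROUTING (skips the portal DNAT) and one per protocol
# in FORWARD. $1 is -I (insert at the top, so it is matched before the
# portal rules) or -D (delete that same rule); $2 is the MAC.
mac_rules() {
    "$IPTABLES" -t nat "$1" PREROUTING -i "$BRIDGE" -m mac --mac-source "$2" -j ACCEPT
    for proto in tcp udp; do
        "$IPTABLES" "$1" FORWARD -i "$BRIDGE" -p "$proto" -m mac --mac-source "$2" -j ACCEPT
    done
}

exempt_mac() {
    valid_mac "$1" || { echo "rejected MAC: $1" >&2; return 1; }
    mac_rules -I "$1"
}

# Deleting the rule only affects new connections: the NAT decision for a
# flow is made on its first packet and kept in conntrack, and the FORWARD
# rules accept ESTABLISHED traffic. Flushing the client's conntrack entries
# (by its IP, e.g. from the DHCP lease) closes that gap.
unexempt_mac() {
    valid_mac "$1" || { echo "rejected MAC: $1" >&2; return 1; }
    mac_rules -D "$1"
    if [ -n "$2" ]; then
        "$CONNTRACK" -D -s "$2"
    fi
}
```

A source MAC is chosen by the client, so the exemption is only as strong as the auth server's binding of that MAC to a logged-in session.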
 
Old 07-12-2010, 07:00 AM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,782
Blog Entries: 1

Quote:
Originally Posted by win32sux
You can (my example above does precisely that).

Thanks. As soon as I thought about how iptables actually works with its rules, I realized that my statement couldn't be more wrong.
 
Old 07-17-2010, 09:12 AM   #7
weboy
LQ Newbie
 
Registered: Jul 2010
Posts: 4

Original Poster
Quote:
Originally Posted by weboy
That works pretty well actually; the only issue I'm having with it is that the latter command (to delete the rule that was added) does not terminate existing connections. So, basically, if the user visits a webpage while they are authenticated, and then they become unauthenticated, that website is still accessible so long as the web browser keeps that connection alive. (This isn't a huge issue, and it may actually end up being better, but it would be nice to know of a way of having this fixed.)

For those that are interested, below are the commands I am using to permit full network access; I will likely modify this later to only permit access to the internet and not the local network. The second MAC address in those rules is that of my gateway on my network.

Code:
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source 00:21:00:46:21:50 -j ACCEPT
iptables -I FORWARD -i br0 -p tcp -m mac --mac-source 00:21:00:46:21:50 -j ACCEPT
iptables -I FORWARD -i br0 -p udp -m mac --mac-source 00:21:00:46:21:50 -j ACCEPT
iptables -I FORWARD -i br0 -p tcp -m mac --mac-source 00-1c-10-a8-8b-c8 -j ACCEPT
iptables -I FORWARD -i br0 -p udp -m mac --mac-source 00-1c-10-a8-8b-c8 -j ACCEPT
Thanks again!
Bump on this question.