LinuxQuestions.org > Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
08-27-2003, 09:29 AM   #1
retiem (Member; Registered: Jul 2003; Location: Frankfurt, Germany; Distribution: Mint, Ubuntu, Knoppix, RHEL; Posts: 65; Reputation: 15)

iptables - blocking a host by MAC address

Hi folks,

Please shed some light upon my linux question:

In my LAN, the host with IP 192.68.0.113 has some Winblows virus that is generating outgoing traffic on my network. I don't know where this PC is, since it wasn't given a DHCP name. I issued the following three commands but they didn't stop the traffic:

iptables -I INPUT -s 192.168.0.113 -j DROP
iptables -I OUTPUT -s 192.168.0.113 -j DROP
iptables -I FORWARD -s 192.168.0.113 -j DROP

I wanna try blocking it by its MAC address. How do I do that?

I am running RH9.0

Thanks in advance.
08-27-2003, 10:16 AM   #2
yocompia (Member; Registered: Apr 2003; Location: Chicago, IL; Distribution: openbsd 3.6, slackware 10.0; Posts: 244; Reputation: 30)
do this (make sure you have the ipt_mac module loaded, too)

iptables -A INPUT -p ALL -m mac --mac-source <insert MAC of offending computer here> -j DROP

this matches the source of the packet to a given MAC, then drops it if it matches (might be obvious, but just in case). you can also put this in the FORWARD/OUTPUT chain to stop stuff (depends on your iptables).

gl,
y-p
08-27-2003, 09:31 PM   #3
tarballedtux (Member; Registered: Aug 2001; Location: Off the coast of Madadascar; Posts: 498; Reputation: 30)
What sort of equipment is connecting the PCs in the network? If it's Cisco Catalyst equipment I might be able to help track the PC down.


--tarballedtux
08-28-2003, 01:56 PM   #4
retiem (Original Poster; Member; Registered: Jul 2003; Location: Frankfurt, Germany; Distribution: Mint, Ubuntu, Knoppix, RHEL; Posts: 65; Reputation: 15)
Yocompia:

iptables -A INPUT -p ALL -m mac --mac-source <insert MAC of offending computer here> -j DROP

didn't work!

I also added

iptables -A FORWARD -p ALL -m mac --mac-source <insert MAC of offending computer here> -j DROP

and tried adding

iptables -A OUTPUT -p ALL -m mac --mac-source <insert MAC of offending computer here> -j DROP

but it would give me an "Invalid argument" error

In any case, I still have the problem. Here is my lsmod output, just in case:

[root@proxy root]# lsmod
Module Size Used by Not tainted
ipt_mac 1208 2
soundcore 7108 0 (autoclean)
autofs 13700 0 (autoclean) (unused)
tulip 44256 1
pcnet32 18304 1
mii 2268 0 [pcnet32]
iptable_filter 2412 1 (autoclean)
ip_tables 15864 2 [ipt_mac iptable_filter]
mousedev 5688 1
keybdev 2976 0 (unused)
hid 22404 0 (unused)
input 6240 0 [mousedev keybdev hid]
usb-uhci 27276 0 (unused)
usbcore 80512 1 [hid usb-uhci]
ext3 72960 3
jbd 56752 3 [ext3]
ips 45088 4
sd_mod 13552 8
scsi_mod 110408 2 [ips sd_mod]
08-28-2003, 01:57 PM   #5
retiem (Original Poster; Member; Registered: Jul 2003; Location: Frankfurt, Germany; Distribution: Mint, Ubuntu, Knoppix, RHEL; Posts: 65; Reputation: 15)
tarballedtux:

I have an old Cisco 2500 and a few CNET and SMC hubs.
08-28-2003, 04:59 PM   #6
tarballedtux (Member; Registered: Aug 2001; Location: Off the coast of Madadascar; Posts: 498; Reputation: 30)
If that particular Cisco switch can be consoled, use these commands to find the station:

Get into EXEC mode and type this command:

show mac-address table <mac address>

If the port it says is connected to another switch, hopefully it's a Cisco; otherwise you have a lead at the least.


--tarballedtux
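Locating the station from the switch's MAC table is the step that actually takes an infected host off a LAN, because a firewall rule only affects frames that reach the firewall. The following is an added example, not part of the thread: a small POSIX shell script that converts a Linux-style colon-separated MAC to the dotted form Cisco IOS displays and finds the port listed for it in MAC-table output saved from the switch console. It assumes the table text was captured beforehand (the script does not talk to the switch), and the table below is constructed sample output in the Catalyst layout, not a real capture. Hubs keep no such table, so a port that leads to a hub narrows the search to the hosts on that hub rather than to a single machine.

```shell
#!/bin/sh
# Added example, not from the thread.  Converts a Linux-style MAC to the dotted
# form Cisco IOS displays and finds the switch port for it in captured
# "show mac-address-table" output.  Assumptions: the table text was saved from
# the switch console beforehand (this script does not talk to the switch), and
# the sample below is constructed, not a real capture.

# 00:50:56:AA:BB:CC -> 0050.56aa.bbcc (lower case, as IOS prints it)
to_cisco_mac() {
    printf '%s\n' "$1" | tr -d ':' | tr 'A-F' 'a-f' |
        sed 's/^\(....\)\(....\)\(....\)$/\1.\2.\3/'
}

# Print the port(s) listed for a MAC in the table read from stdin.
# Exit status 1 when the MAC is not in the table.
port_for_mac() {
    cmac=$(to_cisco_mac "$1")
    awk -v mac="$cmac" 'tolower($2) == mac { print $4; found = 1 }
                        END { exit found ? 0 : 1 }'
}

# Constructed sample, in the layout a Catalyst switch prints.
SAMPLE_TABLE='          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.56aa.bbcc    DYNAMIC     Fa0/7
   1    000c.2911.2233    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 2'

main() {
    # Prints "Fa0/7" for the constructed sample.
    printf '%s\n' "$SAMPLE_TABLE" | port_for_mac 00:50:56:AA:BB:CC
}
main
```

To use it on a real capture, replace the `printf` of the sample with `cat saved-table.txt` and pass the MAC in either case; the awk filter lower-cases the table side and the converter lower-cases the query, so mixed case from either source still matches.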
08-29-2003, 11:58 AM   #7
yocompia (Member; Registered: Apr 2003; Location: Chicago, IL; Distribution: openbsd 3.6, slackware 10.0; Posts: 244; Reputation: 30)
it's definitely odd that that rule doesn't work. i have a rule like that to match the MAC of my remote computer and it works fine. here are some rules (verbatim; except for changed MAC) i have in my iptables:

# allows DHCPACK for setup of w-lan
$IPTABLES -A INPUT -p UDP -i wlan0 --dport 67 --sport 68 -m mac --mac-source <remote MAC> -j ACCEPT

...

# allow ssh in from horatio
$IPTABLES -A INPUT -p TCP -i wlan0 --dport 22 -m mac --mac-source <remote MAC> -j ACCEPT

# only let established/related ssh connections to chimaera in from horatio
$IPTABLES -A INPUT -p TCP -i wlan0 -m state --state ESTABLISHED,RELATED -m mac --mac-source <remote MAC> -j ACCEPT

...

# allows w-lan valid outgoing through, but stops new/invalid connections through wlan0
$IPTABLES -A FORWARD -i ppp0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i wlan0 -o ppp0 -m state ! --state INVALID -m mac --mac-source <remote MAC> -j ACCEPT

these rules all work on my router/firewall box. it's odd that the rule didn't work, but maybe it has something to do with the cisco stuff that tarballed has been talking about.

gl,
y-p
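Two facts explain the results reported in posts #1 and #4 and are worth having in working form. First, the iptables `mac` match reads the Ethernet header of an incoming frame, so it is only valid in the PREROUTING, INPUT and FORWARD chains; an OUTPUT rule with `--mac-source` is rejected, which is the "Invalid argument" seen in post #4. Second, a rule on the firewall only affects frames that reach the firewall: on a LAN of hubs, an infected host talking to other LAN hosts never crosses the firewall, so neither the IP-based nor the MAC-based rules can stop that traffic, and the host has to be found and unplugged. The script below is an added example, not code from the thread: it resolves a LAN IP to its MAC from `arp -n` style output (the ARP table shown is constructed sample text, not a real capture), validates the MAC, and emits the rules for the two chains where the match is valid. It prints the commands rather than running them, so it needs no root.

```shell
#!/bin/sh
# Added example, not from the thread.  Builds the iptables commands for
# blocking a LAN host by MAC address and looks the MAC up from "arp -n" output.
# Assumptions: the rules are printed, not executed, so this runs without root;
# the ARP table text below is constructed sample output, not a real capture.

# Validate a colon-separated MAC (aa:bb:cc:dd:ee:ff, either case).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the MAC for an IP from "arp -n" style output read from stdin.
# Exit status 1 when the IP has no completed entry (no frame seen yet).
mac_for_ip() {
    awk -v ip="$1" '$1 == ip && $2 == "ether" { print $3; found = 1 }
                    END { exit found ? 0 : 1 }'
}

# Emit the rules for one MAC.  The mac match works only where the incoming
# Ethernet header is still available (PREROUTING, INPUT, FORWARD); a rule with
# --mac-source in OUTPUT is rejected with "Invalid argument", so none is made.
mac_block_rules() {
    mac=$1
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    printf 'iptables -I INPUT -m mac --mac-source %s -j DROP\n' "$mac"
    printf 'iptables -I FORWARD -m mac --mac-source %s -j DROP\n' "$mac"
}

# Constructed sample "arp -n" output; the third entry is still unresolved.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.113            ether   00:50:56:aa:bb:cc   C                     eth1
192.168.0.1              ether   00:0c:29:11:22:33   C                     eth1
192.168.0.77                     (incomplete)                              eth1'

main() {
    mac=$(printf '%s\n' "$SAMPLE_ARP" | mac_for_ip 192.168.0.113) || return 1
    mac_block_rules "$mac"
}
main
```

On a live box, `arp -n | mac_for_ip 192.168.0.113` gives the MAC the firewall last saw for that address; an `(incomplete)` entry means no frame from that host has reached this interface, which is itself a sign the traffic is not passing through the firewall and has to be stopped at the host or the switch port instead.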