LinuxQuestions.org

gabsik 04-23-2006 06:49 PM

mac address filtering
 
In my LAN I have a router gateway and after it a Linux box with 2 eths being the firewall router, then a switch and other servers. I have on the Linux firewall strict rules to bypass spoofing, don't let IANA addresses pass through eth0, and I'm sometimes getting packets from the router dropped.

Apr 24 01:15:46 argo DROP on eth0: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=115 TOS=00 PREC=0x00 TTL=64 ID=24870 DF PROTO=UDP SPT=2062 DPT=514 LEN=95

That 192.168.0.1 is my router.
I was asking myself how, in the ISO-OSI stack, addresses are handled passing through the various levels, because of the MAC address above: half is my router, the other part is the visitor's MAC.
Then I have started playing with subnetting the router a bit, with a 192.168.0.1/255.255.255.253 which should do the trick, but it does not! What if I "play" with MAC addresses and iptables instead? The people connecting to my LAN will all have my router's MAC address, so the risk is to stop or free entry for all traffic... it's getting difficult. Any advice?

PS.
Hope my English was clear!!!
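
The MAC= field in the log line above is the whole 14-byte Ethernet header as the LOG target prints it: destination MAC, source MAC, then the EtherType, so the source half only ever identifies the last layer-2 hop. The following is an added example, not part of the original thread, that splits the field and the other KEY=value pairs; the function names are illustrative.

```python
import re

# Log line quoted in the post above (output of the netfilter LOG target).
LOG_LINE = (
    "Apr 24 01:15:46 argo DROP on eth0: IN=eth0 OUT= "
    "MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=192.168.0.1 "
    "DST=192.168.0.2 LEN=115 TOS=00 PREC=0x00 TTL=64 ID=24870 DF "
    "PROTO=UDP SPT=2062 DPT=514 LEN=95"
)
ETHERTYPES = {"0800": "IPv4", "0806": "ARP", "86dd": "IPv6"}


def parse_fields(line):
    """Return KEY=value pairs that follow the log prefix; bare flags map to True."""
    start = re.search(r"\bIN=", line)
    if start is None:
        raise ValueError("not a netfilter LOG line")
    fields = {}
    for token in line[start.start():].split():
        key, sep, value = token.partition("=")
        # setdefault keeps the first LEN (IP total length), not the UDP length
        fields.setdefault(key, value if sep else True)
    return fields


def split_mac(mac_field):
    """Split the 14-byte Ethernet header that LOG prints as MAC=."""
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        raise ValueError("expected dst(6) + src(6) + ethertype(2) octets")
    ethertype = "".join(octets[12:])
    return {
        "dst_mac": ":".join(octets[:6]),    # destination: the receiving NIC for unicast
        "src_mac": ":".join(octets[6:12]),  # last layer-2 hop that sent the frame
        "ethertype": ETHERTYPES.get(ethertype, "0x" + ethertype),
    }


def summarize(line):
    """Combine layer-2 and layer-3/4 facts from one LOG line."""
    f = parse_fields(line)
    info = split_mac(f["MAC"])
    info.update(src_ip=f["SRC"], dst_ip=f["DST"], proto=f["PROTO"],
                dst_port=int(f["DPT"]), ttl=int(f["TTL"]), ip_len=int(f["LEN"]))
    return info


if __name__ == "__main__":
    for key, value in summarize(LOG_LINE).items():
        print(f"{key:10} {value}")
```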

gabsik 04-24-2006 10:22 AM

So people connecting to my LAN are all going to have my router IP, so any antispoof measure is pointless; maybe subnetting 192.168.0.1 (router) and 192.168.0.2 (Linux box firewall eth0) like this, 192.168.0.0/30, and an:
iptables -A INPUT -i eth0 -s ! 192.168.0.0/30 -j DROP
or
iptables -A INPUT -m mac --mac-source ! 00:0F:EA:91:04:08 -j DROP   # router MAC

I hope this time you all understood!

gabsik 04-25-2006 08:16 PM

I'll put it in the simplest and clearest form: I have before my Linux firewall box a router, 192.168.0.1, and this in my firewall script to prevent spoofing:
# IANA private IPv4 address space
$IPT -t nat -A PREROUTING -i $INT -s 127.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 128.0.0.0/16 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 169.254.0.0/16 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 172.16.0.0/12 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 191.255.0.0/16 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 192.0.0.0/24 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 192.0.2.0/24 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 192.88.99.0/24 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 192.168.0.0/16 -j DROP <--------------------
$IPT -t nat -A PREROUTING -i $INT -s 198.18.0.0/15 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 224.0.0.0/4 -j DROP
$IPT -t nat -A PREROUTING -i $INT -s 240.0.0.0/4 -j DROP

I don't want to DROP my router. To not include 192.168.0.1 and 192.168.0.2 (eth0 firewall) in the DROP, if I do -A PREROUTING -i eth0 -s ! 192.168.0.0/30 -j DROP, taking down 2 bits of 32 (192.168.0.1, 192.168.0.2), does it make any sense?
Second question: people connecting to me are all going to have my router IP? No, isn't it!

Capt_Caveman 04-25-2006 09:38 PM

If I'm understanding your question and network correctly, any packets that the router forwards in/out of the LAN are going to have the router's MAC as the source. Anytime the packets are forwarded the layer2 headers are stripped and replaced. So as you send a packet to google it looks something like this:
Code:

(S:YOUR_MAC,D:YOUR_ROUTER_MAC)<--->(S:YOUR_ROUTER_MAC,D:INT_ROUTER1)<---->(S:INT_ROUTER1,D:INT_ROUTER2)<--->(S:INT_ROUTER2,D:GOOG_NIC)

The IP addresses should stay the same from hop to hop, unless you have some kind of NAT going on (SNAT/DNAT). If the packet is indeed coming from outside the LAN, then the source IP should stay the same. When you send a reply back, *then* the router modifies the IP address (layer3) and strips off the layer2 MAC header.

If your Linux box has a router in front of it with an IP address in IANA, then you don't want to filter that IANA address (at least not outright). Depending on the type of router (cameo communications?), it may or may not have its own firewalling capability which you should determine. If so, configure it to block inbound traffic. If not, then you can block packets coming from the router's IP that have an abnormal TTL value (still forgeable). You can determine the proper TTL using tcpdump/ethereal.

Personally I would be surprised if the router would even forward external packets into the LAN if the IP was spoofed like that. You may want to set up a little test system with 2 machines on either side of the router and see if you can get spoofed packets through. If you can, I'd look for a new router.

gabsik 04-26-2006 12:56 AM

That's right, as I said in the first post. MAC address changes, IP stays the same. I wanted to start filtering based on MAC addresses, but what do you think of ! 192.168.0.0/30 -j DROP? I'm testing this out. The router is a Netgear, has Linux inside (kernel 2.4), an HTTP daemon and a router daemon I don't remember the name of. I can configure it only by browser, no shell, and it has a firewall of course, just DROP-ACCEPT. Many people told me: what? 2 gateways? What's the point? Well! Sometimes it becomes even three when I plug in the laptop. The Linux box hasn't got a pppd daemon, drivers to find, compatibility for drivers, firmwares, etc. The router has a pppd that connects me automatically, and as I call it, it is a hardware firewall; my LAN is safe.

Capt_Caveman 04-26-2006 07:00 PM

OK, so if your router has a built-in firewall, make sure that is enabled and it should block all undesired traffic from the internet, including spoofed packets using the 192.168.0.1 address.

The problem with blocking that MAC using iptables on the Linux box is that all packets (regardless of the source) that are forwarded by the Netgear router are going to have *its* MAC address. For example, say I was to ping your box right now from the machine I'm on. When I send the ping packet, it will have the MAC address of my machine's NIC. When it passes through my router, the MAC header is stripped and will now have the source MAC of my router. The header is then replaced again as it passes through each router on the internet. When it reaches your router it will not have my MAC address as the source, but rather the MAC of your ISP's router that is connected to you. As your router forwards the packet to you, the header is replaced for the last time and is given the source MAC of your router. So even though the packet came from me it has *your router's* MAC on it. So the problem is that all packets forwarded by your router will have its MAC address. If you do:

mac-source ! 00:0F:EA:91:04:08(router MAC) -j DROP

that isn't going to drop anything, 'cause all packets are going to have that MAC if they pass through the router. So you can't do MAC filtering in your situation. You can simply block IPs that don't belong to the router and allow 192.168.0.1. You don't need to worry about allowing 192.168.0.2 because you should never see packets coming *in* the external interface with your own IP.

gabsik 04-27-2006 05:44 AM

So if I subnet the router (192.168.0.1) and the Linux firewall box eth0 (192.168.0.2) like this, 00000011, 192.168.0.0/2 or 192.168.0.0/30 ... please help!!!

Capt_Caveman 04-27-2006 08:03 AM

Just add those 2 IPs as "whitelist" rules that use the ACCEPT target and then have a rule that drops the entire range:
iptables -A INPUT -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -s 192.168.0.2 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j DROP

WRT subnetting, you can probably use 192.168.0.0/30 (255.255.255.252), but I'm not sure why you want to do that. If you only have the router and the single host on the network, then there isn't any real need to break the LAN into small logical subnets in that way.
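
An added example, not from the thread, that evaluates the three whitelist rules above and the negated /30 rule asked about earlier against a few source addresses using first-match-wins semantics, and checks the two dotted netmasks mentioned in the thread. The helper names, the sample addresses and the ACCEPT chain policy are assumptions.

```python
import ipaddress

# (source network, negated?, target), transcribed from the rules in the thread.
WHITELIST = [
    ("192.168.0.1/32", False, "ACCEPT"),
    ("192.168.0.2/32", False, "ACCEPT"),
    ("192.168.0.0/16", False, "DROP"),
]
NEGATED_SLASH_30 = [("192.168.0.0/30", True, "DROP")]  # -s ! 192.168.0.0/30 -j DROP

# Constructed sample sources; 203.0.113.7 is a documentation address standing in
# for an Internet host whose packets the router forwards with the IP unchanged.
SAMPLES = ["192.168.0.1", "192.168.0.2", "192.168.0.3", "192.168.5.9", "203.0.113.7"]


def verdict(rules, src, policy="ACCEPT"):
    """First matching rule decides, as in an iptables chain; else the policy.

    The ACCEPT default policy is an assumption; the thread does not state it.
    """
    addr = ipaddress.ip_address(src)
    for network, negated, target in rules:
        if (addr in ipaddress.ip_network(network)) != negated:
            return target
    return policy


def prefix_len(mask):
    """Prefix length of a dotted netmask, or None if its one-bits are not contiguous."""
    host_bits = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    if host_bits & (host_bits + 1):  # valid host bits look like 0b0...011...1
        return None
    return 32 - host_bits.bit_length()


def compare(samples=SAMPLES):
    """Map each source to its (whitelist verdict, negated-/30 verdict)."""
    return {s: (verdict(WHITELIST, s), verdict(NEGATED_SLASH_30, s)) for s in samples}


if __name__ == "__main__":
    for src, (white, negated) in compare().items():
        print(f"{src:14} whitelist={white:6} negated_/30={negated}")
    for mask in ("255.255.255.252", "255.255.255.253"):
        print(mask, "->", prefix_len(mask))
```

The two rule sets differ for any source outside 192.168.0.0/16: the whitelist leaves it to the chain policy, while the negated /30 rule drops it.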

gabsik 04-27-2006 08:23 AM

You are right, there is always a simpler way of doing things and I always take the hardest .... thanks!


All times are GMT -5.